kafka.security.auth.Resource Java Examples
The following examples show how to use
kafka.security.auth.Resource.
Example #1
Source File: RangerKafkaAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Returns the ACLs attached to {@code resource} by delegating to the wrapped
 * authorizer implementation.
 *
 * <p>The delegate call is bracketed by {@code activatePluginClassLoader()} and
 * {@code deactivatePluginClassLoader()}; the {@code finally} block guarantees the
 * deactivate call runs even when the delegate throws. In that case the exception
 * propagates and the exit trace line is not written.
 *
 * @param resource the Kafka resource whose ACLs are requested
 * @return whatever the delegate returns for {@code resource}
 */
@Override
public Set<Acl> getAcls(Resource resource) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerKafkaAuthorizer.getAcls(Resource)");
    }

    final Set<Acl> acls;
    try {
        activatePluginClassLoader();
        acls = rangerKakfaAuthorizerImpl.getAcls(resource);
    } finally {
        deactivatePluginClassLoader();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerKafkaAuthorizer.getAcls(Resource)");
    }
    return acls;
}
Example #2
Source File: RangerKafkaAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Returns every resource-to-ACL mapping known to the wrapped authorizer
 * implementation.
 *
 * <p>The delegate runs between {@code activatePluginClassLoader()} and
 * {@code deactivatePluginClassLoader()}; the latter is in a {@code finally} block so
 * it executes on both normal and exceptional exit.
 *
 * @return the map produced by the delegate
 */
@Override
public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls() {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerKafkaAuthorizer.getAcls()");
    }

    final scala.collection.immutable.Map<Resource, Set<Acl>> allAcls;
    try {
        activatePluginClassLoader();
        allAcls = rangerKakfaAuthorizerImpl.getAcls();
    } finally {
        // Always undo the class-loader switch, even if the delegate failed.
        deactivatePluginClassLoader();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerKafkaAuthorizer.getAcls()");
    }
    return allAcls;
}
Example #3
Source File: TestAclsCrud.java From incubator-sentry with Apache License 2.0 | 6 votes |
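/**
 * Verifies that adding an ACL for a role that does not exist is rejected with the
 * expected message.
 *
 * <p>The rejection is asserted explicitly: without the final check the test would
 * pass even if {@code addAcls} silently accepted the ACL, which is exactly the
 * regression this test is meant to catch.
 */
@Test
public void testAddAclsForNonExistentRole() {
    sentryKafkaAuthorizer = new SentryKafkaAuthorizer();
    java.util.Map<String, String> configs = new HashMap<>();
    configs.put(KafkaAuthConf.SENTRY_KAFKA_SITE_URL, "file://" + sentrySitePath.getAbsolutePath());
    sentryKafkaAuthorizer.configure(configs);

    final String role1 = "role1";
    Set<Acl> acls = new HashSet<>();
    final Acl acl = new Acl(new KafkaPrincipal("role", role1), Allow$.MODULE$, "127.0.0.1",
        Operation$.MODULE$.fromString("READ"));
    acls.add(acl);
    scala.collection.immutable.Set<Acl> aclsScala = scala.collection.JavaConversions.asScalaSet(acls).toSet();
    Resource resource = new Resource(ResourceType$.MODULE$.fromString("TOPIC"), "test-topic");

    boolean rejected = false;
    try {
        sentryKafkaAuthorizer.addAcls(aclsScala, resource);
    } catch (Exception ex) {
        rejected = true;
        assertCausedMessage(ex, "Can not add Acl for non-existent Role: role1");
    }

    // AssertionError is thrown outside the try block so catch (Exception) cannot swallow it.
    if (!rejected) {
        throw new AssertionError("Expected addAcls to fail for non-existent role: " + role1);
    }
}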
Example #4
Source File: ConvertUtil.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Translates a Kafka {@link Resource} plus a host name into the list of Sentry
 * {@code Authorizable}s describing it.
 *
 * <p>The result always holds two entries, in this order: a {@code Host} built from
 * {@code hostname}, then an authorizable whose type and name are read from
 * {@code resource} each time they are queried.
 *
 * @param hostname host name used for the {@code Host} authorizable
 * @param resource Kafka resource to describe
 * @return a new mutable list with the host and resource authorizables
 */
public static List<Authorizable> convertResourceToAuthorizable(String hostname, final Resource resource) {
    List<Authorizable> result = Lists.newArrayList();
    result.add(new Host(hostname));

    final Authorizable resourceAuthorizable = new Authorizable() {
        @Override
        public String getTypeName() {
            final String kafkaTypeName = resource.resourceType().name();
            // Kafka calls the resource type GROUP; Sentry knows it as CONSUMERGROUP.
            return kafkaTypeName.equalsIgnoreCase("group")
                ? KafkaAuthorizable.AuthorizableType.CONSUMERGROUP.name()
                : kafkaTypeName;
        }

        @Override
        public String getName() {
            return resource.name();
        }
    };
    result.add(resourceAuthorizable);

    return result;
}
Example #5
Source File: RangerKafkaAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Returns the resource-to-ACL mappings that apply to {@code principal}, as reported
 * by the wrapped authorizer implementation.
 *
 * <p>{@code deactivatePluginClassLoader()} runs in a {@code finally} block, so it is
 * called whether or not the delegate throws.
 *
 * @param principal the Kafka principal to look up
 * @return the map produced by the delegate for {@code principal}
 */
@Override
public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls(KafkaPrincipal principal) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerKafkaAuthorizer.getAcls(KafkaPrincipal)");
    }

    final scala.collection.immutable.Map<Resource, Set<Acl>> principalAcls;
    try {
        activatePluginClassLoader();
        principalAcls = rangerKakfaAuthorizerImpl.getAcls(principal);
    } finally {
        deactivatePluginClassLoader();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerKafkaAuthorizer.getAcls(KafkaPrincipal)");
    }
    return principalAcls;
}
Example #6
Source File: KafkaAdminClientTest.java From common-kafka with Apache License 2.0 | 6 votes |
/**
 * Adds the same READ/allow ACL to two topics and checks that {@code client.getAcls()}
 * returns exactly those two resource-to-ACL entries.
 */
@Test
public void getAcls() {
    final KafkaPrincipal user = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "my_user");
    final Set<Acl> readAcl =
        Collections.singleton(new Acl(user, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));

    final Resource topic1 = Resource.fromString(Topic.name() + Resource.Separator() + "topic1");
    final Resource topic2 = Resource.fromString(Topic.name() + Resource.Separator() + "topic2");

    client.addAcls(readAcl, topic1);
    client.addAcls(readAcl, topic2);

    // Expected view: both topics carry the single read ACL and nothing else exists.
    final Map<Resource, Set<Acl>> expected = new HashMap<>();
    expected.put(topic1, readAcl);
    expected.put(topic2, readAcl);

    assertThat(client.getAcls(), is(expected));
}
Example #7
Source File: KafkaAuthBinding.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Grants, for every ACL in {@code acls}, the corresponding Sentry privilege on
 * {@code resource} to the role named by that ACL.
 *
 * <p>ACLs are processed one at a time: the role is looked up, its existence is
 * checked, and only then is the grant issued. Grants already issued for earlier ACLs
 * are not undone when a later ACL names a missing role.
 * NOTE(review): callers that need all-or-nothing semantics must handle the partial
 * grant themselves - confirm whether that matters for this binding.
 *
 * @param acls     ACLs to add; validated by {@code verifyAcls} first
 * @param resource Kafka resource the ACLs apply to
 * @throws KafkaException if an ACL refers to a role that does not exist
 */
public void addAcls(scala.collection.immutable.Set<Acl> acls, final Resource resource) {
    verifyAcls(acls);
    LOG.info("Adding Acl: acl->" + acls + " resource->" + resource);

    for (final Iterator<Acl> pending = acls.iterator(); pending.hasNext();) {
        final Acl acl = pending.next();
        final String role = getRole(acl);

        // Refuse to create privileges for roles Sentry does not know about.
        if (!roleExists(role)) {
            throw new KafkaException("Can not add Acl for non-existent Role: " + role);
        }

        final Command<Void> grant = new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient client) throws Exception {
                client.grantPrivilege(requestorName, role, COMPONENT_NAME, toTSentryPrivilege(acl, resource));
                return null;
            }
        };
        execute(grant);
    }
}
Example #8
Source File: KafkaAuthBinding.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Drops, for every ACL in {@code acls}, the corresponding Sentry privilege on
 * {@code resource} from the role named by that ACL.
 *
 * <p>Processing stops at the first {@code KafkaException}: the failure is logged and
 * {@code false} is returned, leaving privileges dropped so far removed and the
 * remaining ones untouched.
 *
 * @param acls     ACLs to remove; validated by {@code verifyAcls} first
 * @param resource Kafka resource the ACLs apply to
 * @return {@code true} if every drop succeeded, {@code false} on the first failure
 */
public boolean removeAcls(scala.collection.immutable.Set<Acl> acls, final Resource resource) {
    verifyAcls(acls);
    LOG.info("Removing Acl: acl->" + acls + " resource->" + resource);

    for (final Iterator<Acl> pending = acls.iterator(); pending.hasNext();) {
        final Acl acl = pending.next();
        final String role = getRole(acl);

        final Command<Void> drop = new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient client) throws Exception {
                client.dropPrivilege(requestorName, role, toTSentryPrivilege(acl, resource));
                return null;
            }
        };

        try {
            execute(drop);
        } catch (KafkaException kex) {
            LOG.error("Failed to remove acls.", kex);
            return false;
        }
    }
    return true;
}
Example #9
Source File: KafkaAuthBinding.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Drops every privilege, across all roles, that {@code isPrivilegeForResource}
 * reports as belonging to {@code resource}.
 *
 * <p>All roles and their privileges are fetched up front; the drops then run inside a
 * single {@code Command}. A {@code KafkaException} from {@code execute} is logged and
 * turned into a {@code false} return.
 *
 * <p>NOTE(review): the second argument to {@code dropPrivilege} here is
 * {@code COMPONENT_NAME}, whereas the per-ACL {@code removeAcls} overload passes the
 * role name in that position - verify against the client signature that the intended
 * role is being targeted.
 *
 * @param resource Kafka resource whose privileges should be removed
 * @return {@code true} if the command completed, {@code false} if it failed
 */
public boolean removeAcls(final Resource resource) {
    LOG.info("Removing Acls for Resource: resource->" + resource);

    final List<TSentryPrivilege> tSentryPrivileges = getAllPrivileges(getAllRoles());

    final Command<Void> dropMatching = new Command<Void>() {
        @Override
        public Void run(SentryGenericServiceClient client) throws Exception {
            for (TSentryPrivilege candidate : tSentryPrivileges) {
                if (!isPrivilegeForResource(candidate, resource)) {
                    continue;
                }
                client.dropPrivilege(requestorName, COMPONENT_NAME, candidate);
            }
            return null;
        }
    };

    try {
        execute(dropMatching);
        return true;
    } catch (KafkaException kex) {
        LOG.error("Failed to remove acls.", kex);
        return false;
    }
}
Example #10
Source File: RangerKafkaAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Removes all ACLs attached to {@code resource} by delegating to the wrapped
 * authorizer implementation.
 *
 * <p>{@code deactivatePluginClassLoader()} is called from a {@code finally} block, so
 * it runs even when the delegate throws; the exception then propagates to the caller.
 *
 * @param resource the Kafka resource whose ACLs should be removed
 * @return the delegate's result
 */
@Override
public boolean removeAcls(Resource resource) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerKafkaAuthorizer.removeAcls(Resource)");
    }

    final boolean removed;
    try {
        activatePluginClassLoader();
        removed = rangerKakfaAuthorizerImpl.removeAcls(resource);
    } finally {
        deactivatePluginClassLoader();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerKafkaAuthorizer.removeAcls(Resource)");
    }
    return removed;
}
Example #11
Source File: RangerKafkaAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Removes the given ACLs from {@code resource} by delegating to the wrapped
 * authorizer implementation.
 *
 * <p>The delegate call sits between {@code activatePluginClassLoader()} and a
 * {@code finally}-guarded {@code deactivatePluginClassLoader()}.
 *
 * @param acls     ACLs to remove
 * @param resource the Kafka resource they are attached to
 * @return the delegate's result
 */
@Override
public boolean removeAcls(Set<Acl> acls, Resource resource) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerKafkaAuthorizer.removeAcls(Set<Acl>, Resource)");
    }

    final boolean removed;
    try {
        activatePluginClassLoader();
        removed = rangerKakfaAuthorizerImpl.removeAcls(acls, resource);
    } finally {
        deactivatePluginClassLoader();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerKafkaAuthorizer.removeAcls(Set<Acl>, Resource)");
    }
    return removed;
}
Example #12
Source File: RangerKafkaAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Adds the given ACLs to {@code resource} by delegating to the wrapped authorizer
 * implementation.
 *
 * <p>The delegate call sits between {@code activatePluginClassLoader()} and a
 * {@code finally}-guarded {@code deactivatePluginClassLoader()}; if the delegate
 * throws, the exception propagates and the exit trace line is skipped.
 *
 * @param acls     ACLs to add
 * @param resource the Kafka resource to attach them to
 */
@Override
public void addAcls(Set<Acl> acls, Resource resource) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerKafkaAuthorizer.addAcls(Set<Acl>, Resource)");
    }

    try {
        activatePluginClassLoader();
        rangerKakfaAuthorizerImpl.addAcls(acls, resource);
    } finally {
        // Runs on success and on failure alike.
        deactivatePluginClassLoader();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerKafkaAuthorizer.addAcls(Set<Acl>, Resource)");
    }
}
Example #13
Source File: RangerKafkaAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Asks the wrapped authorizer implementation whether {@code session} may perform
 * {@code operation} on {@code resource}.
 *
 * <p>This wrapper takes no decision of its own: it returns the delegate's answer, and
 * if the delegate throws, the exception propagates and no decision is returned. The
 * class-loader switch is undone in a {@code finally} block in either case. When debug
 * logging is enabled, the session, operation, resource and the resulting decision are
 * written to the log.
 *
 * @param session   the requesting session
 * @param operation the operation being attempted
 * @param resource  the resource being accessed
 * @return the delegate's authorization decision
 */
@Override
public boolean authorize(Session session, Operation operation,Resource resource) {
    if (LOG.isDebugEnabled()) {
        LOG.debug(String.format("==> RangerKafkaAuthorizer.authorize(Session=%s, Operation=%s, Resource=%s)", session, operation, resource));
    }

    final boolean allowed;
    try {
        activatePluginClassLoader();
        allowed = rangerKakfaAuthorizerImpl.authorize(session, operation, resource);
    } finally {
        deactivatePluginClassLoader();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerKafkaAuthorizer.authorize: " + allowed);
    }
    return allowed;
}
Example #14
Source File: ConvertUtilTest.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Converts the cluster resource and checks that the result consists of exactly a
 * CLUSTER authorizable named after the cluster and a HOST authorizable named after
 * the host; any other type fails the test.
 */
@Test
public void testCluster() {
    final String hostname = "localhost";
    final String clusterName = Resource$.MODULE$.ClusterResourceName();
    final Resource clusterResource = new Resource(ResourceType$.MODULE$.fromString("cluster"), clusterName);

    final List<Authorizable> converted = ConvertUtil.convertResourceToAuthorizable(hostname, clusterResource);

    for (Authorizable entry : converted) {
        final String typeName = entry.getTypeName();
        if (typeName.equalsIgnoreCase(KafkaAuthorizable.AuthorizableType.CLUSTER.name())) {
            Assert.assertEquals(entry.getName(), clusterName);
            continue;
        }
        if (typeName.equalsIgnoreCase(KafkaAuthorizable.AuthorizableType.HOST.name())) {
            Assert.assertEquals(entry.getName(), hostname);
            continue;
        }
        Assert.fail("Unexpected type found: " + entry.getTypeName());
    }

    Assert.assertEquals(converted.size(), 2);
}
Example #15
Source File: ConvertUtilTest.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Converts a topic resource and checks that the result consists of exactly a TOPIC
 * authorizable carrying the topic name and a HOST authorizable carrying the host
 * name; any other type fails the test.
 */
@Test
public void testTopic() {
    final String hostname = "localhost";
    final String topicName = "t1";
    final Resource topicResource = new Resource(ResourceType$.MODULE$.fromString("topic"), topicName);

    final List<Authorizable> converted = ConvertUtil.convertResourceToAuthorizable(hostname, topicResource);

    for (Authorizable entry : converted) {
        final String typeName = entry.getTypeName();
        if (typeName.equalsIgnoreCase(KafkaAuthorizable.AuthorizableType.TOPIC.name())) {
            Assert.assertEquals(entry.getName(), topicName);
            continue;
        }
        if (typeName.equalsIgnoreCase(KafkaAuthorizable.AuthorizableType.HOST.name())) {
            Assert.assertEquals(entry.getName(), hostname);
            continue;
        }
        Assert.fail("Unexpected type found: " + entry.getTypeName());
    }

    Assert.assertEquals(converted.size(), 2);
}
Example #16
Source File: ConvertUtilTest.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Converts a Kafka "group" resource and checks that it surfaces as a CONSUMERGROUP
 * authorizable with the group name, alongside a HOST authorizable with the host
 * name; any other type fails the test.
 */
@Test
public void testConsumerGroup() {
    final String hostname = "localhost";
    final String consumerGroup = "g1";
    final Resource consumerGroupResource =
        new Resource(ResourceType$.MODULE$.fromString("group"), consumerGroup);

    final List<Authorizable> converted =
        ConvertUtil.convertResourceToAuthorizable(hostname, consumerGroupResource);

    for (Authorizable entry : converted) {
        final String typeName = entry.getTypeName();
        if (typeName.equalsIgnoreCase(KafkaAuthorizable.AuthorizableType.CONSUMERGROUP.name())) {
            Assert.assertEquals(entry.getName(), consumerGroup);
            continue;
        }
        if (typeName.equalsIgnoreCase(KafkaAuthorizable.AuthorizableType.HOST.name())) {
            Assert.assertEquals(entry.getName(), hostname);
            continue;
        }
        Assert.fail("Unexpected type found: " + entry.getTypeName());
    }

    Assert.assertEquals(converted.size(), 2);
}
Example #17
Source File: KafkaAdminClientTest.java From common-kafka with Apache License 2.0 | 5 votes |
/**
 * Expects {@code failureClient.removeAcls} to surface an
 * {@code AdminOperationException} when asked to remove a READ/allow ACL from a topic.
 */
@Test(expected = AdminOperationException.class)
public void removeAcls_zkException() {
    final Resource resource = Resource.fromString(Topic.name() + Resource.Separator() + "topic");
    final KafkaPrincipal user = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "user");
    final Acl allowRead = new Acl(user, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$);
    final Set<Acl> readAcl = Collections.singleton(allowRead);

    failureClient.removeAcls(readAcl, resource);
}
Example #18
Source File: SentryKafkaAuthorizerTest.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Builds the fixtures shared by the tests: a fresh authorizer, two host addresses
 * ("host1" at 1.2.3.4 and "host2" at 2.3.4.5), the cluster resource and topic "t1".
 *
 * @throws UnknownHostException if either address cannot be constructed
 */
public SentryKafkaAuthorizerTest() throws UnknownHostException {
    authorizer = new SentryKafkaAuthorizer();

    final byte[] host1Address = {1, 2, 3, 4};
    final byte[] host2Address = {2, 3, 4, 5};
    testHostName1 = InetAddress.getByAddress("host1", host1Address);
    testHostName2 = InetAddress.getByAddress("host2", host2Address);

    resourceName = Resource$.MODULE$.ClusterResourceName();
    clusterResource = new Resource(ResourceType$.MODULE$.fromString("cluster"), resourceName);
    topic1Resource = new Resource(ResourceType$.MODULE$.fromString("topic"), "t1");
}
Example #19
Source File: SentryKafkaAuthorizer.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Decides whether {@code session} may perform {@code operation} on {@code resource}.
 *
 * <p>A principal recognised by {@code isSuperUser} is allowed immediately, without
 * consulting the binding; every other principal gets the binding's decision. Both
 * paths leave a debug-level trace naming the principal, operation and resource.
 *
 * @param session   the requesting session; its principal is the subject of the check
 * @param operation the operation being attempted
 * @param resource  the resource being accessed
 * @return {@code true} for super users, otherwise the binding's decision
 */
@Override
public boolean authorize(RequestChannel.Session session, Operation operation, Resource resource) {
    LOG.debug("Authorizing Session: " + session + " for Operation: " + operation + " on Resource: " + resource);

    final KafkaPrincipal user = session.principal();
    if (!isSuperUser(user)) {
        LOG.debug("User: " + user + " is not a SuperUser");
        return binding.authorize(session, operation, resource);
    }

    // Super users bypass the policy lookup entirely.
    LOG.debug("Allowing SuperUser: " + user + " in " + session + " for Operation: " + operation + " on Resource: " + resource);
    return true;
}
Example #20
Source File: KafkaAuthBinding.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Returns the ACLs that apply to {@code principal}.
 *
 * <p>Only principals whose type is "group" (compared after lower-casing) are resolved
 * individually, via the roles of that group. For any other principal type the method
 * logs the fact and returns the ACLs of all principals.
 * NOTE(review): a lookup for a single unrecognised principal therefore yields the
 * complete ACL map - confirm callers expect that rather than an empty result.
 *
 * @param principal the Kafka principal to look up
 * @return ACLs for the group's roles, or all ACLs when the type is not "group"
 */
public Map<Resource, scala.collection.immutable.Set<Acl>> getAcls(KafkaPrincipal principal) {
    final boolean isGroup = principal.getPrincipalType().toLowerCase().equals("group");
    if (!isGroup) {
        LOG.info("Did not recognize Principal type: " + principal.getPrincipalType() + ". Returning Acls for all principals.");
        return getAcls();
    }

    final List<String> groupRoles = getRolesforGroup(principal.getName());
    return getAclsForRoles(groupRoles);
}
Example #21
Source File: KafkaAuthBinding.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Builds the Sentry privilege equivalent to granting {@code acl} on {@code resource}.
 *
 * <p>The ACL's host and the resource are converted to authorizables through
 * {@code ConvertUtil.convertResourceToAuthorizable}; each one is copied into a
 * {@code TAuthorizable} by type name and name. The privilege's action is the name of
 * the ACL's operation.
 *
 * @param acl      ACL supplying the host and the operation
 * @param resource Kafka resource the privilege is scoped to
 * @return a new privilege for {@code COMPONENT_NAME} and {@code instanceName}
 */
private TSentryPrivilege toTSentryPrivilege(Acl acl, Resource resource) {
    final List<TAuthorizable> scope = new ArrayList<>();
    for (Authorizable part : ConvertUtil.convertResourceToAuthorizable(acl.host(), resource)) {
        final TAuthorizable thriftPart = new TAuthorizable(part.getTypeName(), part.getName());
        scope.add(thriftPart);
    }
    return new TSentryPrivilege(COMPONENT_NAME, instanceName, scope, acl.operation().name());
}
Example #22
Source File: KafkaAuthBinding.java From incubator-sentry with Apache License 2.0 | 5 votes |
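/**
 * Tells whether {@code tSentryPrivilege} is scoped to {@code resource}.
 *
 * <p>A privilege matches only when one of its authorizables has both the resource's
 * type name and the resource's name. Matching on the type alone would treat a
 * privilege on any resource of that type as belonging to {@code resource}, so a
 * removal aimed at one topic would select the privileges of every topic.
 *
 * <p>NOTE(review): {@code ConvertUtil.convertResourceToAuthorizable} stores Kafka's
 * "group" type as CONSUMERGROUP, so the type comparison below may never match
 * consumer-group resources - verify and map the type here if so.
 *
 * @param tSentryPrivilege privilege to inspect
 * @param resource         Kafka resource to match against
 * @return {@code true} if an authorizable matches the resource's type and name
 */
private boolean isPrivilegeForResource(TSentryPrivilege tSentryPrivilege, Resource resource) {
    final String wantedType = resource.resourceType().name();
    final String wantedName = resource.name();

    final java.util.Iterator<TAuthorizable> authorizablesIterator = tSentryPrivilege.getAuthorizablesIterator();
    // Defensive: a privilege that carries no authorizables cannot match anything.
    if (authorizablesIterator == null) {
        return false;
    }

    while (authorizablesIterator.hasNext()) {
        final TAuthorizable tAuthorizable = authorizablesIterator.next();
        final boolean sameType = tAuthorizable.getType().equals(wantedType);
        final boolean sameName = wantedName != null && wantedName.equals(tAuthorizable.getName());
        if (sameType && sameName) {
            return true;
        }
    }
    return false;
}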
Example #23
Source File: KafkaAuthBinding.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Converts a role-to-privileges map into a resource-to-ACLs map.
 *
 * <p>For every privilege of every role, each non-HOST authorizable becomes a
 * {@code Resource}, and an allow-type ACL for principal {@code ("role", role)} is
 * added to that resource's ACL set, merged with any ACLs already collected for it.
 *
 * @param rolePrivilegesMap privileges keyed by role name
 * @return a new map from resource to the immutable set of ACLs collected for it
 */
private java.util.Map<Resource, scala.collection.immutable.Set<Acl>> rolePrivilegesToResourceAcls(java.util.Map<String, scala.collection.immutable.Set<TSentryPrivilege>> rolePrivilegesMap) {
    final java.util.Map<Resource, scala.collection.immutable.Set<Acl>> resourceAclsMap = new HashMap<>();
    for (String role : rolePrivilegesMap.keySet()) {
        scala.collection.immutable.Set<TSentryPrivilege> privileges = rolePrivilegesMap.get(role);
        final Iterator<TSentryPrivilege> iterator = privileges.iterator();
        while (iterator.hasNext()) {
            TSentryPrivilege privilege = iterator.next();
            final List<TAuthorizable> authorizables = privilege.getAuthorizables();
            // host stays null until a HOST authorizable has been seen in this privilege.
            // NOTE(review): an ACL built for a resource authorizable that precedes the HOST
            // entry in the list gets a null host - confirm the list order is guaranteed.
            String host = null;
            String operation = privilege.getAction();
            for (TAuthorizable tAuthorizable : authorizables) {
                if (tAuthorizable.getType().equals(KafkaAuthorizable.AuthorizableType.HOST.name())) {
                    host = tAuthorizable.getName();
                } else {
                    Resource resource = new Resource(ResourceType$.MODULE$.fromString(tAuthorizable.getType()), tAuthorizable.getName());
                    // The "*" action is rewritten to "All" before being parsed as an Operation.
                    if (operation.equals("*")) {
                        operation = "All";
                    }
                    Acl acl = new Acl(new KafkaPrincipal("role", role), Allow$.MODULE$, host, Operation$.MODULE$.fromString(operation));
                    Set<Acl> newAclsJava = new HashSet<Acl>();
                    newAclsJava.add(acl);
                    // Carry over ACLs already recorded for this resource, then replace the
                    // map entry with the merged set.
                    addExistingAclsForResource(resourceAclsMap, resource, newAclsJava);
                    final scala.collection.mutable.Set<Acl> aclScala = JavaConversions.asScalaSet(newAclsJava);
                    resourceAclsMap.put(resource, aclScala.<Acl>toSet());
                }
            }
        }
    }
    return resourceAclsMap;
}
Example #24
Source File: KafkaAuthBinding.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Copies the ACLs already recorded for {@code resource} in {@code resourceAclsMap}
 * into {@code newAclsJava}. Does nothing when the map has no entry for the resource.
 *
 * @param resourceAclsMap ACLs collected so far, keyed by resource
 * @param resource        resource whose existing ACLs should be carried over
 * @param newAclsJava     mutable set that receives the existing ACLs
 */
private void addExistingAclsForResource(java.util.Map<Resource, scala.collection.immutable.Set<Acl>> resourceAclsMap, Resource resource, java.util.Set<Acl> newAclsJava) {
    final scala.collection.immutable.Set<Acl> recorded = resourceAclsMap.get(resource);
    if (recorded == null) {
        return;
    }
    for (final Iterator<Acl> cursor = recorded.iterator(); cursor.hasNext();) {
        newAclsJava.add(cursor.next());
    }
}
Example #25
Source File: KeycloakRBACAuthorizer.java From strimzi-kafka-oauth with Apache License 2.0 | 5 votes |
/**
 * Falls back to the superclass ACL check when delegation is enabled, and denies
 * otherwise.
 *
 * <p>With {@code delegateToKafkaACL} set, the decision is whatever
 * {@code super.authorize} returns; it is logged at debug level to {@code GRANT_LOG}
 * or {@code DENY_LOG} depending on the outcome. With delegation off, the request is
 * denied and, if enabled, a debug line including the cluster name and {@code authz}
 * is written to {@code DENY_LOG}. Log lines mark principals that are not
 * {@code JwtKafkaPrincipal} as " non-oauth".
 *
 * @param session   the requesting session
 * @param operation the operation being attempted
 * @param resource  the resource being accessed
 * @param authz     permissions data, used only in the denial log message
 * @return the delegated decision, or {@code false} when delegation is disabled
 */
boolean delegateIfRequested(RequestChannel.Session session, Operation operation, Resource resource, JsonNode authz) {
    final String principalKind = session.principal() instanceof JwtKafkaPrincipal ? "" : " non-oauth";

    if (!delegateToKafkaACL) {
        // No fallback configured: deny.
        if (DENY_LOG.isDebugEnabled()) {
            DENY_LOG.debug("Authorization DENIED -" + principalKind + " user: " + session.principal() +
                ", cluster: " + clusterName + ", operation: " + operation + ", resource: " + resource + ",\n permissions: " + authz);
        }
        return false;
    }

    final boolean granted = super.authorize(session, operation, resource);
    final boolean logGrant = granted && GRANT_LOG.isDebugEnabled();
    final boolean logDeny = !granted && DENY_LOG.isDebugEnabled();

    if (logGrant || logDeny) {
        final String message = "Authorization " + (granted ? "GRANTED" : "DENIED") + " by ACL -" + principalKind +
            " user: " + session.principal() + ", operation: " + operation + ", resource: " + resource;
        if (logGrant) {
            GRANT_LOG.debug(message);
        } else {
            DENY_LOG.debug(message);
        }
    }
    return granted;
}
Example #26
Source File: KafkaAdminClientTest.java From common-kafka with Apache License 2.0 | 5 votes |
/**
 * Adds a READ/allow ACL to a topic, confirms it is visible, removes it, and confirms
 * the topic has no ACLs left.
 */
@Test
public void removeAcls() {
    final Resource topic1 = Resource.fromString(Topic.name() + Resource.Separator() + "topic1");
    final KafkaPrincipal user = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "my_user");
    final Acl allowRead = new Acl(user, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$);
    final Set<Acl> readAcl = Collections.singleton(allowRead);

    client.addAcls(readAcl, topic1);
    assertThat(client.getAcls(topic1), is(readAcl));

    client.removeAcls(readAcl, topic1);
    assertThat(client.getAcls(topic1), is(empty()));
}
Example #27
Source File: KeycloakRBACAuthorizer.java From strimzi-kafka-oauth with Apache License 2.0 | 5 votes |
/**
 * Adds ACLs through the superclass, but only when delegation to Kafka's simple ACLs
 * is enabled.
 *
 * @param acls     ACLs to add
 * @param resource resource to attach them to
 * @throws RuntimeException if {@code delegateToKafkaACL} is off
 */
@Override
public void addAcls(Set<Acl> acls, Resource resource) {
    if (delegateToKafkaACL) {
        super.addAcls(acls, resource);
        return;
    }
    // ACL management is refused outright unless delegation was configured.
    throw new RuntimeException("Simple ACL delegation not enabled");
}
Example #28
Source File: KeycloakRBACAuthorizer.java From strimzi-kafka-oauth with Apache License 2.0 | 5 votes |
/**
 * Removes the given ACLs through the superclass, but only when delegation to Kafka's
 * simple ACLs is enabled.
 *
 * @param aclsTobeRemoved ACLs to remove
 * @param resource        resource they are attached to
 * @return the superclass result
 * @throws RuntimeException if {@code delegateToKafkaACL} is off
 */
@Override
public boolean removeAcls(Set<Acl> aclsTobeRemoved, Resource resource) {
    if (delegateToKafkaACL) {
        return super.removeAcls(aclsTobeRemoved, resource);
    }
    throw new RuntimeException("Simple ACL delegation not enabled");
}
Example #29
Source File: KeycloakRBACAuthorizer.java From strimzi-kafka-oauth with Apache License 2.0 | 5 votes |
/**
 * Removes all ACLs of {@code resource} through the superclass, but only when
 * delegation to Kafka's simple ACLs is enabled.
 *
 * @param resource resource whose ACLs should be removed
 * @return the superclass result
 * @throws RuntimeException if {@code delegateToKafkaACL} is off
 */
@Override
public boolean removeAcls(Resource resource) {
    if (delegateToKafkaACL) {
        return super.removeAcls(resource);
    }
    throw new RuntimeException("Simple ACL delegation not enabled");
}
Example #30
Source File: KeycloakRBACAuthorizer.java From strimzi-kafka-oauth with Apache License 2.0 | 5 votes |
/**
 * Returns the ACLs of {@code resource} from the superclass, but only when delegation
 * to Kafka's simple ACLs is enabled.
 *
 * @param resource resource whose ACLs are requested
 * @return the superclass result
 * @throws RuntimeException if {@code delegateToKafkaACL} is off
 */
@Override
public Set<Acl> getAcls(Resource resource) {
    if (delegateToKafkaACL) {
        return super.getAcls(resource);
    }
    throw new RuntimeException("Simple ACL delegation not enabled");
}