kafka.security.auth.Acl Java Examples

Example #1
Source File: RangerKafkaAuthorizer.java — from ranger (Apache License 2.0)
/**
 * Adds the given ACLs for {@code resource} by delegating to the Ranger
 * authorizer implementation.
 *
 * <p>The plugin class loader is activated around the delegated call and
 * restored in a {@code finally} block, so it is always deactivated even when
 * the implementation throws.
 *
 * @param acls     the ACLs to add
 * @param resource the Kafka resource the ACLs apply to
 */
@Override
public void addAcls(Set<Acl> acls, Resource resource) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerKafkaAuthorizer.addAcls(Set<Acl>, Resource)");
	}

	try {
		// Delegated call must run with the plugin class loader active.
		activatePluginClassLoader();
		rangerKakfaAuthorizerImpl.addAcls(acls, resource);
	} finally {
		// Always restore the caller's class loader.
		deactivatePluginClassLoader();
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerKafkaAuthorizer.addAcls(Set<Acl>, Resource)");
	}
}
 
Example #2
Source File: KafkaAuthBinding.java — from incubator-sentry (Apache License 2.0)
/**
 * Drops the Sentry privilege backing each of the given ACLs on {@code resource}.
 *
 * <p>The ACL set is handed to {@code verifyAcls} first. Each ACL is then mapped
 * to a role via {@code getRole} and its privilege is dropped through
 * {@code execute}. Processing stops at the first {@code KafkaException}, so ACLs
 * handled before that point stay removed: a {@code false} return means "at least
 * one removal failed", not "nothing was changed".
 *
 * @param acls     the ACLs to remove
 * @param resource the Kafka resource the ACLs are attached to
 * @return {@code true} if every ACL was removed, {@code false} on the first failure
 */
public boolean removeAcls(scala.collection.immutable.Set<Acl> acls, final Resource resource) {
    verifyAcls(acls);
    LOG.info("Removing Acl: acl->" + acls + " resource->" + resource);

    for (final Iterator<Acl> it = acls.iterator(); it.hasNext(); ) {
        final Acl acl = it.next();
        final String role = getRole(acl);
        final Command<Void> dropPrivilege = new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient client) throws Exception {
                client.dropPrivilege(requestorName, role, toTSentryPrivilege(acl, resource));
                return null;
            }
        };
        try {
            execute(dropPrivilege);
        } catch (KafkaException kex) {
            // Abort on the first failure; earlier removals are not rolled back.
            LOG.error("Failed to remove acls.", kex);
            return false;
        }
    }

    return true;
}
 
Example #3
Source File: KafkaAuthBinding.java — from incubator-sentry (Apache License 2.0)
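/**
 * Grants a Sentry privilege for each of the given ACLs on {@code resource}.
 *
 * <p>The ACL set is handed to {@code verifyAcls} first. Every ACL's role is then
 * checked with {@code roleExists} before any privilege is granted, so a request
 * naming a missing role is rejected without leaving a partially applied set of
 * grants behind (the original granted ACLs one by one and threw mid-way).
 *
 * @param acls     the ACLs to add
 * @param resource the Kafka resource the ACLs apply to
 * @throws KafkaException if any ACL refers to a role that does not exist
 */
public void addAcls(scala.collection.immutable.Set<Acl> acls, final Resource resource) {
    verifyAcls(acls);
    LOG.info("Adding Acl: acl->" + acls + " resource->" + resource);

    // Pass 1: validate every role up front so one bad ACL cannot leave earlier
    // grants in place while later ones are never applied.
    for (final Iterator<Acl> it = acls.iterator(); it.hasNext(); ) {
        final String role = getRole(it.next());
        if (!roleExists(role)) {
            throw new KafkaException("Can not add Acl for non-existent Role: " + role);
        }
    }

    // Pass 2: grant one privilege per ACL.
    for (final Iterator<Acl> it = acls.iterator(); it.hasNext(); ) {
        final Acl acl = it.next();
        final String role = getRole(acl);
        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient client) throws Exception {
                client.grantPrivilege(
                    requestorName, role, COMPONENT_NAME, toTSentryPrivilege(acl, resource));
                return null;
            }
        });
    }
}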
 
Example #4
Source File: TestAclsCrud.java — from incubator-sentry (Apache License 2.0)
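/**
 * Adding an ACL whose principal names a role that was never created must be
 * rejected with the "non-existent Role" message.
 *
 * <p>The {@code AssertionError} thrown right after the call makes the test fail
 * when {@code addAcls} does not throw at all (the original silently passed in
 * that case). It is an {@code Error}, so the {@code catch (Exception)} below
 * does not swallow it.
 */
@Test
public void testAddAclsForNonExistentRole() {
  sentryKafkaAuthorizer = new SentryKafkaAuthorizer();
  java.util.Map<String, String> configs = new HashMap<>();
  configs.put(KafkaAuthConf.SENTRY_KAFKA_SITE_URL, "file://" + sentrySitePath.getAbsolutePath());
  sentryKafkaAuthorizer.configure(configs);

  final String role1 = "role1";
  Set<Acl> acls = new HashSet<>();
  final Acl acl = new Acl(new KafkaPrincipal("role", role1),
      Allow$.MODULE$,
      "127.0.0.1",
      Operation$.MODULE$.fromString("READ"));
  acls.add(acl);
  scala.collection.immutable.Set<Acl> aclsScala = scala.collection.JavaConversions.asScalaSet(acls).toSet();
  Resource resource = new Resource(ResourceType$.MODULE$.fromString("TOPIC"), "test-topic");
  try {
    sentryKafkaAuthorizer.addAcls(aclsScala, resource);
    // Reached only if no exception was thrown: that is a test failure.
    throw new AssertionError("addAcls should have rejected non-existent role " + role1);
  } catch (Exception ex) {
    assertCausedMessage(ex, "Can not add Acl for non-existent Role: role1");
  }
}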
 
Example #5
Source File: RangerKafkaAuthorizer.java — from ranger (Apache License 2.0)
/**
 * Returns all ACLs known to the Ranger authorizer implementation, keyed by
 * resource.
 *
 * <p>The plugin class loader is active only for the delegated call and is
 * restored in a {@code finally} block.
 *
 * @return the map returned by the delegate; may be whatever the delegate
 *         returns (this wrapper adds no null handling)
 */
@Override
public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls() {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerKafkaAuthorizer.getAcls()");
	}

	final scala.collection.immutable.Map<Resource, Set<Acl>> aclsByResource;
	try {
		activatePluginClassLoader();
		aclsByResource = rangerKakfaAuthorizerImpl.getAcls();
	} finally {
		deactivatePluginClassLoader();
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerKafkaAuthorizer.getAcls()");
	}

	return aclsByResource;
}
 
Example #6
Source File: RangerKafkaAuthorizer.java — from ranger (Apache License 2.0)
/**
 * Returns the ACLs the Ranger authorizer implementation holds for
 * {@code principal}, keyed by resource.
 *
 * <p>The plugin class loader is active only for the delegated call and is
 * restored in a {@code finally} block.
 *
 * @param principal the principal to look up
 * @return the map returned by the delegate (this wrapper adds no null handling)
 */
@Override
public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls(KafkaPrincipal principal) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerKafkaAuthorizer.getAcls(KafkaPrincipal)");
	}

	final scala.collection.immutable.Map<Resource, Set<Acl>> principalAcls;
	try {
		activatePluginClassLoader();
		principalAcls = rangerKakfaAuthorizerImpl.getAcls(principal);
	} finally {
		deactivatePluginClassLoader();
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerKafkaAuthorizer.getAcls(KafkaPrincipal)");
	}

	return principalAcls;
}
 
Example #7
Source File: RangerKafkaAuthorizer.java — from ranger (Apache License 2.0)
/**
 * Returns the ACLs the Ranger authorizer implementation holds for
 * {@code resource}.
 *
 * <p>The plugin class loader is active only for the delegated call and is
 * restored in a {@code finally} block.
 *
 * @param resource the Kafka resource to look up
 * @return the set returned by the delegate (this wrapper adds no null handling)
 */
@Override
public Set<Acl> getAcls(Resource resource) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerKafkaAuthorizer.getAcls(Resource)");
	}

	final Set<Acl> resourceAcls;
	try {
		activatePluginClassLoader();
		resourceAcls = rangerKakfaAuthorizerImpl.getAcls(resource);
	} finally {
		deactivatePluginClassLoader();
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerKafkaAuthorizer.getAcls(Resource)");
	}

	return resourceAcls;
}
 
Example #8
Source File: KafkaAdminClientTest.java — from common-kafka (Apache License 2.0)
/**
 * {@code getAcls()} with no arguments must return every ACL that was added,
 * grouped by resource.
 */
@Test
public void getAcls() {
    final KafkaPrincipal owner = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "my_user");
    final Resource firstTopic = Resource.fromString(Topic.name() + Resource.Separator() + "topic1");
    final Resource secondTopic = Resource.fromString(Topic.name() + Resource.Separator() + "topic2");
    final Set<Acl> readFromAnyHost =
            Collections.singleton(new Acl(owner, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));

    // Same ACL set on two different topics.
    client.addAcls(readFromAnyHost, firstTopic);
    client.addAcls(readFromAnyHost, secondTopic);

    final Map<Resource, Set<Acl>> expected = new HashMap<>();
    expected.put(firstTopic, readFromAnyHost);
    expected.put(secondTopic, readFromAnyHost);
    assertThat(client.getAcls(), is(expected));
}
 
Example #9
Source File: RangerKafkaAuthorizer.java — from ranger (Apache License 2.0)
/**
 * Removes the given ACLs for {@code resource} by delegating to the Ranger
 * authorizer implementation.
 *
 * <p>The plugin class loader is active only for the delegated call and is
 * restored in a {@code finally} block.
 *
 * @param acls     the ACLs to remove
 * @param resource the Kafka resource the ACLs are attached to
 * @return whatever the delegate's {@code removeAcls} returns
 */
@Override
public boolean removeAcls(Set<Acl> acls, Resource resource) {
	if (LOG.isDebugEnabled()) {
		LOG.debug("==> RangerKafkaAuthorizer.removeAcls(Set<Acl>, Resource)");
	}

	final boolean removed;
	try {
		activatePluginClassLoader();
		removed = rangerKakfaAuthorizerImpl.removeAcls(acls, resource);
	} finally {
		deactivatePluginClassLoader();
	}

	if (LOG.isDebugEnabled()) {
		LOG.debug("<== RangerKafkaAuthorizer.removeAcls(Set<Acl>, Resource)");
	}

	return removed;
}
 
Example #10
Source File: KafkaAdminClientTest.java — from common-kafka (Apache License 2.0)
/**
 * A ZooKeeper failure while adding ACLs must surface as an
 * {@code AdminOperationException} from {@code failureClient}.
 */
@Test(expected = AdminOperationException.class)
public void addAcls_zkException() {
    final KafkaPrincipal owner = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "user");
    final Resource topic = Resource.fromString(Topic.name() + Resource.Separator() + "topic");
    final Acl readFromAnyHost = new Acl(owner, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$);

    failureClient.addAcls(Collections.singleton(readFromAnyHost), topic);
}
 
Example #11
Source File: KafkaAdminClientTest.java — from common-kafka (Apache License 2.0)
/**
 * A ZooKeeper failure while removing ACLs must surface as an
 * {@code AdminOperationException} from {@code failureClient}.
 */
@Test(expected = AdminOperationException.class)
public void removeAcls_zkException() {
    final KafkaPrincipal owner = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "user");
    final Resource topic = Resource.fromString(Topic.name() + Resource.Separator() + "topic");
    final Acl readFromAnyHost = new Acl(owner, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$);

    failureClient.removeAcls(Collections.singleton(readFromAnyHost), topic);
}
 
Example #12
Source File: KafkaAdminClientTest.java — from common-kafka (Apache License 2.0)
/**
 * Removing an ACL that was just added leaves the resource with no ACLs.
 */
@Test
public void removeAcls() {
    final KafkaPrincipal owner = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "my_user");
    final Resource topic = Resource.fromString(Topic.name() + Resource.Separator() + "topic1");
    final Set<Acl> readFromAnyHost =
            Collections.singleton(new Acl(owner, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));

    // Precondition: the ACL is visible after being added.
    client.addAcls(readFromAnyHost, topic);
    assertThat(client.getAcls(topic), is(readFromAnyHost));

    client.removeAcls(readFromAnyHost, topic);
    assertThat(client.getAcls(topic), is(empty()));
}
 
Example #13
Source File: KafkaAdminClientTest.java — from common-kafka (Apache License 2.0)
/**
 * {@code removeAcls} must reject a {@code null} resource with an
 * {@code IllegalArgumentException} rather than touching the authorizer.
 */
@Test (expected = IllegalArgumentException.class)
public void removeAcls_nullResource() {
    final KafkaPrincipal owner = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "my_user");
    final Acl readFromAnyHost = new Acl(owner, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$);

    client.removeAcls(Collections.singleton(readFromAnyHost), null);
}
 
Example #14
Source File: KeycloakRBACAuthorizer.java — from strimzi-kafka-oauth (Apache License 2.0)
/**
 * Delegates ACL creation to the simple ACL authorizer in the superclass, but
 * only when {@code delegateToKafkaACL} is enabled.
 *
 * @param acls     the ACLs to add
 * @param resource the Kafka resource the ACLs apply to
 * @throws RuntimeException if simple ACL delegation is not enabled
 */
@Override
public void addAcls(Set<Acl> acls, Resource resource) {
    if (delegateToKafkaACL) {
        super.addAcls(acls, resource);
        return;
    }
    throw new RuntimeException("Simple ACL delegation not enabled");
}
 
Example #15
Source File: KafkaAuthBinding.java — from incubator-sentry (Apache License 2.0)
/**
 * Looks up the ACLs for {@code principal}.
 *
 * <p>Only principals whose type is {@code group} (case-insensitive) are resolved
 * to roles via {@code getRolesforGroup} and answered with {@code getAclsForRoles}.
 * Any other principal type is logged and answered with {@code getAcls()}, i.e. the
 * ACLs of <em>all</em> principals — callers must not assume the result is scoped
 * to the given principal in that case.
 *
 * @param principal the principal to look up
 * @return resource-to-ACL-set map, group-scoped or cluster-wide as described above
 */
public Map<Resource, scala.collection.immutable.Set<Acl>> getAcls(KafkaPrincipal principal) {
    final String principalType = principal.getPrincipalType();
    if (!principalType.equalsIgnoreCase("group")) {
        LOG.info("Did not recognize Principal type: " + principalType + ". Returning Acls for all principals.");
        return getAcls();
    }
    final List<String> groupRoles = getRolesforGroup(principal.getName());
    return getAclsForRoles(groupRoles);
}
 
Example #16
Source File: KafkaAuthBinding.java — from incubator-sentry (Apache License 2.0)
/**
 * Converts a Kafka ACL on {@code resource} into the Sentry privilege that
 * represents it.
 *
 * <p>The authorizable chain comes from
 * {@code ConvertUtil.convertResourceToAuthorizable(acl.host(), resource)} and the
 * action from {@code acl.operation().name()}. The ACL's permission type
 * (allow/deny) is not carried over; this binding relies on {@code verifyAcls}
 * to only let {@code Allow} ACLs reach this point.
 *
 * @param acl      the ACL to convert
 * @param resource the Kafka resource the ACL applies to
 * @return the equivalent Sentry privilege for {@code COMPONENT_NAME}/{@code instanceName}
 */
private TSentryPrivilege toTSentryPrivilege(Acl acl, Resource resource) {
    final List<TAuthorizable> thriftAuthorizables = new ArrayList<>();
    for (Authorizable authorizable : ConvertUtil.convertResourceToAuthorizable(acl.host(), resource)) {
        thriftAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
    }
    return new TSentryPrivilege(COMPONENT_NAME, instanceName, thriftAuthorizables, acl.operation().name());
}
 
Example #17
Source File: KafkaAuthBinding.java — from incubator-sentry (Apache License 2.0)
/**
 * Rebuilds Kafka ACLs from a role-to-privileges map.
 *
 * <p>For every privilege, the authorizable of type {@code HOST} supplies the
 * ACL host and every other authorizable is turned into a {@code Resource} plus
 * an {@code Allow} ACL for the role principal. ACLs already collected for the
 * same resource are merged in via {@code addExistingAclsForResource}.
 *
 * <p>Caveats visible in the code: the host is taken from the HOST authorizable
 * seen so far, so a resource authorizable that precedes it gets a {@code null}
 * host; a {@code "*"} action is rewritten to {@code "All"} once and then reused
 * for the remaining authorizables of that privilege.
 *
 * @param rolePrivilegesMap Sentry privileges keyed by role name
 * @return ACLs keyed by Kafka resource
 */
private java.util.Map<Resource, scala.collection.immutable.Set<Acl>> rolePrivilegesToResourceAcls(java.util.Map<String, scala.collection.immutable.Set<TSentryPrivilege>> rolePrivilegesMap) {
    final java.util.Map<Resource, scala.collection.immutable.Set<Acl>> aclsByResource = new HashMap<>();
    for (java.util.Map.Entry<String, scala.collection.immutable.Set<TSentryPrivilege>> roleEntry : rolePrivilegesMap.entrySet()) {
        final String role = roleEntry.getKey();
        for (final Iterator<TSentryPrivilege> privIt = roleEntry.getValue().iterator(); privIt.hasNext(); ) {
            final TSentryPrivilege privilege = privIt.next();
            String host = null;
            String operation = privilege.getAction();
            for (TAuthorizable authorizable : privilege.getAuthorizables()) {
                if (authorizable.getType().equals(KafkaAuthorizable.AuthorizableType.HOST.name())) {
                    host = authorizable.getName();
                    continue;
                }
                final Resource resource = new Resource(ResourceType$.MODULE$.fromString(authorizable.getType()), authorizable.getName());
                if (operation.equals("*")) {
                    operation = "All";
                }
                final Acl acl = new Acl(new KafkaPrincipal("role", role), Allow$.MODULE$, host, Operation$.MODULE$.fromString(operation));
                final Set<Acl> mergedAcls = new HashSet<Acl>();
                mergedAcls.add(acl);
                addExistingAclsForResource(aclsByResource, resource, mergedAcls);
                final scala.collection.mutable.Set<Acl> mergedScala = JavaConversions.asScalaSet(mergedAcls);
                aclsByResource.put(resource, mergedScala.<Acl>toSet());
            }
        }
    }

    return aclsByResource;
}
 
Example #18
Source File: KafkaAuthBinding.java — from incubator-sentry (Apache License 2.0)
/**
 * Copies the ACLs already recorded for {@code resource} into {@code newAclsJava}.
 *
 * <p>No-op when {@code resourceAclsMap} has no entry for the resource.
 *
 * @param resourceAclsMap ACLs collected so far, keyed by resource
 * @param resource        the resource whose existing ACLs should be merged
 * @param newAclsJava     mutable target set that receives the existing ACLs
 */
private void addExistingAclsForResource(java.util.Map<Resource, scala.collection.immutable.Set<Acl>> resourceAclsMap, Resource resource, java.util.Set<Acl> newAclsJava) {
    final scala.collection.immutable.Set<Acl> alreadyKnown = resourceAclsMap.get(resource);
    if (alreadyKnown == null) {
        return;
    }
    for (final Iterator<Acl> it = alreadyKnown.iterator(); it.hasNext(); ) {
        newAclsJava.add(it.next());
    }
}
 
Example #19
Source File: KafkaAuthBinding.java — from incubator-sentry (Apache License 2.0)
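/**
 * Rejects ACLs this binding cannot represent in Sentry.
 *
 * <p>Only ACLs whose principal type is {@code role} and whose permission type is
 * {@code Allow} are accepted. These are real runtime checks rather than
 * {@code assert} statements (which are disabled unless the JVM runs with
 * {@code -ea}): {@code toTSentryPrivilege} does not carry the permission type
 * over, so an unchecked non-{@code Allow} ACL would have been stored as an Allow
 * grant.
 *
 * @param acls the ACLs to validate
 * @throws KafkaException if any ACL has a non-role principal or a non-Allow
 *         permission type
 */
private void verifyAcls(scala.collection.immutable.Set<Acl> acls) {
    for (final Iterator<Acl> it = acls.iterator(); it.hasNext(); ) {
        final Acl acl = it.next();
        final String principalType = acl.principal().getPrincipalType();
        if (!principalType.equalsIgnoreCase("role")) {
            throw new KafkaException(
                "Only Acls with KafkaPrincipal of type \"role\" are supported, got: " + principalType);
        }
        final String permission = acl.permissionType().name();
        if (!permission.equals(Allow.name())) {
            throw new KafkaException(
                "Only Acls with Permission of type \"Allow\" are supported, got: " + permission);
        }
    }
}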
 
Example #20
Source File: KafkaAdminClientTest.java — from common-kafka (Apache License 2.0)
/**
 * An ACL added for a topic is returned by {@code getAcls(resource)} for that topic.
 */
@Test
public void addAcls() {
    final KafkaPrincipal owner = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "my_user");
    final Resource topic = Resource.fromString(Topic.name() + Resource.Separator() + "topic1");
    final Set<Acl> readFromAnyHost =
            Collections.singleton(new Acl(owner, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));

    client.addAcls(readFromAnyHost, topic);

    assertThat(client.getAcls(topic), is(readFromAnyHost));
}
 
Example #21
Source File: KeycloakRBACAuthorizer.java — from strimzi-kafka-oauth (Apache License 2.0)
/**
 * Delegates ACL removal to the simple ACL authorizer in the superclass, but
 * only when {@code delegateToKafkaACL} is enabled.
 *
 * @param aclsTobeRemoved the ACLs to remove
 * @param resource        the Kafka resource the ACLs are attached to
 * @return whatever the superclass {@code removeAcls} returns
 * @throws RuntimeException if simple ACL delegation is not enabled
 */
@Override
public boolean removeAcls(Set<Acl> aclsTobeRemoved, Resource resource) {
    if (delegateToKafkaACL) {
        return super.removeAcls(aclsTobeRemoved, resource);
    }
    throw new RuntimeException("Simple ACL delegation not enabled");
}
 
Example #22
Source File: KeycloakRBACAuthorizer.java — from strimzi-kafka-oauth (Apache License 2.0)
/**
 * Returns the simple ACLs for {@code resource} from the superclass, but only
 * when {@code delegateToKafkaACL} is enabled.
 *
 * @param resource the Kafka resource to look up
 * @return the superclass result
 * @throws RuntimeException if simple ACL delegation is not enabled
 */
@Override
public Set<Acl> getAcls(Resource resource) {
    if (delegateToKafkaACL) {
        return super.getAcls(resource);
    }
    throw new RuntimeException("Simple ACL delegation not enabled");
}
 
Example #23
Source File: KeycloakRBACAuthorizer.java — from strimzi-kafka-oauth (Apache License 2.0)
/**
 * Returns the simple ACLs for {@code principal} from the superclass, but only
 * when {@code delegateToKafkaACL} is enabled.
 *
 * @param principal the principal to look up
 * @return the superclass result
 * @throws RuntimeException if simple ACL delegation is not enabled
 */
@Override
public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls(KafkaPrincipal principal) {
    if (delegateToKafkaACL) {
        return super.getAcls(principal);
    }
    throw new RuntimeException("Simple ACL delegation not enabled");
}
 
Example #24
Source File: KeycloakRBACAuthorizer.java — from strimzi-kafka-oauth (Apache License 2.0)
/**
 * Returns all simple ACLs from the superclass, but only when
 * {@code delegateToKafkaACL} is enabled.
 *
 * @return the superclass result
 * @throws RuntimeException if simple ACL delegation is not enabled
 */
@Override
public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls() {
    if (delegateToKafkaACL) {
        return super.getAcls();
    }
    throw new RuntimeException("Simple ACL delegation not enabled");
}
 
Example #25
Source File: EmbeddedSingleNodeKafkaCluster.java — from ksql-fork-with-deep-learning-function (Apache License 2.0)
/**
 * Writes the supplied ACL information to ZK, where the broker's authorizer will pick it up.
 *
 * <p>Each operation in {@code ops} becomes one ACL for the {@code User} principal
 * {@code username}, with the given permission and the literal wildcard host
 * {@code "*"}. The converted resource is also recorded in {@code addedAcls}.
 *
 * @param username    the who.
 * @param permission  the allow|deny.
 * @param resource    the thing
 * @param ops         the what.
 */
public void addUserAcl(final String username,
                       final AclPermissionType permission,
                       final Resource resource,
                       final Set<AclOperation> ops) {

  // Convert the Java-API resource into its Scala counterpart.
  final kafka.security.auth.ResourceType scalaResType =
      ResourceType$.MODULE$.fromJava(resource.resourceType());
  final kafka.security.auth.Resource scalaResource =
      new kafka.security.auth.Resource(scalaResType, resource.name());

  final KafkaPrincipal user = new KafkaPrincipal("User", username);
  final PermissionType scalaPermission = PermissionType$.MODULE$.fromJava(permission);

  // One ACL per requested operation, all bound to the wildcard host.
  final Set<Acl> javaAcls = ops.stream()
      .map(op -> new Acl(user, scalaPermission, "*", Operation$.MODULE$.fromJava(op)))
      .collect(Collectors.toSet());
  final scala.collection.immutable.Set<Acl> scalaAcls =
      JavaConversions.asScalaSet(javaAcls).toSet();

  authorizer.addAcls(scalaAcls, scalaResource);
  addedAcls.add(scalaResource);
}
 
Example #26
Source File: KafkaAdminClient.java — from common-kafka (Apache License 2.0)
/**
 * Returns all {@link Acl}s defined in the Kafka cluster.
 *
 * <p>The authorizer's Scala result is converted with {@code convertKafkaAclMap};
 * ZooKeeper-level failures are wrapped so callers only see one exception type.
 *
 * @return unmodifiable map of all {@link Acl}s defined in the Kafka cluster
 *
 * @throws AdminOperationException
 *      if there is an issue reading the {@link Acl}s
 */
public Map<Resource, Set<Acl>> getAcls() {
    LOG.debug("Fetching all ACLs");
    final Map<Resource, Set<Acl>> allAcls;
    try {
        allAcls = convertKafkaAclMap(getAuthorizer().getAcls());
    } catch (ZkException | ZooKeeperClientException e) {
        throw new AdminOperationException("Unable to retrieve all ACLs", e);
    }
    return allAcls;
}
 
Example #27
Source File: KafkaAdminClient.java — from common-kafka (Apache License 2.0)
/**
 * Returns all {@link Acl}s associated to the given {@link KafkaPrincipal}.
 *
 * <p>The authorizer's Scala result is converted with {@code convertKafkaAclMap};
 * ZooKeeper-level failures are wrapped so callers only see one exception type.
 *
 * @param principal
 *      the {@link KafkaPrincipal} to look up {@link Acl}s for
 * @return unmodifiable map of all {@link Acl}s associated to the given {@link KafkaPrincipal}
 * @throws IllegalArgumentException
 *      if principal is {@code null}
 * @throws AdminOperationException
 *      if there is an issue reading the {@link Acl}s
 */
public Map<Resource, Set<Acl>> getAcls(KafkaPrincipal principal) {
    if (principal == null) {
        throw new IllegalArgumentException("principal cannot be null");
    }
    LOG.debug("Fetching all ACLs for principal [{}]", principal);

    final Map<Resource, Set<Acl>> principalAcls;
    try {
        principalAcls = convertKafkaAclMap(getAuthorizer().getAcls(principal));
    } catch (ZkException | ZooKeeperClientException e) {
        throw new AdminOperationException("Unable to retrieve ACLs for principal: " + principal, e);
    }
    return principalAcls;
}
 
Example #28
Source File: KafkaAdminClient.java — from common-kafka (Apache License 2.0)
/**
 * Returns all {@link Acl}s associated to the given {@link Resource}.
 *
 * <p>The authorizer's Scala set is copied into a Java set via
 * {@code convertToJavaSet} and wrapped read-only; ZooKeeper-level failures are
 * wrapped so callers only see one exception type.
 *
 * @param resource
 *      the {@link Resource} to look up {@link Acl}s for
 * @return unmodifiable set of all {@link Acl}s associated to the given {@link Resource}
 * @throws IllegalArgumentException
 *      if resource is {@code null}
 * @throws AdminOperationException
 *      if there is an issue reading the {@link Acl}s
 */
public Set<Acl> getAcls(Resource resource) {
    if (resource == null) {
        throw new IllegalArgumentException("resource cannot be null");
    }
    LOG.debug("Fetching all ACLs for resource [{}]", resource);

    final Set<Acl> resourceAcls;
    try {
        resourceAcls = convertToJavaSet(getAuthorizer().getAcls(resource).iterator());
    } catch (ZkException | ZooKeeperClientException e) {
        throw new AdminOperationException("Unable to retrieve ACLs for resource: " + resource, e);
    }
    return Collections.unmodifiableSet(resourceAcls);
}
 
Example #29
Source File: KafkaAdminClientTest.java — from common-kafka (Apache License 2.0)
/**
 * The set returned by {@code getAcls(resource)} must be read-only: clearing it
 * has to fail with {@code UnsupportedOperationException}.
 */
@Test(expected = UnsupportedOperationException.class)
public void getAcls_withResource_immutable() {
    final KafkaPrincipal owner = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "user");
    final Resource topic = Resource.fromString(Topic.name() + Resource.Separator() + "topic");
    final Set<Acl> readFromAnyHost =
            Collections.singleton(new Acl(owner, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));

    client.addAcls(readFromAnyHost, topic);
    client.getAcls(topic).clear();
}
 
Example #30
Source File: KafkaAdminClientTest.java — from common-kafka (Apache License 2.0)
/**
 * {@code getAcls(resource)} returns only the ACLs of the requested topic even
 * when the same ACL set was added to a second topic.
 */
@Test
public void getAcls_withResource() {
    final KafkaPrincipal owner = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "my_user");
    final Resource firstTopic = Resource.fromString(Topic.name() + Resource.Separator() + "topic1");
    final Resource secondTopic = Resource.fromString(Topic.name() + Resource.Separator() + "topic2");
    final Set<Acl> readFromAnyHost =
            Collections.singleton(new Acl(owner, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));

    client.addAcls(readFromAnyHost, firstTopic);
    client.addAcls(readFromAnyHost, secondTopic);

    assertThat(client.getAcls(firstTopic), is(readFromAnyHost));
}