kafka.security.auth.Acl Java Examples
The following examples show how to use
kafka.security.auth.Acl.
Example #1
Source File: RangerKafkaAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Forwards an ACL grant to the wrapped Ranger authorizer implementation.
 *
 * <p>The delegate call is bracketed by {@code activatePluginClassLoader()} and
 * {@code deactivatePluginClassLoader()}. Deactivation sits in a {@code finally}
 * block, so it runs even when the delegate (or the activation itself) throws.
 *
 * @param acls     the ACL entries to add
 * @param resource the resource the entries are attached to
 */
@Override
public void addAcls(Set<Acl> acls, Resource resource) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerKafkaAuthorizer.addAcls(Set<Acl>, Resource)");
    }

    try {
        activatePluginClassLoader();
        rangerKakfaAuthorizerImpl.addAcls(acls, resource);
    } finally {
        // Always undo the class-loader switch, whatever the delegate did.
        deactivatePluginClassLoader();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerKafkaAuthorizer.addAcls(Set<Acl>, Resource)");
    }
}
Example #2
Source File: KafkaAuthBinding.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Drops the Sentry privilege that corresponds to each supplied ACL.
 *
 * <p>ACLs are processed one at a time. The first {@code KafkaException} stops the loop and
 * yields {@code false}; privileges dropped before that point are not restored here, so a
 * {@code false} result can mean a partially applied removal.
 *
 * @param acls     ACLs whose privileges should be dropped
 * @param resource resource the ACLs refer to
 * @return {@code true} if every drop succeeded, {@code false} on the first failure
 */
public boolean removeAcls(scala.collection.immutable.Set<Acl> acls, final Resource resource) {
    verifyAcls(acls);
    LOG.info("Removing Acl: acl->" + acls + " resource->" + resource);

    for (final Iterator<Acl> remaining = acls.iterator(); remaining.hasNext(); ) {
        final Acl current = remaining.next();
        final String roleName = getRole(current);
        try {
            execute(new Command<Void>() {
                @Override
                public Void run(SentryGenericServiceClient client) throws Exception {
                    client.dropPrivilege(requestorName, roleName, toTSentryPrivilege(current, resource));
                    return null;
                }
            });
        } catch (KafkaException kex) {
            LOG.error("Failed to remove acls.", kex);
            return false;
        }
    }
    return true;
}
Example #3
Source File: KafkaAuthBinding.java From incubator-sentry with Apache License 2.0 | 6 votes |
/**
 * Grants the Sentry privilege that corresponds to each supplied ACL.
 *
 * <p>ACLs are processed one at a time. If a later ACL names a role that does not exist, the
 * method throws after the earlier grants have already been executed; nothing here rolls
 * them back.
 *
 * @param acls     ACLs to translate into Sentry grants
 * @param resource resource the ACLs refer to
 * @throws KafkaException if an ACL refers to a role for which {@code roleExists} is false
 */
public void addAcls(scala.collection.immutable.Set<Acl> acls, final Resource resource) {
    verifyAcls(acls);
    LOG.info("Adding Acl: acl->" + acls + " resource->" + resource);

    for (final Iterator<Acl> remaining = acls.iterator(); remaining.hasNext(); ) {
        final Acl current = remaining.next();
        final String roleName = getRole(current);

        // Refuse to grant against a role Sentry does not know about.
        if (!roleExists(roleName)) {
            throw new KafkaException("Can not add Acl for non-existent Role: " + roleName);
        }

        execute(new Command<Void>() {
            @Override
            public Void run(SentryGenericServiceClient client) throws Exception {
                client.grantPrivilege(
                    requestorName, roleName, COMPONENT_NAME, toTSentryPrivilege(current, resource));
                return null;
            }
        });
    }
}
Example #4
Source File: TestAclsCrud.java From incubator-sentry with Apache License 2.0 | 6 votes |
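/**
 * Verifies that adding an ACL for a role that does not exist is rejected with the expected
 * message.
 *
 * <p>The original form only checked the message inside the {@code catch}, so the test also
 * passed when {@code addAcls} threw nothing at all. An explicit failure now follows the call,
 * so an authorizer that silently accepts the ACL fails the test.
 */
@Test
public void testAddAclsForNonExistentRole() {
    sentryKafkaAuthorizer = new SentryKafkaAuthorizer();
    java.util.Map<String, String> configs = new HashMap<>();
    configs.put(KafkaAuthConf.SENTRY_KAFKA_SITE_URL, "file://" + sentrySitePath.getAbsolutePath());
    sentryKafkaAuthorizer.configure(configs);

    final String role1 = "role1";
    Set<Acl> acls = new HashSet<>();
    final Acl acl = new Acl(new KafkaPrincipal("role", role1),
        Allow$.MODULE$,
        "127.0.0.1",
        Operation$.MODULE$.fromString("READ"));
    acls.add(acl);
    scala.collection.immutable.Set<Acl> aclsScala = scala.collection.JavaConversions.asScalaSet(acls).toSet();
    Resource resource = new Resource(ResourceType$.MODULE$.fromString("TOPIC"), "test-topic");

    try {
        sentryKafkaAuthorizer.addAcls(aclsScala, resource);
        // AssertionError is an Error, not an Exception, so the catch below cannot swallow it.
        throw new AssertionError("Expected addAcls to fail for non-existent role: " + role1);
    } catch (Exception ex) {
        assertCausedMessage(ex, "Can not add Acl for non-existent Role: role1");
    }
}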
Example #5
Source File: RangerKafkaAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Returns every ACL known to the wrapped Ranger authorizer implementation.
 *
 * <p>The delegate call runs with the plugin class loader activated; deactivation is in a
 * {@code finally} block and therefore also runs when the delegate throws.
 *
 * @return the delegate's resource-to-ACL map, passed through unchanged
 */
@Override
public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls() {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerKafkaAuthorizer.getAcls()");
    }

    final scala.collection.immutable.Map<Resource, Set<Acl>> allAcls;
    try {
        activatePluginClassLoader();
        allAcls = rangerKakfaAuthorizerImpl.getAcls();
    } finally {
        deactivatePluginClassLoader();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerKafkaAuthorizer.getAcls()");
    }
    return allAcls;
}
Example #6
Source File: RangerKafkaAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Returns the ACLs the wrapped Ranger authorizer implementation reports for a principal.
 *
 * <p>The delegate call runs with the plugin class loader activated; deactivation is in a
 * {@code finally} block and therefore also runs when the delegate throws.
 *
 * @param principal the principal to look up
 * @return the delegate's resource-to-ACL map, passed through unchanged
 */
@Override
public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls(KafkaPrincipal principal) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerKafkaAuthorizer.getAcls(KafkaPrincipal)");
    }

    final scala.collection.immutable.Map<Resource, Set<Acl>> principalAcls;
    try {
        activatePluginClassLoader();
        principalAcls = rangerKakfaAuthorizerImpl.getAcls(principal);
    } finally {
        deactivatePluginClassLoader();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerKafkaAuthorizer.getAcls(KafkaPrincipal)");
    }
    return principalAcls;
}
Example #7
Source File: RangerKafkaAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Returns the ACLs the wrapped Ranger authorizer implementation reports for a resource.
 *
 * <p>The delegate call runs with the plugin class loader activated; deactivation is in a
 * {@code finally} block and therefore also runs when the delegate throws.
 *
 * @param resource the resource to look up
 * @return the delegate's ACL set, passed through unchanged
 */
@Override
public Set<Acl> getAcls(Resource resource) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerKafkaAuthorizer.getAcls(Resource)");
    }

    final Set<Acl> resourceAcls;
    try {
        activatePluginClassLoader();
        resourceAcls = rangerKakfaAuthorizerImpl.getAcls(resource);
    } finally {
        deactivatePluginClassLoader();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerKafkaAuthorizer.getAcls(Resource)");
    }
    return resourceAcls;
}
Example #8
Source File: KafkaAdminClientTest.java From common-kafka with Apache License 2.0 | 6 votes |
/**
 * Adds the same read ACL to two topics and checks that the no-argument {@code getAcls()}
 * returns exactly those two entries.
 */
@Test
public void getAcls() {
    KafkaPrincipal principal = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "my_user");
    Set<Acl> allowRead =
        Collections.singleton(new Acl(principal, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));

    Resource firstTopic = Resource.fromString(Topic.name() + Resource.Separator() + "topic1");
    Resource secondTopic = Resource.fromString(Topic.name() + Resource.Separator() + "topic2");

    client.addAcls(allowRead, firstTopic);
    client.addAcls(allowRead, secondTopic);

    Map<Resource, Set<Acl>> expected = new HashMap<>();
    expected.put(firstTopic, allowRead);
    expected.put(secondTopic, allowRead);

    assertThat(client.getAcls(), is(expected));
}
Example #9
Source File: RangerKafkaAuthorizer.java From ranger with Apache License 2.0 | 6 votes |
/**
 * Forwards an ACL removal to the wrapped Ranger authorizer implementation.
 *
 * <p>The delegate call runs with the plugin class loader activated; deactivation is in a
 * {@code finally} block and therefore also runs when the delegate throws.
 *
 * @param acls     the ACL entries to remove
 * @param resource the resource the entries are attached to
 * @return whatever the delegate's {@code removeAcls} returns
 */
@Override
public boolean removeAcls(Set<Acl> acls, Resource resource) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerKafkaAuthorizer.removeAcls(Set<Acl>, Resource)");
    }

    final boolean removed;
    try {
        activatePluginClassLoader();
        removed = rangerKakfaAuthorizerImpl.removeAcls(acls, resource);
    } finally {
        deactivatePluginClassLoader();
    }

    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerKafkaAuthorizer.removeAcls(Set<Acl>, Resource)");
    }
    return removed;
}
Example #10
Source File: KafkaAdminClientTest.java From common-kafka with Apache License 2.0 | 5 votes |
/**
 * Expects {@code AdminOperationException} when {@code addAcls} is called on
 * {@code failureClient}.
 */
@Test(expected = AdminOperationException.class)
public void addAcls_zkException() {
    Resource topic = Resource.fromString(Topic.name() + Resource.Separator() + "topic");
    KafkaPrincipal principal = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "user");
    Set<Acl> allowRead =
        Collections.singleton(new Acl(principal, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));

    failureClient.addAcls(allowRead, topic);
}
Example #11
Source File: KafkaAdminClientTest.java From common-kafka with Apache License 2.0 | 5 votes |
/**
 * Expects {@code AdminOperationException} when {@code removeAcls} is called on
 * {@code failureClient}.
 */
@Test(expected = AdminOperationException.class)
public void removeAcls_zkException() {
    Resource topic = Resource.fromString(Topic.name() + Resource.Separator() + "topic");
    KafkaPrincipal principal = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "user");
    Set<Acl> allowRead =
        Collections.singleton(new Acl(principal, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));

    failureClient.removeAcls(allowRead, topic);
}
Example #12
Source File: KafkaAdminClientTest.java From common-kafka with Apache License 2.0 | 5 votes |
/**
 * Adds a read ACL to a topic, confirms it is visible, removes it, and confirms the topic has
 * no ACLs left.
 */
@Test
public void removeAcls() {
    KafkaPrincipal principal = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "my_user");
    Resource topic = Resource.fromString(Topic.name() + Resource.Separator() + "topic1");
    Set<Acl> allowRead =
        Collections.singleton(new Acl(principal, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));

    // Grant, then check the grant is readable back.
    client.addAcls(allowRead, topic);
    assertThat(client.getAcls(topic), is(allowRead));

    // Revoke, then check nothing remains on the resource.
    client.removeAcls(allowRead, topic);
    assertThat(client.getAcls(topic), is(empty()));
}
Example #13
Source File: KafkaAdminClientTest.java From common-kafka with Apache License 2.0 | 5 votes |
/**
 * Expects {@code IllegalArgumentException} when {@code removeAcls} is given a {@code null}
 * resource.
 */
@Test (expected = IllegalArgumentException.class)
public void removeAcls_nullResource() {
    KafkaPrincipal principal = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "my_user");
    Acl allowReadEntry = new Acl(principal, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$);
    Set<Acl> allowRead = Collections.singleton(allowReadEntry);

    client.removeAcls(allowRead, null);
}
Example #14
Source File: KeycloakRBACAuthorizer.java From strimzi-kafka-oauth with Apache License 2.0 | 5 votes |
/**
 * Adds ACLs through the superclass, but only when {@code delegateToKafkaACL} is set.
 *
 * @param acls     the ACL entries to add
 * @param resource the resource the entries are attached to
 * @throws RuntimeException if {@code delegateToKafkaACL} is false
 */
@Override
public void addAcls(Set<Acl> acls, Resource resource) {
    if (delegateToKafkaACL) {
        super.addAcls(acls, resource);
        return;
    }
    // With delegation off, ACL management through this authorizer is refused outright.
    throw new RuntimeException("Simple ACL delegation not enabled");
}
Example #15
Source File: KafkaAuthBinding.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Returns ACLs for the given principal.
 *
 * <p>Only principals whose type lower-cases to {@code "group"} are resolved, through the
 * group's roles. NOTE(review): for every other principal type this falls back to the
 * no-argument {@code getAcls()} and so returns ACLs for all principals; callers should not
 * assume the result is scoped to {@code principal} — confirm this is the intended contract.
 *
 * @param principal the principal to look up
 * @return ACLs for the group's roles, or the result of {@code getAcls()} for other types
 */
public Map<Resource, scala.collection.immutable.Set<Acl>> getAcls(KafkaPrincipal principal) {
    final boolean isGroup = principal.getPrincipalType().toLowerCase().equals("group");
    if (!isGroup) {
        LOG.info("Did not recognize Principal type: " + principal.getPrincipalType() + ". Returning Acls for all principals.");
        return getAcls();
    }

    List<String> groupRoles = getRolesforGroup(principal.getName());
    return getAclsForRoles(groupRoles);
}
Example #16
Source File: KafkaAuthBinding.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Builds the Sentry privilege that represents one ACL on one resource.
 *
 * <p>The ACL's host and the resource are converted to authorizables by
 * {@code ConvertUtil.convertResourceToAuthorizable}; each is copied into a
 * {@code TAuthorizable} by type name and name. The privilege action is the ACL operation's
 * name.
 *
 * @param acl      ACL supplying the host and the operation
 * @param resource resource the ACL applies to
 * @return a privilege for {@code COMPONENT_NAME} and {@code instanceName}
 */
private TSentryPrivilege toTSentryPrivilege(Acl acl, Resource resource) {
    final List<TAuthorizable> thriftAuthorizables = new ArrayList<>();
    final List<Authorizable> converted = ConvertUtil.convertResourceToAuthorizable(acl.host(), resource);
    for (Authorizable item : converted) {
        thriftAuthorizables.add(new TAuthorizable(item.getTypeName(), item.getName()));
    }
    return new TSentryPrivilege(COMPONENT_NAME, instanceName, thriftAuthorizables, acl.operation().name());
}
Example #17
Source File: KafkaAuthBinding.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Converts a role-to-privileges map into a resource-to-ACLs map.
 *
 * <p>Every non-HOST authorizable of a privilege becomes a {@code Resource}, and an Allow ACL
 * for principal {@code role:<role>} is merged into that resource's set. The action
 * {@code "*"} is mapped to the operation name {@code "All"}.
 *
 * <p>NOTE(review): {@code host} is picked up while walking the authorizable list, so a
 * resource that appears before the HOST entry gets an ACL whose host is {@code null}.
 * Presumably the list always carries HOST first — verify against
 * {@code ConvertUtil.convertResourceToAuthorizable}.
 *
 * @param rolePrivilegesMap privileges keyed by role name
 * @return ACLs keyed by resource
 */
private java.util.Map<Resource, scala.collection.immutable.Set<Acl>> rolePrivilegesToResourceAcls(java.util.Map<String, scala.collection.immutable.Set<TSentryPrivilege>> rolePrivilegesMap) {
    final java.util.Map<Resource, scala.collection.immutable.Set<Acl>> resourceAclsMap = new HashMap<>();

    for (java.util.Map.Entry<String, scala.collection.immutable.Set<TSentryPrivilege>> entry : rolePrivilegesMap.entrySet()) {
        final String role = entry.getKey();
        final Iterator<TSentryPrivilege> pending = entry.getValue().iterator();

        while (pending.hasNext()) {
            final TSentryPrivilege privilege = pending.next();
            final List<TAuthorizable> parts = privilege.getAuthorizables();
            String host = null;
            String operation = privilege.getAction();

            for (TAuthorizable part : parts) {
                if (part.getType().equals(KafkaAuthorizable.AuthorizableType.HOST.name())) {
                    // Remember the host for the resources that follow in this privilege.
                    host = part.getName();
                    continue;
                }

                final Resource resource = new Resource(ResourceType$.MODULE$.fromString(part.getType()), part.getName());
                if (operation.equals("*")) {
                    operation = "All";
                }
                final Acl acl = new Acl(new KafkaPrincipal("role", role), Allow$.MODULE$, host, Operation$.MODULE$.fromString(operation));

                // Merge with whatever is already recorded for this resource, then store
                // the union back as an immutable Scala set.
                final Set<Acl> merged = new HashSet<Acl>();
                merged.add(acl);
                addExistingAclsForResource(resourceAclsMap, resource, merged);
                final scala.collection.mutable.Set<Acl> mergedScala = JavaConversions.asScalaSet(merged);
                resourceAclsMap.put(resource, mergedScala.<Acl>toSet());
            }
        }
    }

    return resourceAclsMap;
}
Example #18
Source File: KafkaAuthBinding.java From incubator-sentry with Apache License 2.0 | 5 votes |
/**
 * Copies the ACLs already recorded for {@code resource} into {@code newAclsJava}.
 *
 * <p>Does nothing when the map has no entry for the resource.
 *
 * @param resourceAclsMap ACLs collected so far, keyed by resource
 * @param resource        resource whose existing ACLs should be carried over
 * @param newAclsJava     mutable set that receives the existing ACLs
 */
private void addExistingAclsForResource(java.util.Map<Resource, scala.collection.immutable.Set<Acl>> resourceAclsMap, Resource resource, java.util.Set<Acl> newAclsJava) {
    final scala.collection.immutable.Set<Acl> recorded = resourceAclsMap.get(resource);
    if (recorded == null) {
        return;
    }
    for (final Iterator<Acl> cursor = recorded.iterator(); cursor.hasNext(); ) {
        newAclsJava.add(cursor.next());
    }
}
Example #19
Source File: KafkaAuthBinding.java From incubator-sentry with Apache License 2.0 | 5 votes |
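/**
 * Rejects ACLs this binding cannot represent: only principals of type "role" and only the
 * Allow permission type are accepted.
 *
 * <p>These checks were Java {@code assert} statements, which the JVM skips unless assertions
 * are enabled with {@code -ea}. With assertions off, an ACL with any other permission type or
 * principal type passed through unchecked and was handed to the grant/drop code as if it
 * were an Allow ACL for a role. The checks are now unconditional and throw the same
 * {@code KafkaException} type the class already uses for a rejected ACL.
 *
 * @param acls ACLs to validate
 * @throws KafkaException if any ACL has a non-"role" principal type or a non-Allow permission
 */
private void verifyAcls(scala.collection.immutable.Set<Acl> acls) {
    final Iterator<Acl> iterator = acls.iterator();
    while (iterator.hasNext()) {
        final Acl acl = iterator.next();
        if (!acl.principal().getPrincipalType().toLowerCase().equals("role")) {
            throw new KafkaException("Only Acls with KafkaPrincipal of type \"role;\" is supported.");
        }
        if (!acl.permissionType().name().equals(Allow.name())) {
            throw new KafkaException("Only Acls with Permission of type \"Allow\" is supported.");
        }
    }
}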
Example #20
Source File: KafkaAdminClientTest.java From common-kafka with Apache License 2.0 | 5 votes |
/**
 * Adds a read ACL to a topic and checks that it can be read back for that topic.
 */
@Test
public void addAcls() {
    Resource topic = Resource.fromString(Topic.name() + Resource.Separator() + "topic1");
    KafkaPrincipal principal = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "my_user");
    Set<Acl> allowRead =
        Collections.singleton(new Acl(principal, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));

    client.addAcls(allowRead, topic);

    assertThat(client.getAcls(topic), is(allowRead));
}
Example #21
Source File: KeycloakRBACAuthorizer.java From strimzi-kafka-oauth with Apache License 2.0 | 5 votes |
/**
 * Removes ACLs through the superclass, but only when {@code delegateToKafkaACL} is set.
 *
 * @param aclsTobeRemoved the ACL entries to remove
 * @param resource        the resource the entries are attached to
 * @return the superclass result
 * @throws RuntimeException if {@code delegateToKafkaACL} is false
 */
@Override
public boolean removeAcls(Set<Acl> aclsTobeRemoved, Resource resource) {
    if (delegateToKafkaACL) {
        return super.removeAcls(aclsTobeRemoved, resource);
    }
    // With delegation off, ACL management through this authorizer is refused outright.
    throw new RuntimeException("Simple ACL delegation not enabled");
}
Example #22
Source File: KeycloakRBACAuthorizer.java From strimzi-kafka-oauth with Apache License 2.0 | 5 votes |
/**
 * Returns the ACLs for a resource from the superclass, but only when
 * {@code delegateToKafkaACL} is set.
 *
 * @param resource the resource to look up
 * @return the superclass result
 * @throws RuntimeException if {@code delegateToKafkaACL} is false
 */
@Override
public Set<Acl> getAcls(Resource resource) {
    if (delegateToKafkaACL) {
        return super.getAcls(resource);
    }
    // With delegation off, even reading ACLs through this authorizer is refused.
    throw new RuntimeException("Simple ACL delegation not enabled");
}
Example #23
Source File: KeycloakRBACAuthorizer.java From strimzi-kafka-oauth with Apache License 2.0 | 5 votes |
/**
 * Returns the ACLs for a principal from the superclass, but only when
 * {@code delegateToKafkaACL} is set.
 *
 * @param principal the principal to look up
 * @return the superclass result
 * @throws RuntimeException if {@code delegateToKafkaACL} is false
 */
@Override
public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls(KafkaPrincipal principal) {
    if (delegateToKafkaACL) {
        return super.getAcls(principal);
    }
    // With delegation off, even reading ACLs through this authorizer is refused.
    throw new RuntimeException("Simple ACL delegation not enabled");
}
Example #24
Source File: KeycloakRBACAuthorizer.java From strimzi-kafka-oauth with Apache License 2.0 | 5 votes |
/**
 * Returns all ACLs from the superclass, but only when {@code delegateToKafkaACL} is set.
 *
 * @return the superclass result
 * @throws RuntimeException if {@code delegateToKafkaACL} is false
 */
@Override
public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls() {
    if (delegateToKafkaACL) {
        return super.getAcls();
    }
    // With delegation off, even reading ACLs through this authorizer is refused.
    throw new RuntimeException("Simple ACL delegation not enabled");
}
Example #25
Source File: EmbeddedSingleNodeKafkaCluster.java From ksql-fork-with-deep-learning-function with Apache License 2.0 | 5 votes |
/**
 * Registers one ACL per operation for a user on the given resource, through
 * {@code authorizer.addAcls}.
 *
 * <p>The principal is built with type {@code "User"}. Every ACL is created with the literal
 * host {@code "*"}, so the entries are not restricted to a particular client host. The
 * resource is also recorded in {@code addedAcls}.
 *
 * @param username   name of the user principal the ACLs are for
 * @param permission whether the operations are allowed or denied
 * @param resource   the resource the ACLs are attached to
 * @param ops        the operations to create ACLs for
 */
public void addUserAcl(final String username,
                       final AclPermissionType permission,
                       final Resource resource,
                       final Set<AclOperation> ops) {
    final KafkaPrincipal principal = new KafkaPrincipal("User", username);
    final PermissionType scalaPermission = PermissionType$.MODULE$.fromJava(permission);

    // One ACL per requested operation, all sharing principal, permission and wildcard host.
    final Set<Acl> javaAcls = ops.stream()
        .map(javaOp -> new Acl(principal, scalaPermission, "*", Operation$.MODULE$.fromJava(javaOp)))
        .collect(Collectors.toSet());
    final scala.collection.immutable.Set<Acl> scalaAcls = JavaConversions.asScalaSet(javaAcls).toSet();

    // Translate the Java-side resource into the kafka.security.auth equivalent.
    kafka.security.auth.ResourceType scalaResType =
        ResourceType$.MODULE$.fromJava(resource.resourceType());
    final kafka.security.auth.Resource scalaResource =
        new kafka.security.auth.Resource(scalaResType, resource.name());

    authorizer.addAcls(scalaAcls, scalaResource);
    addedAcls.add(scalaResource);
}
Example #26
Source File: KafkaAdminClient.java From common-kafka with Apache License 2.0 | 5 votes |
/**
 * Fetches every {@link Acl} defined in the Kafka cluster.
 *
 * @return the authorizer's ACLs, converted by {@code convertKafkaAclMap}
 * @throws AdminOperationException
 *      if reading the {@link Acl}s fails with a {@code ZkException} or
 *      {@code ZooKeeperClientException}
 */
public Map<Resource, Set<Acl>> getAcls() {
    LOG.debug("Fetching all ACLs");

    try {
        return convertKafkaAclMap(getAuthorizer().getAcls());
    } catch (ZkException | ZooKeeperClientException cause) {
        // Wrap the ZooKeeper failure, keeping it as the cause.
        throw new AdminOperationException("Unable to retrieve all ACLs", cause);
    }
}
Example #27
Source File: KafkaAdminClient.java From common-kafka with Apache License 2.0 | 5 votes |
/**
 * Fetches every {@link Acl} associated with the given {@link KafkaPrincipal}.
 *
 * @param principal
 *      the {@link KafkaPrincipal} to look up {@link Acl}s for
 * @return the authorizer's ACLs for the principal, converted by {@code convertKafkaAclMap}
 * @throws IllegalArgumentException
 *      if principal is {@code null}
 * @throws AdminOperationException
 *      if reading the {@link Acl}s fails with a {@code ZkException} or
 *      {@code ZooKeeperClientException}
 */
public Map<Resource, Set<Acl>> getAcls(KafkaPrincipal principal) {
    if (principal == null) {
        throw new IllegalArgumentException("principal cannot be null");
    }

    LOG.debug("Fetching all ACLs for principal [{}]", principal);

    try {
        return convertKafkaAclMap(getAuthorizer().getAcls(principal));
    } catch (ZkException | ZooKeeperClientException cause) {
        // Wrap the ZooKeeper failure, keeping it as the cause.
        throw new AdminOperationException("Unable to retrieve ACLs for principal: " + principal, cause);
    }
}
Example #28
Source File: KafkaAdminClient.java From common-kafka with Apache License 2.0 | 5 votes |
/**
 * Fetches every {@link Acl} associated with the given {@link Resource}.
 *
 * @param resource
 *      the {@link Resource} to look up {@link Acl}s for
 * @return unmodifiable set of all {@link Acl}s associated with the given {@link Resource}
 * @throws IllegalArgumentException
 *      if resource is {@code null}
 * @throws AdminOperationException
 *      if reading the {@link Acl}s fails with a {@code ZkException} or
 *      {@code ZooKeeperClientException}
 */
public Set<Acl> getAcls(Resource resource) {
    if (resource == null) {
        throw new IllegalArgumentException("resource cannot be null");
    }

    LOG.debug("Fetching all ACLs for resource [{}]", resource);

    try {
        // Wrapped so callers cannot alter the returned set.
        return Collections.unmodifiableSet(
            convertToJavaSet(getAuthorizer().getAcls(resource).iterator()));
    } catch (ZkException | ZooKeeperClientException cause) {
        throw new AdminOperationException("Unable to retrieve ACLs for resource: " + resource, cause);
    }
}
Example #29
Source File: KafkaAdminClientTest.java From common-kafka with Apache License 2.0 | 5 votes |
/**
 * Expects {@code UnsupportedOperationException} when the set returned by
 * {@code getAcls(Resource)} is cleared, i.e. the result must not be modifiable by callers.
 */
@Test(expected = UnsupportedOperationException.class)
public void getAcls_withResource_immutable() {
    Resource topicResource = Resource.fromString(Topic.name() + Resource.Separator() + "topic");
    KafkaPrincipal principal = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "user");
    Set<Acl> allowRead =
        Collections.singleton(new Acl(principal, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));

    client.addAcls(allowRead, topicResource);

    // Mutating the returned view must be rejected.
    client.getAcls(topicResource).clear();
}
Example #30
Source File: KafkaAdminClientTest.java From common-kafka with Apache License 2.0 | 5 votes |
/**
 * Adds the same read ACL to two topics and checks that {@code getAcls(Resource)} for the
 * first topic returns that ACL.
 */
@Test
public void getAcls_withResource() {
    KafkaPrincipal principal = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "my_user");
    Set<Acl> allowRead =
        Collections.singleton(new Acl(principal, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));

    Resource firstTopic = Resource.fromString(Topic.name() + Resource.Separator() + "topic1");
    Resource secondTopic = Resource.fromString(Topic.name() + Resource.Separator() + "topic2");

    client.addAcls(allowRead, firstTopic);
    client.addAcls(allowRead, secondTopic);

    assertThat(client.getAcls(firstTopic), is(allowRead));
}