Java源码示例:kafka.security.auth.Resource
示例1
@Test
public void getAcls() {
KafkaPrincipal user = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "my_user");
Resource topic1 = Resource.fromString(Topic.name() + Resource.Separator() + "topic1");
Resource topic2 = Resource.fromString(Topic.name() + Resource.Separator() + "topic2");
Set<Acl> readAcl = Collections.singleton(new Acl(user, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));
client.addAcls(readAcl, topic1);
client.addAcls(readAcl, topic2);
Map<Resource, Set<Acl>> allAcls = new HashMap<>();
allAcls.put(topic1, readAcl);
allAcls.put(topic2, readAcl);
assertThat(client.getAcls(), is(allAcls));
}
示例2
@Override
public boolean authorize(Session session, Operation operation,Resource resource) {
if(LOG.isDebugEnabled()) {
LOG.debug(String.format("==> RangerKafkaAuthorizer.authorize(Session=%s, Operation=%s, Resource=%s)", session, operation, resource));
}
boolean ret = false;
try {
activatePluginClassLoader();
ret = rangerKakfaAuthorizerImpl.authorize(session, operation, resource);
} finally {
deactivatePluginClassLoader();
}
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerKafkaAuthorizer.authorize: " + ret);
}
return ret;
}
示例3
@Override
public void addAcls(Set<Acl> acls, Resource resource) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerKafkaAuthorizer.addAcls(Set<Acl>, Resource)");
}
try {
activatePluginClassLoader();
rangerKakfaAuthorizerImpl.addAcls(acls, resource);
} finally {
deactivatePluginClassLoader();
}
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerKafkaAuthorizer.addAcls(Set<Acl>, Resource)");
}
}
示例4
@Override
public boolean removeAcls(Set<Acl> acls, Resource resource) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerKafkaAuthorizer.removeAcls(Set<Acl>, Resource)");
}
boolean ret = false;
try {
activatePluginClassLoader();
ret = rangerKakfaAuthorizerImpl.removeAcls(acls, resource);
} finally {
deactivatePluginClassLoader();
}
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerKafkaAuthorizer.removeAcls(Set<Acl>, Resource)");
}
return ret;
}
示例5
@Override
public boolean removeAcls(Resource resource) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerKafkaAuthorizer.removeAcls(Resource)");
}
boolean ret = false;
try {
activatePluginClassLoader();
ret = rangerKakfaAuthorizerImpl.removeAcls(resource);
} finally {
deactivatePluginClassLoader();
}
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerKafkaAuthorizer.removeAcls(Resource)");
}
return ret;
}
示例6
@Override
public Set<Acl> getAcls(Resource resource) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerKafkaAuthorizer.getAcls(Resource)");
}
Set<Acl> ret = null;
try {
activatePluginClassLoader();
ret = rangerKakfaAuthorizerImpl.getAcls(resource);
} finally {
deactivatePluginClassLoader();
}
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerKafkaAuthorizer.getAcls(Resource)");
}
return ret;
}
示例7
@Override
public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls(KafkaPrincipal principal) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerKafkaAuthorizer.getAcls(KafkaPrincipal)");
}
scala.collection.immutable.Map<Resource, Set<Acl>> ret = null;
try {
activatePluginClassLoader();
ret = rangerKakfaAuthorizerImpl.getAcls(principal);
} finally {
deactivatePluginClassLoader();
}
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerKafkaAuthorizer.getAcls(KafkaPrincipal)");
}
return ret;
}
示例8
@Override
public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls() {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerKafkaAuthorizer.getAcls()");
}
scala.collection.immutable.Map<Resource, Set<Acl>> ret = null;
try {
activatePluginClassLoader();
ret = rangerKakfaAuthorizerImpl.getAcls();
} finally {
deactivatePluginClassLoader();
}
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerKafkaAuthorizer.getAcls()");
}
return ret;
}
示例9
@Test
public void testAddAclsForNonExistentRole() {
sentryKafkaAuthorizer = new SentryKafkaAuthorizer();
java.util.Map<String, String> configs = new HashMap<>();
configs.put(KafkaAuthConf.SENTRY_KAFKA_SITE_URL, "file://" + sentrySitePath.getAbsolutePath());
sentryKafkaAuthorizer.configure(configs);
final String role1 = "role1";
Set<Acl> acls = new HashSet<>();
final Acl acl = new Acl(new KafkaPrincipal("role", role1),
Allow$.MODULE$,
"127.0.0.1",
Operation$.MODULE$.fromString("READ"));
acls.add(acl);
scala.collection.immutable.Set<Acl> aclsScala = scala.collection.JavaConversions.asScalaSet(acls).toSet();
Resource resource = new Resource(ResourceType$.MODULE$.fromString("TOPIC"), "test-topic");
try {
sentryKafkaAuthorizer.addAcls(aclsScala, resource);
} catch (Exception ex) {
assertCausedMessage(ex, "Can not add Acl for non-existent Role: role1");
}
}
示例10
public static List<Authorizable> convertResourceToAuthorizable(String hostname,
final Resource resource) {
List<Authorizable> authorizables = Lists.newArrayList();
authorizables.add(new Host(hostname));
authorizables.add(new Authorizable() {
@Override
public String getTypeName() {
final String resourceTypeName = resource.resourceType().name();
// Kafka's GROUP resource is referred as CONSUMERGROUP within Sentry.
if (resourceTypeName.equalsIgnoreCase("group")) {
return KafkaAuthorizable.AuthorizableType.CONSUMERGROUP.name();
} else {
return resourceTypeName;
}
}
@Override
public String getName() {
return resource.name();
}
});
return authorizables;
}
示例11
public void addAcls(scala.collection.immutable.Set<Acl> acls, final Resource resource) {
verifyAcls(acls);
LOG.info("Adding Acl: acl->" + acls + " resource->" + resource);
final Iterator<Acl> iterator = acls.iterator();
while (iterator.hasNext()) {
final Acl acl = iterator.next();
final String role = getRole(acl);
if (!roleExists(role)) {
throw new KafkaException("Can not add Acl for non-existent Role: " + role);
}
execute(new Command<Void>() {
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
client.grantPrivilege(
requestorName, role, COMPONENT_NAME, toTSentryPrivilege(acl, resource));
return null;
}
});
}
}
示例12
public boolean removeAcls(scala.collection.immutable.Set<Acl> acls, final Resource resource) {
verifyAcls(acls);
LOG.info("Removing Acl: acl->" + acls + " resource->" + resource);
final Iterator<Acl> iterator = acls.iterator();
while (iterator.hasNext()) {
final Acl acl = iterator.next();
final String role = getRole(acl);
try {
execute(new Command<Void>() {
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
client.dropPrivilege(
requestorName, role, toTSentryPrivilege(acl, resource));
return null;
}
});
} catch (KafkaException kex) {
LOG.error("Failed to remove acls.", kex);
return false;
}
}
return true;
}
示例13
public boolean removeAcls(final Resource resource) {
LOG.info("Removing Acls for Resource: resource->" + resource);
List<String> roles = getAllRoles();
final List<TSentryPrivilege> tSentryPrivileges = getAllPrivileges(roles);
try {
execute(new Command<Void>() {
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
for (TSentryPrivilege tSentryPrivilege : tSentryPrivileges) {
if (isPrivilegeForResource(tSentryPrivilege, resource)) {
client.dropPrivilege(
requestorName, COMPONENT_NAME, tSentryPrivilege);
}
}
return null;
}
});
} catch (KafkaException kex) {
LOG.error("Failed to remove acls.", kex);
return false;
}
return true;
}
示例14
@Test
public void testCluster() {
String hostname = "localhost";
String clusterName = Resource$.MODULE$.ClusterResourceName();
Resource clusterResource = new Resource(ResourceType$.MODULE$.fromString("cluster"), clusterName);
List<Authorizable> authorizables = ConvertUtil.convertResourceToAuthorizable(hostname, clusterResource);
for (Authorizable auth : authorizables) {
if (auth.getTypeName().equalsIgnoreCase(KafkaAuthorizable.AuthorizableType.CLUSTER.name())) {
Assert.assertEquals(auth.getName(), clusterName);
} else if (auth.getTypeName().equalsIgnoreCase(KafkaAuthorizable.AuthorizableType.HOST.name())) {
Assert.assertEquals(auth.getName(), hostname);
} else {
Assert.fail("Unexpected type found: " + auth.getTypeName());
}
}
Assert.assertEquals(authorizables.size(), 2);
}
示例15
@Test
public void testTopic() {
String hostname = "localhost";
String topicName = "t1";
Resource topicResource = new Resource(ResourceType$.MODULE$.fromString("topic"), topicName);
List<Authorizable> authorizables = ConvertUtil.convertResourceToAuthorizable(hostname, topicResource);
for (Authorizable auth : authorizables) {
if (auth.getTypeName().equalsIgnoreCase(KafkaAuthorizable.AuthorizableType.TOPIC.name())) {
Assert.assertEquals(auth.getName(), topicName);
} else if (auth.getTypeName().equalsIgnoreCase(KafkaAuthorizable.AuthorizableType.HOST.name())) {
Assert.assertEquals(auth.getName(), hostname);
} else {
Assert.fail("Unexpected type found: " + auth.getTypeName());
}
}
Assert.assertEquals(authorizables.size(), 2);
}
示例16
@Test
public void testConsumerGroup() {
String hostname = "localhost";
String consumerGroup = "g1";
Resource consumerGroupResource = new Resource(ResourceType$.MODULE$.fromString("group"), consumerGroup);
List<Authorizable> authorizables = ConvertUtil.convertResourceToAuthorizable(hostname, consumerGroupResource);
for (Authorizable auth : authorizables) {
if (auth.getTypeName().equalsIgnoreCase(KafkaAuthorizable.AuthorizableType.CONSUMERGROUP.name())) {
Assert.assertEquals(auth.getName(),consumerGroup);
} else if (auth.getTypeName().equalsIgnoreCase(KafkaAuthorizable.AuthorizableType.HOST.name())) {
Assert.assertEquals(auth.getName(),hostname);
} else {
Assert.fail("Unexpected type found: " + auth.getTypeName());
}
}
Assert.assertEquals(authorizables.size(), 2);
}
示例17
boolean delegateIfRequested(RequestChannel.Session session, Operation operation, Resource resource, JsonNode authz) {
String nonAuthMessageFragment = session.principal() instanceof JwtKafkaPrincipal ? "" : " non-oauth";
if (delegateToKafkaACL) {
boolean granted = super.authorize(session, operation, resource);
boolean grantLogOn = granted && GRANT_LOG.isDebugEnabled();
boolean denyLogOn = !granted && DENY_LOG.isDebugEnabled();
if (grantLogOn || denyLogOn) {
String status = granted ? "GRANTED" : "DENIED";
String message = "Authorization " + status + " by ACL -" + nonAuthMessageFragment + " user: " + session.principal() + ", operation: " + operation + ", resource: " + resource;
if (grantLogOn) {
GRANT_LOG.debug(message);
} else if (denyLogOn) {
DENY_LOG.debug(message);
}
}
return granted;
}
if (DENY_LOG.isDebugEnabled()) {
DENY_LOG.debug("Authorization DENIED -" + nonAuthMessageFragment + " user: " + session.principal() +
", cluster: " + clusterName + ", operation: " + operation + ", resource: " + resource + ",\n permissions: " + authz);
}
return false;
}
示例18
@Override
public void addAcls(Set<Acl> acls, Resource resource) {
if (!delegateToKafkaACL) {
throw new RuntimeException("Simple ACL delegation not enabled");
}
super.addAcls(acls, resource);
}
示例19
@Override
public boolean removeAcls(Set<Acl> aclsTobeRemoved, Resource resource) {
if (!delegateToKafkaACL) {
throw new RuntimeException("Simple ACL delegation not enabled");
}
return super.removeAcls(aclsTobeRemoved, resource);
}
示例20
@Override
public boolean removeAcls(Resource resource) {
if (!delegateToKafkaACL) {
throw new RuntimeException("Simple ACL delegation not enabled");
}
return super.removeAcls(resource);
}
示例21
@Override
public Set<Acl> getAcls(Resource resource) {
if (!delegateToKafkaACL) {
throw new RuntimeException("Simple ACL delegation not enabled");
}
return super.getAcls(resource);
}
示例22
@Override
public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls(KafkaPrincipal principal) {
if (!delegateToKafkaACL) {
throw new RuntimeException("Simple ACL delegation not enabled");
}
return super.getAcls(principal);
}
示例23
@Override
public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls() {
if (!delegateToKafkaACL) {
throw new RuntimeException("Simple ACL delegation not enabled");
}
return super.getAcls();
}
示例24
/**
* Returns all {@link Acl}s defined in the Kafka cluster
*
* @return unmodifiable map of all {@link Acl}s defined in the Kafka cluster
*
* @throws AdminOperationException
* if there is an issue reading the {@link Acl}s
*/
public Map<Resource, Set<Acl>> getAcls() {
LOG.debug("Fetching all ACLs");
try {
return convertKafkaAclMap(getAuthorizer().getAcls());
} catch (ZkException | ZooKeeperClientException e) {
throw new AdminOperationException("Unable to retrieve all ACLs", e);
}
}
示例25
/**
* Returns all {@link Acl}s associated to the given {@link KafkaPrincipal}
*
* @param principal
* the {@link KafkaPrincipal} to look up {@link Acl}s for
* @return unmodifiable map of all {@link Acl}s associated to the given {@link KafkaPrincipal}
* @throws IllegalArgumentException
* if principal is {@code null}
* @throws AdminOperationException
* if there is an issue reading the {@link Acl}s
*/
public Map<Resource, Set<Acl>> getAcls(KafkaPrincipal principal) {
if (principal == null)
throw new IllegalArgumentException("principal cannot be null");
LOG.debug("Fetching all ACLs for principal [{}]", principal);
try {
return convertKafkaAclMap(getAuthorizer().getAcls(principal));
} catch (ZkException | ZooKeeperClientException e) {
throw new AdminOperationException("Unable to retrieve ACLs for principal: " + principal, e);
}
}
示例26
/**
* Returns all {@link Acl}s associated to the given {@link Resource}
*
* @param resource
* the {@link Resource} to look up {@link Acl}s for
* @return unmodifiable set of all {@link Acl}s associated to the given {@link Resource}
* @throws IllegalArgumentException
* if resource is {@code null}
* @throws AdminOperationException
* if there is an issue reading the {@link Acl}s
*/
public Set<Acl> getAcls(Resource resource) {
if (resource == null)
throw new IllegalArgumentException("resource cannot be null");
LOG.debug("Fetching all ACLs for resource [{}]", resource);
try {
return Collections.unmodifiableSet(convertToJavaSet(getAuthorizer().getAcls(resource).iterator()));
} catch (ZkException | ZooKeeperClientException e) {
throw new AdminOperationException("Unable to retrieve ACLs for resource: " + resource, e);
}
}
示例27
/**
* Adds the given {@link Acl}s to the {@link Resource}
*
* @param acls
* the {@link Acl}s to add
* @param resource
* the {@link Resource} to add the {@link Acl}s to
* @throws IllegalArgumentException
* if acls or resource is {@code null}
* @throws AdminOperationException
* if there is an issue adding the {@link Acl}s
*/
public void addAcls(Set<Acl> acls, Resource resource) {
if (acls == null)
throw new IllegalArgumentException("acls cannot be null");
if (resource == null)
throw new IllegalArgumentException("resource cannot be null");
LOG.debug("Adding ACLs [{}] for resource [{}]", acls, resource);
try {
getAuthorizer().addAcls(toImmutableScalaSet(acls), resource);
} catch (ZkException | ZooKeeperClientException | IllegalStateException e) {
throw new AdminOperationException("Unable to add ACLs for resource: " + resource, e);
}
}
示例28
/**
* Removes the given {@link Acl}s from the {@link Resource}
*
* @param acls
* the {@link Acl}s to remove
* @param resource
* the {@link Resource} to remove the {@link Acl}s from
* @throws IllegalArgumentException
* if acls or resource is {@code null}
* @throws AdminOperationException
* if there is an issue removing the {@link Acl}s
*/
public void removeAcls(Set<Acl> acls, Resource resource) {
if (acls == null)
throw new IllegalArgumentException("acls cannot be null");
if (resource == null)
throw new IllegalArgumentException("resource cannot be null");
LOG.debug("Removing ACLs [{}] for resource [{}]", acls, resource);
try {
getAuthorizer().removeAcls(toImmutableScalaSet(acls), resource);
} catch (ZkException | ZooKeeperClientException e) {
throw new AdminOperationException("Unable to remove ACLs for resource: " + resource, e);
}
}
示例29
@Test(expected = UnsupportedOperationException.class)
public void getAcls_immutable() {
KafkaPrincipal user = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "my_user");
Resource topic = Resource.fromString(Topic.name() + Resource.Separator() + "topic");
Set<Acl> readAcl = Collections.singleton(new Acl(user, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));
client.addAcls(readAcl, topic);
client.getAcls().clear();
}
示例30
@Test
public void getAcls_withKafkaPrincipal() {
KafkaPrincipal user1 = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "user1");
KafkaPrincipal user2 = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "user2");
Resource topic1 = Resource.fromString(Topic.name() + Resource.Separator() + "topic1");
Set<Acl> user1Acl = Collections.singleton(new Acl(user1, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));
Set<Acl> user2Acl = Collections.singleton(new Acl(user2, Allow$.MODULE$, Acl.WildCardHost(), Read$.MODULE$));
client.addAcls(user1Acl, topic1);
client.addAcls(user2Acl, topic1);
assertThat(client.getAcls(user1), is(Collections.singletonMap(topic1, user1Acl)));
}
