/**
 * Verifies that a principal listed as both a Nimbus admin and a supervisor user is
 * permitted every operation checked here, including topology-scoped operations on a
 * topology whose {@code TOPOLOGY_USERS} names only "user-a".
 */
@Test
public void simpleAclSameUserAuthTest() {
    Map<String, Object> clusterConf = ConfigUtils.readStormConfig();
    clusterConf.put(Config.NIMBUS_ADMINS, Collections.singletonList("admin"));
    clusterConf.put(Config.NIMBUS_SUPERVISOR_USERS, Collections.singletonList("admin"));

    SimpleACLAuthorizer authorizer = new SimpleACLAuthorizer();
    authorizer.prepare(clusterConf);

    ReqContext admin = new ReqContext(mkSubject("admin"));
    final Map<String, Object> noTopoConf = Collections.emptyMap();
    final Map<String, Object> ownedByUserA = new HashMap<>();
    ownedByUserA.put(Config.TOPOLOGY_USERS, Collections.singletonList("user-a"));

    // Cluster-level operations: submitTopology gets an empty conf, the rest get null.
    assertTrue(authorizer.permit(admin, "submitTopology", noTopoConf));
    String[] clusterOps = {"fileUpload", "getNimbusConf", "getClusterInfo", "fileDownload"};
    for (String op : clusterOps) {
        assertTrue(authorizer.permit(admin, op, null));
    }

    // Topology-level operations on a topology that does not list "admin" at all;
    // admin status alone must be enough.
    String[] topoOps = {
        "killTopology", "uploadNewCredentials", "rebalance", "activate",
        "getTopologyConf", "getTopology", "getUserTopology", "getTopologyInfo"
    };
    for (String op : topoOps) {
        assertTrue(authorizer.permit(admin, op, ownedByUserA));
    }
}
if (admins.contains(principal) || admins.contains(user) || checkUserGroupAllowed(userGroups, adminsGroups)) { return true; return nimbusUsers.size() == 0 || nimbusUsers.contains(user) || checkUserGroupAllowed(userGroups, nimbusGroups); if (checkTopoPermission(principal, user, userGroups, topoConf, Config.TOPOLOGY_USERS, Config.TOPOLOGY_GROUPS)) { return true; if (topoReadOnlyCommands.contains(operation) && checkTopoPermission(principal, user, userGroups, topoConf, Config.TOPOLOGY_READONLY_USERS, Config.TOPOLOGY_READONLY_GROUPS)) {
/**
 * Verifies the user lists in the cluster config: a NIMBUS_USERS member may submit a
 * topology, an unlisted user may not, a NIMBUS_ADMINS member may upload files and a
 * NIMBUS_SUPERVISOR_USERS member may download them.
 */
@Test
public void SimpleACLNimbusUserAuthTest() {
    Collection<String> admins = new HashSet<>();
    admins.add("admin");
    Collection<String> supervisors = new HashSet<>();
    supervisors.add("supervisor");
    Collection<String> nimbusUsers = new HashSet<>();
    nimbusUsers.add("user-a");

    Map<String, Object> clusterConf = ConfigUtils.readStormConfig();
    clusterConf.put(Config.NIMBUS_ADMINS, admins);
    clusterConf.put(Config.NIMBUS_SUPERVISOR_USERS, supervisors);
    clusterConf.put(Config.NIMBUS_USERS, nimbusUsers);

    IAuthorizer authorizer = new SimpleACLAuthorizer();
    authorizer.prepare(clusterConf);

    ReqContext adminCtx = new ReqContext(createSubject("admin"));
    ReqContext supervisorCtx = new ReqContext(createSubject("supervisor"));
    ReqContext userACtx = new ReqContext(createSubject("user-a"));
    ReqContext userBCtx = new ReqContext(createSubject("user-b"));

    Assert.assertTrue(authorizer.permit(userACtx, "submitTopology", new HashMap<>()));
    Assert.assertFalse(authorizer.permit(userBCtx, "submitTopology", new HashMap<>()));
    Assert.assertTrue(authorizer.permit(adminCtx, "fileUpload", new HashMap<>()));
    Assert.assertTrue(authorizer.permit(supervisorCtx, "fileDownload", new HashMap<>()));
}
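/**
 * Checks whether the caller is granted by a topology-level ACL entry.
 *
 * <p>The caller passes if {@code principal} or {@code user} appears in the collection stored
 * under {@code userConfigKey}, or if one of {@code userGroups} is allowed by the collection
 * stored under {@code groupConfigKey} (delegated to {@link #checkUserGroupAllowed}).
 *
 * <p>A missing or null entry under either key is treated as an empty list, so it can never
 * match; previously a null value under {@code userConfigKey} threw a NullPointerException
 * while the group key was null-guarded. A null {@code topoConf} is likewise treated as
 * "no ACL entries" and denies instead of throwing.
 *
 * @param principal      authenticated principal name
 * @param user           local user name mapped from the principal
 * @param userGroups     groups the user belongs to
 * @param topoConf       topology configuration holding the ACL entries, may be null
 * @param userConfigKey  config key whose value lists permitted users
 * @param groupConfigKey config key whose value lists permitted groups
 * @return true if a user or group entry grants access, false otherwise
 * @throws ClassCastException if a configured value is not a {@link Collection}
 */
private boolean checkTopoPermission(String principal, String user, Set<String> userGroups,
                                    Map<String, Object> topoConf, String userConfigKey,
                                    String groupConfigKey) {
    if (topoConf == null) {
        return false;
    }
    Set<String> configuredUsers = configuredNames(topoConf, userConfigKey);
    if (configuredUsers.contains(principal) || configuredUsers.contains(user)) {
        return true;
    }
    Set<String> configuredGroups = configuredNames(topoConf, groupConfigKey);
    return checkUserGroupAllowed(userGroups, configuredGroups);
}

/**
 * Copies the collection stored under {@code key} into a fresh set; a missing or null entry
 * yields an empty set. The cast is unchecked because the config map is untyped.
 */
@SuppressWarnings("unchecked")
private static Set<String> configuredNames(Map<String, Object> topoConf, String key) {
    Object value = topoConf.get(key);
    if (value == null) {
        return new HashSet<>();
    }
    return new HashSet<>((Collection<String>) value);
}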
/**
 * Verifies TOPOLOGY_READONLY_GROUPS resolved through the configured group-mapping plugin:
 * a member of the read-only group may fetch topology info but not kill the topology, and a
 * user outside the group may do neither.
 */
@Test
public void SimpleACLTopologyReadOnlyGroupAuthTest() {
    Map<String, Object> clusterConf = ConfigUtils.readStormConfig();
    clusterConf.put(Config.STORM_GROUP_MAPPING_SERVICE_PROVIDER_PLUGIN,
                    SimpleACLTopologyReadOnlyGroupAuthTestMock.class.getName());

    IAuthorizer authorizer = new SimpleACLAuthorizer();
    authorizer.prepare(clusterConf);

    Collection<String> readOnlyGroups = new HashSet<>();
    readOnlyGroups.add("group-readonly");
    Map<String, Object> topoConf = new HashMap<>();
    topoConf.put(Config.TOPOLOGY_READONLY_GROUPS, readOnlyGroups);

    ReqContext groupMember = new ReqContext(createSubject("user-in-readonly-group"));
    ReqContext outsider = new ReqContext(createSubject("user-b"));

    // Read-only group membership never grants a mutating operation.
    Assert.assertFalse(authorizer.permit(groupMember, "killTopology", topoConf));
    Assert.assertFalse(authorizer.permit(outsider, "killTopology", topoConf));
    // It does grant a read-only one, and only to the group member.
    Assert.assertTrue(authorizer.permit(groupMember, "getTopologyInfo", topoConf));
    Assert.assertFalse(authorizer.permit(outsider, "getTopologyInfo", topoConf));
}
return _nimbusUsers.size() == 0 || _nimbusUsers.contains(user) || checkUserGroupAllowed(userGroups, _nimbusGroups); if (checkUserGroupAllowed(userGroups, topoGroups)) return true;
/**
 * Verifies the per-list cluster ACLs: only the NIMBUS_USERS member may submit a topology,
 * the NIMBUS_ADMINS member may upload files and the NIMBUS_SUPERVISOR_USERS member may
 * download them.
 */
@Test
public void simpleAclNimbusUsersAuthTest() {
    Map<String, Object> clusterConf = ConfigUtils.readStormConfig();
    clusterConf.put(Config.NIMBUS_ADMINS, Collections.singletonList("admin"));
    clusterConf.put(Config.NIMBUS_SUPERVISOR_USERS, Collections.singletonList("supervisor"));
    clusterConf.put(Config.NIMBUS_USERS, Collections.singletonList("user-a"));

    SimpleACLAuthorizer authorizer = new SimpleACLAuthorizer();
    authorizer.prepare(clusterConf);

    final Map<String, Object> noTopoConf = Collections.emptyMap();
    ReqContext admin = new ReqContext(mkSubject("admin"));
    ReqContext supervisor = new ReqContext(mkSubject("supervisor"));
    ReqContext userA = new ReqContext(mkSubject("user-a"));
    ReqContext userB = new ReqContext(mkSubject("user-b"));

    assertTrue(authorizer.permit(userA, "submitTopology", noTopoConf));
    // user-b is on no list at all.
    assertFalse(authorizer.permit(userB, "submitTopology", noTopoConf));
    assertTrue(authorizer.permit(admin, "fileUpload", null));
    assertTrue(authorizer.permit(supervisor, "fileDownload", null));
}
clusterConf.put(Config.NIMBUS_SUPERVISOR_USERS, supervisorUserSet); IAuthorizer authorizer = new SimpleACLAuthorizer();
/**
 * Verifies NIMBUS_ADMINS_GROUPS with a FixedGroupsMapping: admin rights come from membership
 * in "admin-group", so "admin" may upload files while "not-admin" (mapped to another group)
 * and the unmapped "user-b" may not. NIMBUS_USERS and NIMBUS_SUPERVISOR_USERS behave as in
 * the user-list tests.
 */
@Test
public void simpleAclNimbusGroupsAuthTest() {
    // Static user -> groups mapping consumed by FixedGroupsMapping.
    Map<String, Object> groupsByUser = new HashMap<>();
    groupsByUser.put("admin", Collections.singleton("admin-group"));
    groupsByUser.put("not-admin", Collections.singleton("not-admin-group"));
    Map<String, Object> mappingParams = new HashMap<>();
    mappingParams.put(FixedGroupsMapping.STORM_FIXED_GROUP_MAPPING, groupsByUser);

    Map<String, Object> clusterConf = ConfigUtils.readStormConfig();
    clusterConf.put(Config.NIMBUS_ADMINS_GROUPS, Collections.singletonList("admin-group"));
    clusterConf.put(Config.NIMBUS_SUPERVISOR_USERS, Collections.singletonList("supervisor"));
    clusterConf.put(Config.NIMBUS_USERS, Collections.singletonList("user-a"));
    clusterConf.put(Config.STORM_GROUP_MAPPING_SERVICE_PROVIDER_PLUGIN, FixedGroupsMapping.class.getName());
    clusterConf.put(Config.STORM_GROUP_MAPPING_SERVICE_PARAMS, mappingParams);

    SimpleACLAuthorizer authorizer = new SimpleACLAuthorizer();
    authorizer.prepare(clusterConf);

    final Map<String, Object> noTopoConf = Collections.emptyMap();
    ReqContext admin = new ReqContext(mkSubject("admin"));
    ReqContext notAdmin = new ReqContext(mkSubject("not-admin"));
    ReqContext supervisor = new ReqContext(mkSubject("supervisor"));
    ReqContext userA = new ReqContext(mkSubject("user-a"));
    ReqContext userB = new ReqContext(mkSubject("user-b"));

    assertTrue(authorizer.permit(userA, "submitTopology", noTopoConf));
    assertFalse(authorizer.permit(userB, "submitTopology", noTopoConf));
    // Only membership in admin-group grants the admin-only operation.
    assertTrue(authorizer.permit(admin, "fileUpload", null));
    assertFalse(authorizer.permit(notAdmin, "fileUpload", null));
    assertFalse(authorizer.permit(userB, "fileUpload", null));
    assertTrue(authorizer.permit(supervisor, "fileDownload", null));
}
Subject readOnlyUser = createSubject("user-readonly"); IAuthorizer authorizer = new SimpleACLAuthorizer(); authorizer.prepare(clusterConf);
SimpleACLAuthorizer authorizer = new SimpleACLAuthorizer(); authorizer.prepare(clusterConf); assertTrue(authorizer.permit(userA, "submitTopology", empty)); assertTrue(authorizer.permit(userB, "submitTopology", empty)); assertTrue(authorizer.permit(admin, "submitTopology", empty)); assertFalse(authorizer.permit(supervisor, "submitTopology", empty)); assertTrue(authorizer.permit(userA, "fileUpload", null)); assertTrue(authorizer.permit(userB, "fileUpload", null)); assertTrue(authorizer.permit(admin, "fileUpload", null)); assertFalse(authorizer.permit(supervisor, "fileUpload", null)); assertTrue(authorizer.permit(userA, "getNimbusConf", null)); assertTrue(authorizer.permit(userB, "getNimbusConf", null)); assertTrue(authorizer.permit(admin, "getNimbusConf", null)); assertFalse(authorizer.permit(supervisor, "getNimbusConf", null)); assertTrue(authorizer.permit(userA, "getClusterInfo", null)); assertTrue(authorizer.permit(userB, "getClusterInfo", null)); assertTrue(authorizer.permit(admin, "getClusterInfo", null)); assertFalse(authorizer.permit(supervisor, "getClusterInfo", null)); assertFalse(authorizer.permit(userA, "fileDownload", null)); assertFalse(authorizer.permit(userB, "fileDownload", null)); assertTrue(authorizer.permit(admin, "fileDownload", null)); assertTrue(authorizer.permit(supervisor, "fileDownload", null)); assertTrue(authorizer.permit(userA, "killTopology", aAllowed));