@Override protected boolean permitClientRequest(ReqContext context, String operation, Map<String, Object> params) { return permitClientOrInvocationRequest(context, params, "clientUsers"); }
private Boolean checkTopoPermission(String principal, String user, Set<String> userGroups, Map<String, Object> topoConf, String userConfigKey, String groupConfigKey) { Set<String> configuredUsers = new HashSet<>(); if (topoConf.containsKey(userConfigKey)) { configuredUsers.addAll((Collection<String>) topoConf.get(userConfigKey)); } if (configuredUsers.contains(principal) || configuredUsers.contains(user)) { return true; } Set<String> configuredGroups = new HashSet<>(); if (topoConf.containsKey(groupConfigKey) && topoConf.get(groupConfigKey) != null) { configuredGroups.addAll((Collection<String>) topoConf.get(groupConfigKey)); } return checkUserGroupAllowed(userGroups, configuredGroups); }
private Boolean checkTopoPermission(String principal, String user, Set<String> userGroups, Map<String, Object> topoConf, String userConfigKey, String groupConfigKey) { Set<String> configuredUsers = new HashSet<>(); if (topoConf.containsKey(userConfigKey)) { configuredUsers.addAll((Collection<String>) topoConf.get(userConfigKey)); } if (configuredUsers.contains(principal) || configuredUsers.contains(user)) { return true; } Set<String> configuredGroups = new HashSet<>(); if (topoConf.containsKey(groupConfigKey) && topoConf.get(groupConfigKey) != null) { configuredGroups.addAll((Collection<String>) topoConf.get(groupConfigKey)); } return checkUserGroupAllowed(userGroups, configuredGroups); }
/** * Authorizes request from to the DRPC server. * * @param context the client request context * @param operation the operation requested by the DRPC server * @param params a Map with any key-value entries of use to the authorization implementation */ @Override public boolean permit(ReqContext context, String operation, Map<String, Object> params) { if ("execute".equals(operation)) { return permitClientRequest(context, operation, params); } else if ("failRequest".equals(operation) || "fetchRequest".equals(operation) || "result".equals(operation)) { return permitInvocationRequest(context, operation, params); } // Deny unsupported operations. LOG.warn("Denying unsupported operation \"" + operation + "\" from " + context.remoteAddress()); return false; } }
@Test public void negativeWhitelistAuthroizationTest() { SimpleWhitelistAuthorizer auth = new SimpleWhitelistAuthorizer(); Map<String, Object> conf = ConfigUtils.readStormConfig(); auth.prepare(conf); ReqContext context = new ReqContext(mkSubject("user")); assertFalse(auth.permit(context, "activate", conf)); }
@Test public void SimpleACLNimbusUserAuthTest() { Map<String, Object> clusterConf = ConfigUtils.readStormConfig(); Collection<String> adminUserSet = new HashSet<>(Arrays.asList("admin")); Collection<String> supervisorUserSet = new HashSet<>(Arrays.asList("supervisor")); Collection<String> nimbusUserSet = new HashSet<>(Arrays.asList("user-a")); clusterConf.put(Config.NIMBUS_ADMINS, adminUserSet); clusterConf.put(Config.NIMBUS_SUPERVISOR_USERS, supervisorUserSet); clusterConf.put(Config.NIMBUS_USERS, nimbusUserSet); IAuthorizer authorizer = new SimpleACLAuthorizer(); Subject adminUser = createSubject("admin"); Subject supervisorUser = createSubject("supervisor"); Subject userA = createSubject("user-a"); Subject userB = createSubject("user-b"); authorizer.prepare(clusterConf); Assert.assertTrue(authorizer.permit(new ReqContext(userA), "submitTopology", new HashMap<>())); Assert.assertFalse(authorizer.permit(new ReqContext(userB), "submitTopology", new HashMap<>())); Assert.assertTrue(authorizer.permit(new ReqContext(adminUser), "fileUpload", new HashMap<>())); Assert.assertTrue(authorizer.permit(new ReqContext(supervisorUser), "fileDownload", new HashMap<>())); }
@Test public void test_invocation_authorization_permissive() { for (String operation : new String[]{ "fetchRequest", "failRequest", "result" }) { Assert.assertFalse("Deny " + operation + " to unauthorized user for correct function", isPermitted(permissiveHandler, bobContext, operation, function)); Assert.assertTrue("Allow " + operation + " to user for incorrect function when permissive", isPermitted(permissiveHandler, charlieContext, operation, wrongFunction)); Assert.assertTrue("allow " + operation + " to authorized user", isPermitted(permissiveHandler, charlieContext, operation, function)); } }
@Override public void prepare(Map<String, Object> conf) { userImpersonationACL = new HashMap<>(); Map<String, Map<String, List<String>>> userToHostAndGroup = (Map<String, Map<String, List<String>>>) conf.get(Config.NIMBUS_IMPERSONATION_ACL); if (userToHostAndGroup != null) { for (Map.Entry<String, Map<String, List<String>>> entry : userToHostAndGroup.entrySet()) { String user = entry.getKey(); Set<String> groups = ImmutableSet.copyOf(entry.getValue().get("groups")); Set<String> hosts = ImmutableSet.copyOf(entry.getValue().get("hosts")); userImpersonationACL.put(user, new ImpersonationACL(user, groups, hosts)); } } _ptol = ClientAuthUtils.getPrincipalToLocalPlugin(conf); _groupMappingProvider = ClientAuthUtils.getGroupMappingServiceProviderPlugin(conf); }
private Subject createSubject(String name) { Set<Principal> principalSet = new HashSet<>(); principalSet.add(createPrincipal(name)); return new Subject(true, principalSet, new HashSet(), new HashSet()); }
@BeforeClass public static void setup() { strictHandler = new DRPCSimpleACLAuthorizer(); strictHandler.prepare(ImmutableMap .of(Config.DRPC_AUTHORIZER_ACL_STRICT, true, Config.DRPC_AUTHORIZER_ACL_FILENAME, aclFile, Config.STORM_PRINCIPAL_TO_LOCAL_PLUGIN, KerberosPrincipalToLocal.class.getName())); permissiveHandler = new DRPCSimpleACLAuthorizer(); permissiveHandler.prepare(ImmutableMap .of(Config.DRPC_AUTHORIZER_ACL_STRICT, false, Config.DRPC_AUTHORIZER_ACL_FILENAME, aclFile, Config.STORM_PRINCIPAL_TO_LOCAL_PLUGIN, KerberosPrincipalToLocal.class.getName())); }
@Test public void testDeny() throws Exception { try (DRPC server = new DRPC(new StormMetricsRegistry(), new DenyAuthorizer(), 100)) { assertThrows(() -> server.executeBlocking("testing", "test"), AuthorizationException.class); assertThrows(() -> server.fetchRequest("testing"), AuthorizationException.class); } }
@Test public void positiveWhitelistAuthroizationTest() { SimpleWhitelistAuthorizer auth = new SimpleWhitelistAuthorizer(); Map<String, Object> conf = ConfigUtils.readStormConfig(); conf.put(SimpleWhitelistAuthorizer.WHITELIST_USERS_CONF, Arrays.asList("user")); auth.prepare(conf); ReqContext context = new ReqContext(mkSubject("user")); assertTrue(auth.permit(context, "activate", conf)); }
@Test public void SimpleACLTopologyReadOnlyGroupAuthTest() { Map<String, Object> clusterConf = ConfigUtils.readStormConfig(); clusterConf.put(Config.STORM_GROUP_MAPPING_SERVICE_PROVIDER_PLUGIN, SimpleACLTopologyReadOnlyGroupAuthTestMock.class.getName()); Map<String, Object> topoConf = new HashMap<>(); Collection<String> topologyReadOnlyGroupSet = new HashSet<>(Arrays.asList("group-readonly")); topoConf.put(Config.TOPOLOGY_READONLY_GROUPS, topologyReadOnlyGroupSet); Subject userInReadOnlyGroup = createSubject("user-in-readonly-group"); Subject userB = createSubject("user-b"); IAuthorizer authorizer = new SimpleACLAuthorizer(); authorizer.prepare(clusterConf); Assert.assertFalse(authorizer.permit(new ReqContext(userInReadOnlyGroup), "killTopology", topoConf)); Assert.assertFalse(authorizer.permit(new ReqContext(userB), "killTopology", topoConf)); Assert.assertTrue(authorizer.permit(new ReqContext(userInReadOnlyGroup), "getTopologyInfo", topoConf)); Assert.assertFalse(authorizer.permit(new ReqContext(userB), "getTopologyInfo", topoConf)); }
@Override protected boolean permitInvocationRequest(ReqContext context, String operation, Map<String, Object> params) { return permitClientOrInvocationRequest(context, params, "invocationUser"); }
@Test public void test_invocation_authorization_strict() { for (String operation : new String[]{ "fetchRequest", "failRequest", "result" }) { Assert.assertFalse("Deny " + operation + " to unauthorized user for correct function", isPermitted(strictHandler, aliceContext, operation, function)); Assert.assertFalse("Deny " + operation + " to user for incorrect function when strict", isPermitted(strictHandler, charlieContext, operation, wrongFunction)); Assert.assertTrue("allow " + operation + " to authorized user for correct function", isPermitted(strictHandler, charlieContext, operation, function)); } }
@Test public void test_deny_when_invalid_user_given() { Assert.assertFalse(isPermitted(strictHandler, Mockito.mock(ReqContext.class), "execute", function)); Assert.assertFalse(isPermitted(strictHandler, null, "execute", function)); Assert.assertFalse(isPermitted(permissiveHandler, Mockito.mock(ReqContext.class), "execute", function)); Assert.assertFalse(isPermitted(permissiveHandler, null, "execute", function)); }
@Test public void test_client_authorization_strict() { Assert.assertFalse("Deny execute to unauthroized user", isPermitted(strictHandler, ReqContext.context(), "execute", function)); Assert.assertFalse("Deny execute to valid user for incorrect function", isPermitted(strictHandler, aliceContext, "execute", wrongFunction)); Assert.assertTrue("Allow execute to authorized kerb user for correct function", isPermitted(strictHandler, aliceKerbContext, "execute", function)); Assert.assertTrue("Allow execute to authorized user for correct function", isPermitted(strictHandler, aliceContext, "execute", function)); }
@Test public void test_client_authorization_permissive() { Assert.assertFalse("deny execute to unauthorized user for correct function", isPermitted(permissiveHandler, ReqContext.context(), "execute", function)); Assert.assertTrue("allow execute for user for incorrect function when permissive", isPermitted(permissiveHandler, aliceContext, "execute", wrongFunction)); Assert.assertTrue("allow execute for user for incorrect function when permissive", isPermitted(permissiveHandler, aliceKerbContext, "execute", wrongFunction)); Assert.assertTrue("allow execute to authorized user for correct function", isPermitted(permissiveHandler, bobContext, "execute", function)); }
@Test public void test_partial_authorization() { Assert.assertFalse("Deny execute to unauthroized user", isPermitted(strictHandler, ReqContext.context(), "execute", partialFunction)); Assert.assertTrue("Allow execute to authorized kerb user for correct function", isPermitted(strictHandler, aliceKerbContext, "execute", partialFunction)); Assert.assertFalse("Deny fetchRequest to unauthorized user for correct function", isPermitted(strictHandler, aliceKerbContext, "fetchRequest", partialFunction)); }
@Test public void test_deny_when_no_function_given() { Assert.assertFalse(strictHandler.permit(aliceContext, "execute", new HashMap())); Assert.assertFalse(isPermitted(strictHandler, aliceContext, "execute", null)); Assert.assertFalse(permissiveHandler.permit(bobContext, "execute", new HashMap())); Assert.assertFalse(isPermitted(permissiveHandler, bobContext, "execute", null)); }