def test_authz_acls_required(kafka_client: client.KafkaClient,
kafka_server: dict,
kerberos: sdk_auth.KerberosEnvironment):
topic_name = "authz.test"
sdk_cmd.svc_cli(
kafka_server["package_name"],
kafka_server["service"]["name"],
"topic create {}".format(topic_name),
)
kafka_client.connect(kafka_server)
# Since no ACLs are specified, only the super user can read and write
for user in ["super"]:
log.info("Checking write / read permissions for user=%s", user)
write_success, read_successes, _ = kafka_client.can_write_and_read(
user, kafka_server, topic_name, kerberos)
assert write_success, "Write failed (user={})".format(user)
assert read_successes, ("Read failed (user={}): "
"MESSAGES={} "
"read_successes={}".format(
user, kafka_client.MESSAGES,
read_successes))
for user in ["authorized", "unauthorized"]:
log.info("Checking lack of write / read permissions for user=%s", user)
write_success, _, read_messages = kafka_client.can_write_and_read(
user, kafka_server, topic_name, kerberos)
assert not write_success, "Write not expected to succeed (user={})".format(
user)
assert auth.is_not_authorized(
read_messages), "Unauthorized expected (user={}".format(user)
log.info("Writing and reading: Adding acl for authorized user")
kafka_client.add_acls("authorized", kafka_server, topic_name)
# After adding ACLs the authorized user and super user should still have access to the topic.
for user in ["authorized", "super"]:
log.info("Checking write / read permissions for user=%s", user)
write_success, read_successes, _ = kafka_client.can_write_and_read(
user, kafka_server, topic_name, kerberos)
assert write_success, "Write failed (user={})".format(user)
assert read_successes, ("Read failed (user={}): "
"MESSAGES={} "
"read_successes={}".format(
user, kafka_client.MESSAGES,
read_successes))
for user in ["unauthorized"]:
log.info("Checking lack of write / read permissions for user=%s", user)
write_success, _, read_messages = kafka_client.can_write_and_read(
user, kafka_server, topic_name, kerberos)
assert not write_success, "Write not expected to succeed (user={})".format(
user)
assert auth.is_not_authorized(
read_messages), "Unauthorized expected (user={}".format(user)
def test_authn_client_can_read_and_write(kafka_client: client.KafkaClient,
service_account, setup_principals):
try:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
service_options = {
"service": {
"name": config.SERVICE_NAME,
"service_account": service_account["name"],
"service_account_secret": service_account["secret"],
"security": {
"transport_encryption": {
"enabled":
True,
"ciphers":
"TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
},
"ssl_authentication": {
"enabled": True
},
},
}
}
config.install(
config.PACKAGE_NAME,
config.SERVICE_NAME,
config.DEFAULT_BROKER_COUNT,
additional_options=service_options,
)
kafka_server = {
**service_options,
**{
"package_name": config.PACKAGE_NAME
}
}
topic_name = "tls.topic"
sdk_cmd.svc_cli(
kafka_server["package_name"],
kafka_server["service"]["name"],
"topic create {}".format(topic_name),
parse_json=True,
)
kafka_client.connect()
user = "******"
write_success, read_successes, _ = kafka_client.can_write_and_read(
user, topic_name)
assert write_success, "Write failed (user={})".format(user)
assert read_successes, ("Read failed (user={}): "
"MESSAGES={} "
"read_successes={}".format(
user, kafka_client.MESSAGES,
read_successes))
finally:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
def test_authn_client_can_read_and_write(kafka_client: client.KafkaClient,
service_account, setup_principals):
try:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
service_options = {
"service": {
"name": config.SERVICE_NAME,
"service_account": service_account["name"],
"service_account_secret": service_account["secret"],
"security": {
"transport_encryption": {
"enabled": True
},
"ssl_authentication": {
"enabled": True
}
}
}
}
config.install(config.PACKAGE_NAME,
config.SERVICE_NAME,
config.DEFAULT_BROKER_COUNT,
additional_options=service_options)
kafka_server = {
**service_options,
**{
"package_name": config.PACKAGE_NAME
}
}
topic_name = "tls.topic"
sdk_cmd.svc_cli(kafka_server["package_name"],
kafka_server["service"]["name"],
"topic create {}".format(topic_name),
json=True)
kafka_client.connect(kafka_server)
user = "******"
write_success, read_successes, _ = kafka_client.can_write_and_read(
user, kafka_server, topic_name, None)
assert write_success, "Write failed (user={})".format(user)
assert read_successes, "Read failed (user={}): " \
"MESSAGES={} " \
"read_successes={}".format(user,
kafka_client.MESSAGES,
read_successes)
finally:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
def test_client_can_read_and_write(kafka_client: client.KafkaClient,
kafka_server, kerberos):
topic_name = "authn.test"
sdk_cmd.svc_cli(kafka_server["package_name"],
kafka_server["service"]["name"],
"topic create {}".format(topic_name),
json=True)
kafka_client.connect(kafka_server)
user = "******"
write_success, read_successes, _ = kafka_client.can_write_and_read(
user, kafka_server, topic_name, kerberos)
assert write_success, "Write failed (user={})".format(user)
assert read_successes, "Read failed (user={}): " \
"MESSAGES={} " \
"read_successes={}".format(user,
kafka_client.MESSAGES,
read_successes)
def test_authz_acls_required(kafka_client: client.KafkaClient, kerberos,
service_account, setup_principals):
try:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
service_options = {
"service": {
"name": config.SERVICE_NAME,
"service_account": service_account["name"],
"service_account_secret": service_account["secret"],
"security": {
"kerberos": {
"enabled": True,
"kdc": {
"hostname": kerberos.get_host(),
"port": int(kerberos.get_port())
},
"realm": kerberos.get_realm(),
"keytab_secret": kerberos.get_keytab_path(),
},
"transport_encryption": {
"enabled":
True,
"ciphers":
"TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
},
"authorization": {
"enabled": True,
"super_users": "User:{}".format("super")
},
},
}
}
config.install(
config.PACKAGE_NAME,
config.SERVICE_NAME,
config.DEFAULT_BROKER_COUNT,
additional_options=service_options,
)
kafka_server = {
**service_options,
**{
"package_name": config.PACKAGE_NAME
}
}
topic_name = "authz.test"
sdk_cmd.svc_cli(
kafka_server["package_name"],
kafka_server["service"]["name"],
"topic create {}".format(topic_name),
parse_json=True,
)
kafka_client.connect()
# Clear the ACLs
kafka_client.remove_acls("authorized", topic_name)
# Since no ACLs are specified, only the super user can read and write
for user in ["super"]:
log.info("Checking write / read permissions for user=%s", user)
write_success, read_successes, _ = kafka_client.can_write_and_read(
user, topic_name)
assert write_success, "Write failed (user={})".format(user)
assert read_successes, ("Read failed (user={}): "
"MESSAGES={} "
"read_successes={}".format(
user, kafka_client.MESSAGES,
read_successes))
for user in ["authorized", "unauthorized"]:
log.info("Checking lack of write / read permissions for user=%s",
user)
write_success, _, read_messages = kafka_client.can_write_and_read(
user, topic_name)
assert not write_success, "Write not expected to succeed (user={})".format(
user)
assert auth.is_not_authorized(
read_messages), "Unauthorized expected (user={}".format(user)
log.info("Writing and reading: Adding acl for authorized user")
kafka_client.add_acls("authorized", topic_name)
# After adding ACLs the authorized user and super user should still have access to the topic.
for user in ["authorized", "super"]:
log.info("Checking write / read permissions for user=%s", user)
write_success, read_successes, _ = kafka_client.can_write_and_read(
user, topic_name)
assert write_success, "Write failed (user={})".format(user)
assert read_successes, ("Read failed (user={}): "
"MESSAGES={} "
"read_successes={}".format(
user, kafka_client.MESSAGES,
read_successes))
for user in ["unauthorized"]:
log.info("Checking lack of write / read permissions for user=%s",
user)
write_success, _, read_messages = kafka_client.can_write_and_read(
user, topic_name)
assert not write_success, "Write not expected to succeed (user={})".format(
user)
assert auth.is_not_authorized(
read_messages), "Unauthorized expected (user={}".format(user)
finally:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
def test_authz_acls_not_required(kafka_client: client.KafkaClient,
zookeeper_server, kerberos):
try:
zookeeper_dns = sdk_networks.get_endpoint(
zookeeper_server["package_name"],
zookeeper_server["service"]["name"], "clientport")["dns"]
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
service_options = {
"service": {
"name": config.SERVICE_NAME,
"security": {
"kerberos": {
"enabled": True,
"enabled_for_zookeeper": True,
"kdc": {
"hostname": kerberos.get_host(),
"port": int(kerberos.get_port())
},
"realm": kerberos.get_realm(),
"keytab_secret": kerberos.get_keytab_path(),
},
"authorization": {
"enabled": True,
"super_users": "User:{}".format("super"),
"allow_everyone_if_no_acl_found": True,
},
},
},
"kafka": {
"kafka_zookeeper_uri": ",".join(zookeeper_dns)
},
}
config.install(
config.PACKAGE_NAME,
config.SERVICE_NAME,
config.DEFAULT_BROKER_COUNT,
additional_options=service_options,
)
kafka_server = {
**service_options,
**{
"package_name": config.PACKAGE_NAME
}
}
topic_name = "authz.test"
sdk_cmd.svc_cli(
kafka_server["package_name"],
kafka_server["service"]["name"],
"topic create {}".format(topic_name),
)
kafka_client.connect(kafka_server)
# Clear the ACLs
kafka_client.remove_acls("authorized", kafka_server, topic_name)
# Since no ACLs are specified, all users can read and write.
for user in ["authorized", "unauthorized", "super"]:
log.info("Checking write / read permissions for user=%s", user)
write_success, read_successes, _ = kafka_client.can_write_and_read(
user, kafka_server, topic_name, kerberos)
assert write_success, "Write failed (user={})".format(user)
assert read_successes, ("Read failed (user={}): "
"MESSAGES={} "
"read_successes={}".format(
user, kafka_client.MESSAGES,
read_successes))
log.info("Writing and reading: Adding acl for authorized user")
kafka_client.add_acls("authorized", kafka_server, topic_name)
# After adding ACLs the authorized user and super user should still have access to the topic.
for user in ["authorized", "super"]:
log.info("Checking write / read permissions for user=%s", user)
write_success, read_successes, _ = kafka_client.can_write_and_read(
user, kafka_server, topic_name, kerberos)
assert write_success, "Write failed (user={})".format(user)
assert read_successes, ("Read failed (user={}): "
"MESSAGES={} "
"read_successes={}".format(
user, kafka_client.MESSAGES,
read_successes))
for user in ["unauthorized"]:
log.info("Checking lack of write / read permissions for user=%s",
user)
write_success, _, read_messages = kafka_client.can_write_and_read(
user, kafka_server, topic_name, kerberos)
assert not write_success, "Write not expected to succeed (user={})".format(
user)
assert auth.is_not_authorized(
read_messages), "Unauthorized expected (user={}".format(user)
finally:
# Ensure that we clean up the ZK state.
kafka_client.remove_acls("authorized", kafka_server, topic_name)
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
def test_authz_acls_required(kafka_client: client.KafkaClient, service_account, setup_principals):
try:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
service_options = {
"service": {
"name": config.SERVICE_NAME,
"service_account": service_account["name"],
"service_account_secret": service_account["secret"],
"security": {
"transport_encryption": {"enabled": True},
"ssl_authentication": {"enabled": True},
"authorization": {"enabled": True, "super_users": "User:{}".format("super")},
},
}
}
config.install(
config.PACKAGE_NAME,
config.SERVICE_NAME,
config.DEFAULT_BROKER_COUNT,
additional_options=service_options,
)
kafka_server = {**service_options, **{"package_name": config.PACKAGE_NAME}}
topic_name = "authz.test"
sdk_cmd.svc_cli(
kafka_server["package_name"],
kafka_server["service"]["name"],
"topic create {}".format(topic_name),
)
kafka_client.connect(kafka_server)
# Since no ACLs are specified, only the super user can read and write
for user in ["super"]:
log.info("Checking write / read permissions for user=%s", user)
write_success, read_successes, _ = kafka_client.can_write_and_read(
user, kafka_server, topic_name, None
)
assert write_success, "Write failed (user={})".format(user)
assert read_successes, (
"Read failed (user={}): "
"MESSAGES={} "
"read_successes={}".format(user, kafka_client.MESSAGES, read_successes)
)
for user in ["authorized", "unauthorized"]:
log.info("Checking lack of write / read permissions for user=%s", user)
write_success, _, read_messages = kafka_client.can_write_and_read(
user, kafka_server, topic_name, None
)
assert not write_success, "Write not expected to succeed (user={})".format(user)
assert auth.is_not_authorized(read_messages), "Unauthorized expected (user={}".format(
user
)
log.info("Writing and reading: Adding acl for authorized user")
kafka_client.add_acls("authorized", kafka_server, topic_name)
# After adding ACLs the authorized user and super user should still have access to the topic.
for user in ["authorized", "super"]:
log.info("Checking write / read permissions for user=%s", user)
write_success, read_successes, _ = kafka_client.can_write_and_read(
user, kafka_server, topic_name, None
)
assert write_success, "Write failed (user={})".format(user)
assert read_successes, (
"Read failed (user={}): "
"MESSAGES={} "
"read_successes={}".format(user, kafka_client.MESSAGES, read_successes)
)
for user in ["unauthorized"]:
log.info("Checking lack of write / read permissions for user=%s", user)
write_success, _, read_messages = kafka_client.can_write_and_read(
user, kafka_server, topic_name, None
)
assert not write_success, "Write not expected to succeed (user={})".format(user)
assert auth.is_not_authorized(read_messages), "Unauthorized expected (user={}".format(
user
)
finally:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)