def test_authn_client_can_read_and_write(kafka_client: client.KafkaClient,
service_account, setup_principals):
try:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
service_options = {
"service": {
"name": config.SERVICE_NAME,
"service_account": service_account["name"],
"service_account_secret": service_account["secret"],
"security": {
"transport_encryption": {
"enabled": True
},
"ssl_authentication": {
"enabled": True
},
},
}
}
config.install(
config.PACKAGE_NAME,
config.SERVICE_NAME,
config.DEFAULT_BROKER_COUNT,
additional_options=service_options,
)
topic_name = "tls.topic"
kafka_client.connect(config.DEFAULT_BROKER_COUNT)
kafka_client.create_topic(topic_name)
kafka_client.check_users_can_read_and_write(["kafka-tester"],
topic_name)
finally:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
def test_authz_acls_not_required(kafka_client: client.KafkaClient,
kafka_server: dict,
kerberos: sdk_auth.KerberosEnvironment):
topic_name = "authz.test"
sdk_cmd.svc_cli(
kafka_server["package_name"],
kafka_server["service"]["name"],
"topic create {}".format(topic_name),
)
kafka_client.connect()
# Since no ACLs are specified, all users can read and write.
kafka_client.check_users_can_read_and_write(
["authorized", "unauthorized", "super"], topic_name)
log.info("Writing and reading: Adding acl for authorized user")
kafka_client.add_acls("authorized", topic_name)
# After adding ACLs the authorized user and super user should still have access to the topic.
kafka_client.check_users_can_read_and_write(["authorized", "super"],
topic_name)
kafka_client.check_users_are_not_authorized_to_read_and_write(
["unauthorized"], topic_name)
def test_authz_acls_not_required(kafka_client: client.KafkaClient, kerberos,
service_account, setup_principals):
try:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
service_options = {
"service": {
"name": config.SERVICE_NAME,
"service_account": service_account["name"],
"service_account_secret": service_account["secret"],
"security": {
"kerberos": {
"enabled": True,
"kdc": {
"hostname": kerberos.get_host(),
"port": int(kerberos.get_port())
},
"realm": kerberos.get_realm(),
"keytab_secret": kerberos.get_keytab_path(),
},
"transport_encryption": {
"enabled": True
},
"authorization": {
"enabled": True,
"super_users": "User:{}".format("super"),
"allow_everyone_if_no_acl_found": True,
},
},
}
}
config.install(
config.PACKAGE_NAME,
config.SERVICE_NAME,
config.DEFAULT_BROKER_COUNT,
additional_options=service_options,
)
topic_name = "authz.test"
kafka_client.connect(config.DEFAULT_BROKER_COUNT)
kafka_client.create_topic(topic_name)
# Clear the ACLs
kafka_client.remove_acls("authorized", topic_name)
# Since no ACLs are specified, all users can read and write.
kafka_client.check_users_can_read_and_write(
["authorized", "unauthorized", "super"], topic_name)
log.info("Writing and reading: Adding acl for authorized user")
kafka_client.add_acls("authorized", topic_name)
# After adding ACLs the authorized user and super user should still have access to the topic.
kafka_client.check_users_can_read_and_write(["authorized", "super"],
topic_name)
kafka_client.check_users_are_not_authorized_to_read_and_write(
["unauthorized"], topic_name)
finally:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
def test_forward_kerberos_off_tls_on_plaintext_off(kafka_client: client.KafkaClient):
update_options = {"service": {"security": {"kerberos": {"enabled": False}}}}
update_service(config.PACKAGE_NAME, config.SERVICE_NAME, update_options)
with pytest.raises(AssertionError):
kafka_client._is_tls = False
kafka_client.connect(config.DEFAULT_BROKER_COUNT)
kafka_client._is_tls = True
assert kafka_client.connect(config.DEFAULT_BROKER_COUNT)
kafka_client.check_users_can_read_and_write([TLS_USER], TOPIC_NAME)
def permission_test(c: client.KafkaClient, topic_name: str):
# Since no ACLs are specified, all users can read and write.
c.check_users_can_read_and_write(
["authorized", "unauthorized", "super"], topic_name)
log.info("Writing and reading: Adding acl for authorized user")
c.add_acls("authorized", topic_name)
# After adding ACLs the authorized user and super user should still have access to the topic.
c.check_users_can_read_and_write(["authorized", "super"], topic_name)
c.check_users_are_not_authorized_to_read_and_write(["unauthorized"],
topic_name)
def test_client_can_read_and_write(kafka_client: client.KafkaClient,
kafka_server, kerberos):
topic_name = "tls.topic"
sdk_cmd.svc_cli(
kafka_server["package_name"],
kafka_server["service"]["name"],
"topic create {}".format(topic_name),
)
kafka_client.connect()
kafka_client.check_users_can_read_and_write(["client"], topic_name)
def test_authz_acls_required(kafka_client: client.KafkaClient, service_account,
setup_principals):
try:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
service_options = {
"service": {
"name": config.SERVICE_NAME,
"service_account": service_account["name"],
"service_account_secret": service_account["secret"],
"security": {
"transport_encryption": {
"enabled": True
},
"ssl_authentication": {
"enabled": True
},
"authorization": {
"enabled": True,
"super_users": "User:{}".format("super")
},
},
}
}
config.install(
config.PACKAGE_NAME,
config.SERVICE_NAME,
config.DEFAULT_BROKER_COUNT,
additional_options=service_options,
)
topic_name = "authz.test"
kafka_client.connect(config.DEFAULT_BROKER_COUNT)
kafka_client.create_topic(topic_name)
# Since no ACLs are specified, only the super user can read and write
kafka_client.check_users_can_read_and_write(["super"], topic_name)
kafka_client.check_users_are_not_authorized_to_read_and_write(
["authorized", "unauthorized"], topic_name)
log.info("Writing and reading: Adding acl for authorized user")
kafka_client.add_acls("authorized", topic_name)
# After adding ACLs the authorized user and super user should still have access to the topic.
kafka_client.check_users_can_read_and_write(["authorized", "super"],
topic_name)
kafka_client.check_users_are_not_authorized_to_read_and_write(
["unauthorized"], topic_name)
finally:
sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
def test_reverse_kerberos_on_tls_on_plaintext_on(kerberized_kafka_client: client.KafkaClient):
update_options = {
"service": {
"security": {"transport_encryption": {"enabled": True, "allow_plaintext": True}}
}
}
update_service(config.PACKAGE_NAME, config.SERVICE_NAME, update_options)
kerberized_kafka_client._is_tls = False
assert kerberized_kafka_client.connect(config.DEFAULT_BROKER_COUNT)
kerberized_kafka_client.check_users_can_read_and_write([TLS_USER], TOPIC_NAME)
kerberized_kafka_client._is_tls = True
assert kerberized_kafka_client.connect(config.DEFAULT_BROKER_COUNT)
kerberized_kafka_client.check_users_can_read_and_write([TLS_USER], TOPIC_NAME)
def test_authz_acls_not_required(kafka_client: client.KafkaClient):
topic_name = "authz.test"
kafka_client.create_topic(topic_name)
# Since no ACLs are specified, all users can read and write.
kafka_client.check_users_can_read_and_write(
["authorized", "unauthorized", "super"], topic_name)
log.info("Writing and reading: Adding acl for authorized user")
kafka_client.add_acls("authorized", topic_name)
# After adding ACLs the authorized user and super user should still have access to the topic.
kafka_client.check_users_can_read_and_write(["authorized", "super"],
topic_name)
kafka_client.check_users_are_not_authorized_to_read_and_write(
["unauthorized"], topic_name)
def permission_test(c: client.KafkaClient, topic_name: str):
# Setup topic with cleared acls
kafka_client.create_topic(TOPIC_NAME)
kafka_client.remove_acls("authorized", TOPIC_NAME)
# Since no ACLs are specified, only the super user can read and write
c.check_users_can_read_and_write(["super"], topic_name)
c.check_users_are_not_authorized_to_read_and_write(
["authorized", "unauthorized"], topic_name)
log.info("Writing and reading: Adding acl for authorized user")
c.add_acls("authorized", topic_name)
# After adding ACLs the authorized user and super user should still have access to the topic.
c.check_users_can_read_and_write(["authorized", "super"], topic_name)
c.check_users_are_not_authorized_to_read_and_write(["unauthorized"],
topic_name)
def test_forward_kerberos_on_tls_off_plaintext_off(
kerberized_kafka_client: client.KafkaClient, kerberos: sdk_auth.KerberosEnvironment
):
update_options = {
"service": {
"security": {
"kerberos": {
"enabled": True,
"kdc": {"hostname": kerberos.get_host(), "port": int(kerberos.get_port())},
"realm": kerberos.get_realm(),
"keytab_secret": kerberos.get_keytab_path(),
}
}
}
}
update_service(config.PACKAGE_NAME, config.SERVICE_NAME, update_options)
assert kerberized_kafka_client.connect(config.DEFAULT_BROKER_COUNT)
kerberized_kafka_client.check_users_can_read_and_write([TLS_USER], TOPIC_NAME)
def test_client_can_read_and_write(kafka_client: client.KafkaClient):
topic_name = "authn.test"
kafka_client.create_topic(topic_name)
kafka_client.check_users_can_read_and_write(["client"], topic_name)
def test_topic_write_and_read_over_tls(kafka_client: client.KafkaClient):
kafka_client.check_users_can_read_and_write([TLS_USER],
config.DEFAULT_TOPIC_NAME)
def test_initial_kerberos_off_tls_off_plaintext_off(kafka_client: client.KafkaClient):
assert kafka_client.connect(config.DEFAULT_BROKER_COUNT)
kafka_client.create_topic(TOPIC_NAME)
kafka_client.check_users_can_read_and_write(["default"], TOPIC_NAME)