def test_authz_acls_not_required(kafka_client: client.KafkaClient, kafka_server: dict, kerberos: sdk_auth.KerberosEnvironment): topic_name = "authz.test" sdk_cmd.svc_cli( kafka_server["package_name"], kafka_server["service"]["name"], "topic create {}".format(topic_name), ) kafka_client.connect() # Since no ACLs are specified, all users can read and write. kafka_client.check_users_can_read_and_write( ["authorized", "unauthorized", "super"], topic_name) log.info("Writing and reading: Adding acl for authorized user") kafka_client.add_acls("authorized", topic_name) # After adding ACLs the authorized user and super user should still have access to the topic. kafka_client.check_users_can_read_and_write(["authorized", "super"], topic_name) kafka_client.check_users_are_not_authorized_to_read_and_write( ["unauthorized"], topic_name)
def test_authz_acls_not_required(kafka_client: client.KafkaClient, kerberos, service_account, setup_principals): try: sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME) service_options = { "service": { "name": config.SERVICE_NAME, "service_account": service_account["name"], "service_account_secret": service_account["secret"], "security": { "kerberos": { "enabled": True, "kdc": { "hostname": kerberos.get_host(), "port": int(kerberos.get_port()) }, "realm": kerberos.get_realm(), "keytab_secret": kerberos.get_keytab_path(), }, "transport_encryption": { "enabled": True }, "authorization": { "enabled": True, "super_users": "User:{}".format("super"), "allow_everyone_if_no_acl_found": True, }, }, } } config.install( config.PACKAGE_NAME, config.SERVICE_NAME, config.DEFAULT_BROKER_COUNT, additional_options=service_options, ) topic_name = "authz.test" kafka_client.connect(config.DEFAULT_BROKER_COUNT) kafka_client.create_topic(topic_name) # Clear the ACLs kafka_client.remove_acls("authorized", topic_name) # Since no ACLs are specified, all users can read and write. kafka_client.check_users_can_read_and_write( ["authorized", "unauthorized", "super"], topic_name) log.info("Writing and reading: Adding acl for authorized user") kafka_client.add_acls("authorized", topic_name) # After adding ACLs the authorized user and super user should still have access to the topic. kafka_client.check_users_can_read_and_write(["authorized", "super"], topic_name) kafka_client.check_users_are_not_authorized_to_read_and_write( ["unauthorized"], topic_name) finally: sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
def permission_test(c: client.KafkaClient, topic_name: str): # Since no ACLs are specified, all users can read and write. c.check_users_can_read_and_write( ["authorized", "unauthorized", "super"], topic_name) log.info("Writing and reading: Adding acl for authorized user") c.add_acls("authorized", topic_name) # After adding ACLs the authorized user and super user should still have access to the topic. c.check_users_can_read_and_write(["authorized", "super"], topic_name) c.check_users_are_not_authorized_to_read_and_write(["unauthorized"], topic_name)
def test_authz_acls_required(kafka_client: client.KafkaClient, service_account, setup_principals): try: sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME) service_options = { "service": { "name": config.SERVICE_NAME, "service_account": service_account["name"], "service_account_secret": service_account["secret"], "security": { "transport_encryption": { "enabled": True }, "ssl_authentication": { "enabled": True }, "authorization": { "enabled": True, "super_users": "User:{}".format("super") }, }, } } config.install( config.PACKAGE_NAME, config.SERVICE_NAME, config.DEFAULT_BROKER_COUNT, additional_options=service_options, ) topic_name = "authz.test" kafka_client.connect(config.DEFAULT_BROKER_COUNT) kafka_client.create_topic(topic_name) # Since no ACLs are specified, only the super user can read and write kafka_client.check_users_can_read_and_write(["super"], topic_name) kafka_client.check_users_are_not_authorized_to_read_and_write( ["authorized", "unauthorized"], topic_name) log.info("Writing and reading: Adding acl for authorized user") kafka_client.add_acls("authorized", topic_name) # After adding ACLs the authorized user and super user should still have access to the topic. kafka_client.check_users_can_read_and_write(["authorized", "super"], topic_name) kafka_client.check_users_are_not_authorized_to_read_and_write( ["unauthorized"], topic_name) finally: sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
def test_authz_acls_not_required(kafka_client: client.KafkaClient): topic_name = "authz.test" kafka_client.create_topic(topic_name) # Since no ACLs are specified, all users can read and write. kafka_client.check_users_can_read_and_write( ["authorized", "unauthorized", "super"], topic_name) log.info("Writing and reading: Adding acl for authorized user") kafka_client.add_acls("authorized", topic_name) # After adding ACLs the authorized user and super user should still have access to the topic. kafka_client.check_users_can_read_and_write(["authorized", "super"], topic_name) kafka_client.check_users_are_not_authorized_to_read_and_write( ["unauthorized"], topic_name)
def permission_test(c: client.KafkaClient, topic_name: str): # Setup topic with cleared acls kafka_client.create_topic(TOPIC_NAME) kafka_client.remove_acls("authorized", TOPIC_NAME) # Since no ACLs are specified, only the super user can read and write c.check_users_can_read_and_write(["super"], topic_name) c.check_users_are_not_authorized_to_read_and_write( ["authorized", "unauthorized"], topic_name) log.info("Writing and reading: Adding acl for authorized user") c.add_acls("authorized", topic_name) # After adding ACLs the authorized user and super user should still have access to the topic. c.check_users_can_read_and_write(["authorized", "super"], topic_name) c.check_users_are_not_authorized_to_read_and_write(["unauthorized"], topic_name)