Adding authorization capabilities to DoctorKafka (#143)
Showing
11 changed files
with
237 additions
and
8 deletions.
|
@@ -39,6 +39,4 @@ protected KafkaBroker checkAndGetBroker(String clusterName, String brokerId) { | |
return broker; | ||
} | ||
|
||
|
||
|
||
} | ||
} |
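--- /dev/null
+++ b/drkafka/src/main/java/com/pinterest/doctorkafka/security/DrKafkaAuthorizationFilter.java
@@ -0,0 +1,17 @@
+package com.pinterest.doctorkafka.security;
+
+import javax.ws.rs.container.ContainerRequestFilter;
+
+import com.pinterest.doctorkafka.config.DoctorKafkaConfig;
+
+/**
+ * This extends JAX-RS containter request filter for authorization.
+ *
+ * Please refer to https://docs.oracle.com/javaee/7/api/javax/ws/rs/container/ContainerRequestFilter.html
+ * for more details on how {@link ContainerRequestFilter} works
+ */
+public interface DrKafkaAuthorizationFilter extends ContainerRequestFilter {
+
+  public void configure(DoctorKafkaConfig config) throws Exception;
+
+}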
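Review bot: `configure(DoctorKafkaConfig)` carries no Javadoc, so an implementer cannot tell from this interface when it is invoked relative to `filter`, whether it runs once or per request, or what a thrown `Exception` should mean to the server; from the sample implementation in this commit it appears to be called once with the server config before requests are served, but that is not stated here. Suggest documenting the contract on the method, e.g. `/** Called once with the server configuration before this filter sees any request; throw to abort startup if the configuration is unusable. */`. It would also help to state on the interface whether implementations are expected to install a {@code SecurityContext} for every request, including unauthenticated ones, since the sample does so and resources calling `getUserPrincipal()` depend on that behaviour.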
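--- /dev/null
+++ b/drkafka/src/main/java/com/pinterest/doctorkafka/security/DrKafkaSecurityContext.java
@@ -0,0 +1,44 @@
+package com.pinterest.doctorkafka.security;
+
+import java.security.Principal;
+import java.util.Set;
+
+import javax.ws.rs.core.SecurityContext;
+
+public class DrKafkaSecurityContext implements SecurityContext {
+
+  private static final String DR_KAFKA_AUTH = "drkauth";
+  private UserPrincipal principal;
+  private Set<String> roles;
+
+  public DrKafkaSecurityContext(UserPrincipal principal, Set<String> roles) {
+    this.principal = principal;
+    this.roles = roles;
+  }
+
+  @Override
+  public Principal getUserPrincipal() {
+    return principal;
+  }
+
+  @Override
+  public boolean isUserInRole(String role) {
+    return roles.contains(role);
+  }
+
+  @Override
+  public boolean isSecure() {
+    return true;
+  }
+
+  @Override
+  public String getAuthenticationScheme() {
+    return DR_KAFKA_AUTH;
+  }
+
+  @Override
+  public String toString() {
+    return "DrKafkaSecurityContext [principal=" + principal + ", roles=" + roles + "]";
+  }
+
+}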
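Review bot: `isSecure()` returns `true` unconditionally, but the JAX-RS `SecurityContext` contract defines it as whether the request arrived over a secure channel such as HTTPS; any resource or later filter that gates sensitive operations on `isSecure()` will be told the transport is secure even when the server is reached over plain HTTP. The value should come from the request rather than be hardcoded — for example the filter can pass in `requestContext.getSecurityContext().isSecure()` from the container's own context and this class can store it in a `boolean secure` field and `return secure;`. Separately, the constructor stores the caller's `roles` set by reference and `isUserInRole` dereferences it without a null check; the sample filter passes a shared mutable static set, so a defensive, unmodifiable copy such as `this.roles = roles == null ? Collections.emptySet() : Collections.unmodifiableSet(new HashSet<>(roles));` (adding the `java.util` imports) would keep one request's context from affecting others.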
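--- /dev/null
+++ b/drkafka/src/main/java/com/pinterest/doctorkafka/security/SampleAuthorizationFilter.java
@@ -0,0 +1,66 @@
+package com.pinterest.doctorkafka.security;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import javax.annotation.Priority;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.ext.Provider;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import com.pinterest.doctorkafka.config.DoctorKafkaConfig;
+
+import jersey.repackaged.com.google.common.collect.Sets;
+import jersey.repackaged.com.google.common.collect.Sets.SetView;
+
+/**
+ * This is a sample implementation of {@link DrKafkaAuthorizationFilter}
+ */
+@Provider
+@Priority(1000)
+public class SampleAuthorizationFilter implements DrKafkaAuthorizationFilter {
+
+  private static final Logger LOG = LogManager.getLogger(SampleAuthorizationFilter.class);
+  private static final String GROUPS_HEADER = "GROUPS";
+  private static final String USER_HEADER = "USER";
+  private Set<String> allowedAdminGroups = new HashSet<>();
+  private static final Set<String> ADMIN_ROLE_SET = new HashSet<>(
+      Arrays.asList(DoctorKafkaConfig.DRKAFKA_ADMIN_ROLE));
+  private static final Set<String> EMPTY_ROLE_SET = new HashSet<>();
+
+  @Override
+  public void configure(DoctorKafkaConfig config) throws Exception {
+    List<String> drKafkaAdminGroups = config.getDrKafkaAdminGroups();
+    if (drKafkaAdminGroups != null) {
+      allowedAdminGroups.addAll(drKafkaAdminGroups);
+      LOG.info("Following groups will be allowed admin access:" + allowedAdminGroups);
+    }
+  }
+
+  @Override
+  public void filter(ContainerRequestContext requestContext) throws IOException {
+    String userHeader = requestContext.getHeaderString(USER_HEADER);
+    String groupsHeader = requestContext.getHeaderString(GROUPS_HEADER);
+    DrKafkaSecurityContext ctx = null;
+    if (userHeader != null && groupsHeader != null) {
+      Set<String> userGroups = new HashSet<>(Arrays.asList(groupsHeader.split(",")));
+      SetView<String> intersection = Sets.intersection(allowedAdminGroups, userGroups);
+      if (intersection.size() > 0) {
+        ctx = new DrKafkaSecurityContext(new UserPrincipal(userHeader), ADMIN_ROLE_SET);
+        requestContext.setSecurityContext(ctx);
+        LOG.info("Received authenticated request, created context:" + ctx);
+        return;
+      }
+    }
+
+    ctx = new DrKafkaSecurityContext(new UserPrincipal(userHeader), EMPTY_ROLE_SET);
+    requestContext.setSecurityContext(ctx);
+    LOG.info("Received annonymous request, bypassing authorizer");
+  }
+
+}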
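Review bot: The admin decision in `filter` rests entirely on the client-supplied `USER` and `GROUPS` request headers read via `requestContext.getHeaderString(...)`; nothing in this class verifies them, so any caller that can reach the API directly can set `GROUPS` to a configured admin group and be granted `DRKAFKA_ADMIN_ROLE`. That is only safe behind a trusted proxy or auth gateway that authenticates the caller, sets these headers itself and strips any client-supplied copies, and the class Javadoc says only "sample implementation" without this warning — suggest adding to it: `Trusts the USER and GROUPS request headers as-is; deploy only behind a proxy that authenticates the caller and overwrites these headers, stripping client-supplied values, otherwise any client can claim an admin group.` The log lines are also misleading: the filter performs no authentication, so "Received authenticated request" and "bypassing authorizer" describe something the code does not do, and the second path builds `new UserPrincipal(userHeader)` with a possibly null header. A minor robustness point is that `groupsHeader.split(",")` does not trim, so a header like `ops, admins` will not match the configured group `admins`.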
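--- /dev/null
+++ b/drkafka/src/main/java/com/pinterest/doctorkafka/security/UserPrincipal.java
@@ -0,0 +1,23 @@
+package com.pinterest.doctorkafka.security;
+
+import java.security.Principal;
+
+public class UserPrincipal implements Principal {
+
+  private String username;
+
+  public UserPrincipal(String username) {
+    this.username = username;
+  }
+
+  @Override
+  public String getName() {
+    return username;
+  }
+
+  @Override
+  public String toString() {
+    return "UserPrincipal [username=" + username + "]";
+  }
+
+}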
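Review bot: `username` is a mutable field on a class that represents an identity handed to authorization checks, and its nullability is undocumented even though the sample filter in this commit constructs `new UserPrincipal(userHeader)` with a null header for anonymous requests, so `getName()` can return null. Suggest `private final String username;` and a constructor Javadoc such as `/** @param username caller name as supplied by the authorization filter; may be null for anonymous requests */` so that consumers of `getName()` know to null-check. If instances are ever compared or used as map keys, `equals`/`hashCode` would also be needed, but nothing visible here does that yet.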