You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by lh...@apache.org on 2024/01/26 22:54:39 UTC
(pulsar) 05/11: [fix][test] ProxyWithoutServiceDiscoveryTest should enable authz (#20348)
This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a commit to branch branch-3.0
in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit d510b1d1013c86c62ccdb2d9671dd0e560ab2c48
Author: Michael Marshall <mm...@apache.org>
AuthorDate: Thu May 18 13:13:13 2023 -0500
[fix][test] ProxyWithoutServiceDiscoveryTest should enable authz (#20348)
(cherry picked from commit 2ebb3797c3f371c3ca22cbc8002a8110e3e3fa47)
---
.../server/ProxyWithoutServiceDiscoveryTest.java | 52 +++++++++++-----------
1 file changed, 25 insertions(+), 27 deletions(-)
diff --git a/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithoutServiceDiscoveryTest.java b/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithoutServiceDiscoveryTest.java
index d47d09b8b85..ec1412b021d 100644
--- a/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithoutServiceDiscoveryTest.java
+++ b/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithoutServiceDiscoveryTest.java
@@ -54,13 +54,6 @@ import org.testng.collections.Maps;
public class ProxyWithoutServiceDiscoveryTest extends ProducerConsumerBase {
private static final Logger log = LoggerFactory.getLogger(ProxyWithoutServiceDiscoveryTest.class);
-
- private final String TLS_TRUST_CERT_FILE_PATH = "./src/test/resources/authentication/tls/cacert.pem";
- private final String TLS_SERVER_CERT_FILE_PATH = "./src/test/resources/authentication/tls/server-cert.pem";
- private final String TLS_SERVER_KEY_FILE_PATH = "./src/test/resources/authentication/tls/server-key.pem";
- private final String TLS_CLIENT_CERT_FILE_PATH = "./src/test/resources/authentication/tls/client-cert.pem";
- private final String TLS_CLIENT_KEY_FILE_PATH = "./src/test/resources/authentication/tls/client-key.pem";
-
private ProxyService proxyService;
private ProxyConfiguration proxyConfig = new ProxyConfiguration();
@@ -73,22 +66,27 @@ public class ProxyWithoutServiceDiscoveryTest extends ProducerConsumerBase {
// enable tls and auth&auth at broker
conf.setAuthenticationEnabled(true);
- conf.setAuthorizationEnabled(false);
+ conf.setAuthorizationEnabled(true);
conf.setBrokerServicePortTls(Optional.of(0));
conf.setWebServicePortTls(Optional.of(0));
- conf.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
- conf.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
- conf.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
- conf.setTlsAllowInsecureConnection(true);
+ conf.setTlsTrustCertsFilePath(CA_CERT_FILE_PATH);
+ conf.setTlsCertificateFilePath(BROKER_CERT_FILE_PATH);
+ conf.setTlsKeyFilePath(BROKER_KEY_FILE_PATH);
Set<String> superUserRoles = new HashSet<>();
- superUserRoles.add("superUser");
+ superUserRoles.add("admin");
+ superUserRoles.add("superproxy");
conf.setSuperUserRoles(superUserRoles);
+ Set<String> proxyRoles = new HashSet<>();
+ proxyRoles.add("superproxy");
+ conf.setProxyRoles(proxyRoles);
+
+ conf.setBrokerClientTlsEnabled(true);
conf.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName());
- conf.setBrokerClientAuthenticationParameters(
- "tlsCertFile:" + TLS_CLIENT_CERT_FILE_PATH + "," + "tlsKeyFile:" + TLS_SERVER_KEY_FILE_PATH);
+ conf.setBrokerClientAuthenticationParameters(String.format("tlsCertFile:%s,tlsKeyFile:%s",
+ getTlsFileForClient("admin.cert"), getTlsFileForClient("admin.key-pk8")));
Set<String> providers = new HashSet<>();
providers.add(AuthenticationProviderTls.class.getName());
@@ -113,14 +111,14 @@ public class ProxyWithoutServiceDiscoveryTest extends ProducerConsumerBase {
proxyConfig.setTlsEnabledWithBroker(true);
// enable tls and auth&auth at proxy
- proxyConfig.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
- proxyConfig.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
- proxyConfig.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
+ proxyConfig.setTlsCertificateFilePath(PROXY_CERT_FILE_PATH);
+ proxyConfig.setTlsKeyFilePath(PROXY_KEY_FILE_PATH);
+ proxyConfig.setTlsTrustCertsFilePath(CA_CERT_FILE_PATH);
proxyConfig.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName());
- proxyConfig.setBrokerClientAuthenticationParameters(
- "tlsCertFile:" + TLS_CLIENT_CERT_FILE_PATH + "," + "tlsKeyFile:" + TLS_CLIENT_KEY_FILE_PATH);
- proxyConfig.setBrokerClientTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
+ proxyConfig.setBrokerClientAuthenticationParameters(String.format("tlsCertFile:%s,tlsKeyFile:%s",
+ getTlsFileForClient("superproxy.cert"), getTlsFileForClient("superproxy.key-pk8")));
+ proxyConfig.setBrokerClientTrustCertsFilePath(CA_CERT_FILE_PATH);
proxyConfig.setAuthenticationProviders(providers);
@@ -140,7 +138,7 @@ public class ProxyWithoutServiceDiscoveryTest extends ProducerConsumerBase {
/**
* <pre>
- * It verifies e2e tls + Authentication + Authorization (client -> proxy -> broker>
+ * It verifies e2e tls + Authentication + Authorization (client -> proxy -> broker)
*
* 1. client connects to proxy over tls and pass auth-data
* 2. proxy authenticate client and retrieve client-role
@@ -157,8 +155,8 @@ public class ProxyWithoutServiceDiscoveryTest extends ProducerConsumerBase {
log.info("-- Starting {} test --", methodName);
Map<String, String> authParams = Maps.newHashMap();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
Authentication authTls = new AuthenticationTls();
authTls.configure(authParams);
// create a client which connects to proxy over tls and pass authData
@@ -201,10 +199,10 @@ public class ProxyWithoutServiceDiscoveryTest extends ProducerConsumerBase {
}
protected final PulsarClient createPulsarClient(Authentication auth, String lookupUrl) throws Exception {
- admin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrlTls.toString()).tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH)
- .allowTlsInsecureConnection(true).authentication(auth).build());
+ admin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrlTls.toString()).tlsTrustCertsFilePath(CA_CERT_FILE_PATH)
+ .authentication(auth).build());
return PulsarClient.builder().serviceUrl(lookupUrl).statsInterval(0, TimeUnit.SECONDS)
- .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(true).authentication(auth)
+ .tlsTrustCertsFilePath(CA_CERT_FILE_PATH).authentication(auth)
.enableTls(true).build();
}