pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationManager.java - pulsar - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.pulsar.broker.authorization;

 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.CompletableFuture;
 import static java.util.concurrent.TimeUnit.SECONDS;
 import static org.apache.pulsar.zookeeper.ZooKeeperCache.cacheTimeOutInSec;

 import org.apache.pulsar.broker.ServiceConfiguration;
 import org.apache.pulsar.broker.cache.ConfigurationCacheService;
 import org.apache.pulsar.common.naming.DestinationName;
 import org.apache.pulsar.common.policies.data.AuthAction;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 /**
  */
 public class AuthorizationManager {
     private static final Logger log = LoggerFactory.getLogger(AuthorizationManager.class);

     public final ServiceConfiguration conf;
     public final ConfigurationCacheService configCache;
     private static final String POLICY_ROOT = "/admin/policies/";

     public AuthorizationManager(ServiceConfiguration conf, ConfigurationCacheService configCache) {
         this.conf = conf;
         this.configCache = configCache;
     }

     /**
      * Check if the specified role has permission to send messages to the specified fully qualified destination name.
      *
      * @param destination
      *            the fully qualified destination name associated with the destination.
      * @param role
      *            the app id used to send messages to the destination.
      */
     public CompletableFuture<Boolean> canProduceAsync(DestinationName destination, String role) {
         return checkAuthorization(destination, role, AuthAction.produce);
     }

     public boolean canProduce(DestinationName destination, String role) throws Exception {
         try {
             return canProduceAsync(destination, role).get(cacheTimeOutInSec, SECONDS);
         } catch (InterruptedException e) {
             log.warn("Time-out {} sec while checking authorization on {} ", cacheTimeOutInSec, destination);
             throw e;
         } catch (Exception e) {
             log.warn("Producer-client  with Role - {} failed to get permissions for destination - {}", role,
                     destination, e);
             throw e;
         }
     }

     /**
      * Check if the specified role has permission to receive messages from the specified fully qualified destination
      * name.
      *
      * @param destination
      *            the fully qualified destination name associated with the destination.
      * @param role
      *            the app id used to receive messages from the destination.
      */
     public CompletableFuture<Boolean> canConsumeAsync(DestinationName destination, String role) {
         return checkAuthorization(destination, role, AuthAction.consume);
     }

     public boolean canConsume(DestinationName destination, String role) throws Exception {
         try {
             return canConsumeAsync(destination, role).get(cacheTimeOutInSec, SECONDS);
         } catch (InterruptedException e) {
             log.warn("Time-out {} sec while checking authorization on {} ", cacheTimeOutInSec, destination);
             throw e;
         } catch (Exception e) {
             log.warn("Consumer-client  with Role - {} failed to get permissions for destination - {}", role,
                     destination, e);
             throw e;
         }
     }

     /**
      * Check whether the specified role can perform a lookup for the specified destination.
      *
      * For that the caller needs to have producer or consumer permission.
      *
      * @param destination
      * @param role
      * @return
      * @throws Exception
      */
     public boolean canLookup(DestinationName destination, String role) throws Exception {
         return canProduce(destination, role) || canConsume(destination, role);
     }

     private CompletableFuture<Boolean> checkAuthorization(DestinationName destination, String role,
             AuthAction action) {
         if (isSuperUser(role)) {
             return CompletableFuture.completedFuture(true);
         } else {
             return checkPermission(destination, role, action)
                     .thenApply(isPermission -> isPermission && checkCluster(destination));
         }
     }

     private boolean checkCluster(DestinationName destination) {
         if (destination.isGlobal() || conf.getClusterName().equals(destination.getCluster())) {
             return true;
         } else {
             if (log.isDebugEnabled()) {
                 log.debug("Destination [{}] does not belong to local cluster [{}]", destination.toString(),
                         conf.getClusterName());
             }
             return false;
         }
     }

     public CompletableFuture<Boolean> checkPermission(DestinationName destination, String role, AuthAction action) {
         CompletableFuture<Boolean> permissionFuture = new CompletableFuture<>();
         try {
             configCache.policiesCache().getAsync(POLICY_ROOT + destination.getNamespace()).thenAccept(policies -> {
                 if (!policies.isPresent()) {
                     if (log.isDebugEnabled()) {
                         log.debug("Policies node couldn't be found for destination : {}", destination);
                     }
                 } else {
                     Map<String, Set<AuthAction>> namespaceRoles = policies.get().auth_policies.namespace_auth;
                     Set<AuthAction> namespaceActions = namespaceRoles.get(role);
                     if (namespaceActions != null && namespaceActions.contains(action)) {
                         // The role has namespace level permission
                         permissionFuture.complete(true);
                         return;
                     }

                     Map<String, Set<AuthAction>> destinationRoles = policies.get().auth_policies.destination_auth
                             .get(destination.toString());
                     if (destinationRoles != null) {
                         // Destination has custom policy
                         Set<AuthAction> destinationActions = destinationRoles.get(role);
                         if (destinationActions != null && destinationActions.contains(action)) {
                             // The role has destination level permission
                             permissionFuture.complete(true);
                             return;
                         }
                     }

                     // Using wildcard
                     if (conf.getAuthorizationAllowWildcardsMatching()) {
                         if (checkWildcardPermission(role, action, namespaceRoles)) {
                             // The role has namespace level permission by wildcard match
                             permissionFuture.complete(true);
                             return;
                         }

                         if (destinationRoles != null && checkWildcardPermission(role, action, destinationRoles)) {
                             // The role has destination level permission by wildcard match
                             permissionFuture.complete(true);
                             return;
                         }
                     }
                 }
                 permissionFuture.complete(false);
             }).exceptionally(ex -> {
                 log.warn("Client  with Role - {} failed to get permissions for destination - {}", role, destination,
                         ex);
                 permissionFuture.completeExceptionally(ex);
                 return null;
             });
         } catch (Exception e) {
             log.warn("Client  with Role - {} failed to get permissions for destination - {}", role, destination, e);
             permissionFuture.completeExceptionally(e);
         }
         return permissionFuture;
     }

     private boolean checkWildcardPermission(String checkedRole, AuthAction checkedAction,
             Map<String, Set<AuthAction>> permissionMap) {
         for (Map.Entry<String, Set<AuthAction>> permissionData : permissionMap.entrySet()) {
             String permittedRole = permissionData.getKey();
             Set<AuthAction> permittedActions = permissionData.getValue();

             // Prefix match
             if (permittedRole.charAt(permittedRole.length() - 1) == '*'
                     && checkedRole.startsWith(permittedRole.substring(0, permittedRole.length() - 1))
                     && permittedActions.contains(checkedAction)) {
                 return true;
             }

             // Suffix match
             if (permittedRole.charAt(0) == '*'
                     && checkedRole.endsWith(permittedRole.substring(1))
                     && permittedActions.contains(checkedAction)) {
                 return true;
             }
         }
         return false;
     }

     /**
      * Super user roles are allowed to do anything, used for replication primarily
      *
      * @param role
      *            the app id used to receive messages from the destination.
      */
     public boolean isSuperUser(String role) {
         Set<String> superUserRoles = conf.getSuperUserRoles();
         return role != null && superUserRoles.contains(role) ? true : false;
     }

 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.apache.pulsar.broker.authorization;

	import java.util.Map;
	import java.util.Set;
	import java.util.concurrent.CompletableFuture;
	import static java.util.concurrent.TimeUnit.SECONDS;
	import static org.apache.pulsar.zookeeper.ZooKeeperCache.cacheTimeOutInSec;

	import org.apache.pulsar.broker.ServiceConfiguration;
	import org.apache.pulsar.broker.cache.ConfigurationCacheService;
	import org.apache.pulsar.common.naming.DestinationName;
	import org.apache.pulsar.common.policies.data.AuthAction;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	/**
	*/
	public class AuthorizationManager {
	private static final Logger log = LoggerFactory.getLogger(AuthorizationManager.class);

	public final ServiceConfiguration conf;
	public final ConfigurationCacheService configCache;
	private static final String POLICY_ROOT = "/admin/policies/";

	public AuthorizationManager(ServiceConfiguration conf, ConfigurationCacheService configCache) {
	this.conf = conf;
	this.configCache = configCache;
	}

	/**
	* Check if the specified role has permission to send messages to the specified fully qualified destination name.
	*
	* @param destination
	* the fully qualified destination name associated with the destination.
	* @param role
	* the app id used to send messages to the destination.
	*/
	public CompletableFuture<Boolean> canProduceAsync(DestinationName destination, String role) {
	return checkAuthorization(destination, role, AuthAction.produce);
	}

	public boolean canProduce(DestinationName destination, String role) throws Exception {
	try {
	return canProduceAsync(destination, role).get(cacheTimeOutInSec, SECONDS);
	} catch (InterruptedException e) {
	log.warn("Time-out {} sec while checking authorization on {} ", cacheTimeOutInSec, destination);
	throw e;
	} catch (Exception e) {
	log.warn("Producer-client with Role - {} failed to get permissions for destination - {}", role,
	destination, e);
	throw e;
	}
	}

	/**
	* Check if the specified role has permission to receive messages from the specified fully qualified destination
	* name.
	*
	* @param destination
	* the fully qualified destination name associated with the destination.
	* @param role
	* the app id used to receive messages from the destination.
	*/
	public CompletableFuture<Boolean> canConsumeAsync(DestinationName destination, String role) {
	return checkAuthorization(destination, role, AuthAction.consume);
	}

	public boolean canConsume(DestinationName destination, String role) throws Exception {
	try {
	return canConsumeAsync(destination, role).get(cacheTimeOutInSec, SECONDS);
	} catch (InterruptedException e) {
	log.warn("Time-out {} sec while checking authorization on {} ", cacheTimeOutInSec, destination);
	throw e;
	} catch (Exception e) {
	log.warn("Consumer-client with Role - {} failed to get permissions for destination - {}", role,
	destination, e);
	throw e;
	}
	}

	/**
	* Check whether the specified role can perform a lookup for the specified destination.
	*
	* For that the caller needs to have producer or consumer permission.
	*
	* @param destination
	* @param role
	* @return
	* @throws Exception
	*/
	public boolean canLookup(DestinationName destination, String role) throws Exception {
	return canProduce(destination, role) \|\| canConsume(destination, role);
	}

	private CompletableFuture<Boolean> checkAuthorization(DestinationName destination, String role,
	AuthAction action) {
	if (isSuperUser(role)) {
	return CompletableFuture.completedFuture(true);
	} else {
	return checkPermission(destination, role, action)
	.thenApply(isPermission -> isPermission && checkCluster(destination));
	}
	}

	private boolean checkCluster(DestinationName destination) {
	if (destination.isGlobal() \|\| conf.getClusterName().equals(destination.getCluster())) {
	return true;
	} else {
	if (log.isDebugEnabled()) {
	log.debug("Destination [{}] does not belong to local cluster [{}]", destination.toString(),
	conf.getClusterName());
	}
	return false;
	}
	}

	public CompletableFuture<Boolean> checkPermission(DestinationName destination, String role, AuthAction action) {
	CompletableFuture<Boolean> permissionFuture = new CompletableFuture<>();
	try {
	configCache.policiesCache().getAsync(POLICY_ROOT + destination.getNamespace()).thenAccept(policies -> {
	if (!policies.isPresent()) {
	if (log.isDebugEnabled()) {
	log.debug("Policies node couldn't be found for destination : {}", destination);
	}
	} else {
	Map<String, Set<AuthAction>> namespaceRoles = policies.get().auth_policies.namespace_auth;
	Set<AuthAction> namespaceActions = namespaceRoles.get(role);
	if (namespaceActions != null && namespaceActions.contains(action)) {
	// The role has namespace level permission
	permissionFuture.complete(true);
	return;
	}

	Map<String, Set<AuthAction>> destinationRoles = policies.get().auth_policies.destination_auth
	.get(destination.toString());
	if (destinationRoles != null) {
	// Destination has custom policy
	Set<AuthAction> destinationActions = destinationRoles.get(role);
	if (destinationActions != null && destinationActions.contains(action)) {
	// The role has destination level permission
	permissionFuture.complete(true);
	return;
	}
	}

	// Using wildcard
	if (conf.getAuthorizationAllowWildcardsMatching()) {
	if (checkWildcardPermission(role, action, namespaceRoles)) {
	// The role has namespace level permission by wildcard match
	permissionFuture.complete(true);
	return;
	}

	if (destinationRoles != null && checkWildcardPermission(role, action, destinationRoles)) {
	// The role has destination level permission by wildcard match
	permissionFuture.complete(true);
	return;
	}
	}
	}
	permissionFuture.complete(false);
	}).exceptionally(ex -> {
	log.warn("Client with Role - {} failed to get permissions for destination - {}", role, destination,
	ex);
	permissionFuture.completeExceptionally(ex);
	return null;
	});
	} catch (Exception e) {
	log.warn("Client with Role - {} failed to get permissions for destination - {}", role, destination, e);
	permissionFuture.completeExceptionally(e);
	}
	return permissionFuture;
	}

	private boolean checkWildcardPermission(String checkedRole, AuthAction checkedAction,
	Map<String, Set<AuthAction>> permissionMap) {
	for (Map.Entry<String, Set<AuthAction>> permissionData : permissionMap.entrySet()) {
	String permittedRole = permissionData.getKey();
	Set<AuthAction> permittedActions = permissionData.getValue();

	// Prefix match
	if (permittedRole.charAt(permittedRole.length() - 1) == '*'
	&& checkedRole.startsWith(permittedRole.substring(0, permittedRole.length() - 1))
	&& permittedActions.contains(checkedAction)) {
	return true;
	}

	// Suffix match
	if (permittedRole.charAt(0) == '*'
	&& checkedRole.endsWith(permittedRole.substring(1))
	&& permittedActions.contains(checkedAction)) {
	return true;
	}
	}
	return false;
	}

	/**
	* Super user roles are allowed to do anything, used for replication primarily
	*
	* @param role
	* the app id used to receive messages from the destination.
	*/
	public boolean isSuperUser(String role) {
	Set<String> superUserRoles = conf.getSuperUserRoles();
	return role != null && superUserRoles.contains(role) ? true : false;
	}

	}