src/main/java/org/onap/dmaap/kafkaAuthorize/KafkaCustomAuthorizer.java

   1 /*******************************************************************************
   2  *  ============LICENSE_START=======================================================
   3  *  org.onap.dmaap
   4  *  ================================================================================
   5  *  Copyright © 2017 AT&T Intellectual Property. All rights reserved.
   6  *  ================================================================================
   7  *  Licensed under the Apache License, Version 2.0 (the "License");
   8  *  you may not use this file except in compliance with the License.
   9  *  You may obtain a copy of the License at
  10  *        http://www.apache.org/licenses/LICENSE-2.0
  11 *
  12  *  Unless required by applicable law or agreed to in writing, software
  13  *  distributed under the License is distributed on an "AS IS" BASIS,
  14  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  15  *  See the License for the specific language governing permissions and
  16  *  limitations under the License.
  17  *  ============LICENSE_END=========================================================
  18  *
  19  *
  20  *******************************************************************************/
  21 package org.onap.dmaap.kafkaAuthorize;
  22
  23 import java.util.Map;
  24
  25 import org.apache.kafka.common.security.auth.KafkaPrincipal;
  26 import org.slf4j.Logger;
  27 import org.slf4j.LoggerFactory;
  28
  29 import org.onap.aaf.cadi.PropAccess;
  30 import org.onap.dmaap.commonauth.kafka.base.authorization.AuthorizationProviderFactory;
  31 import kafka.network.RequestChannel.Session;
  32 import kafka.security.auth.Acl;
  33 import kafka.security.auth.Authorizer;
  34 import kafka.security.auth.Operation;
  35 import kafka.security.auth.Resource;
  36 import scala.collection.immutable.Set;
  37
  38 /**
  39  * A trivial Kafka Authorizer for use with SSL and AAF
  40  * Authentication/Authorization.
  41  *
  42  */
  43 public class KafkaCustomAuthorizer implements Authorizer {
  44         private PropAccess access;
  45         private static final Logger logger = LoggerFactory.getLogger(KafkaCustomAuthorizer.class);
  46
  47         // I'm assuming this is called BEFORE any usage...
  48         @Override
  49         public void configure(final Map<String, ?> arg0) {
  50                 // TODO Auto-generate method stub
  51         }
  52
  53         @Override
  54         public void addAcls(final Set<Acl> arg0, final Resource arg1) {
  55                 // TODO Auto-generated method stub
  56
  57         }
  58
  59         @Override
  60         public boolean authorize(final Session arg0, final Operation arg1, final Resource arg2) {
  61                 if (arg0.principal() == null) {
  62                         return false;
  63                 }
  64
  65                 String fullName = arg0.principal().getName();
  66                 fullName = fullName != null ? fullName.trim() : fullName;
  67                 String topicName = null;
  68                 String namspace = null;
  69                 String ins = null;
  70                 String type = null;
  71                 String action = null;
  72
  73                 String kafkaactivity = arg1.name();
  74
  75                 if (kafkaactivity.equals("Read")) {
  76                         action = "sub";
  77                 } else if (kafkaactivity.equals("Write")) {
  78                         action = "pub";
  79                 } else if (kafkaactivity.equals("Describe")) {
  80                         return true;
  81                 }
  82                 if (arg2.resourceType().name().equals("Topic")) {
  83                         topicName = arg2.name();
  84                 } else {
  85                         return true;
  86                 }
  87
  88                 try {
  89
  90                         if (null != topicName && topicName.indexOf(".") > 0) {
  91                                 namspace = topicName.substring(0, topicName.lastIndexOf("."));
  92                                 ins = namspace + ".topic";
  93                                 type = ":topic." + topicName;
  94                                 logger.info("^Event Received for topic " + topicName + " , User " + fullName + " , action = " + action);
  95                         }
  96
  97                         if (null != fullName && fullName.equals("admin")) {
  98                                 return true;
  99                         }
 100
 101                         if (null != topicName) {
 102                                 boolean hasResp = AuthorizationProviderFactory.getProviderFactory().getProvider()
 103                                                 .hasPermission(fullName, ins, type, action);
 104                                 if (hasResp) {
 105                                         logger.info("Successful Authorization for " + fullName + " on " + topicName + " for " + ins + "|"
 106                                                         + type + "|" + action);
 107                                 }
 108                                 if (!hasResp) {
 109                                         logger.info(fullName + " is not allowed in " + ins + "|" + type + "|" + action);
 110                                         throw new Exception(fullName + " is not allowed in " + ins + "|" + type + "|" + action);
 111                                 }
 112                         }
 113                 } catch (final Exception e) {
 114                         return false;
 115                 }
 116                 return true;
 117         }
 118
 119         @Override
 120         public void close() {
 121                 // TODO Auto-generated method stub
 122
 123         }
 124
 125         @Override
 126         public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls() {
 127                 // TODO Auto-generated method stub
 128                 return null;
 129         }
 130
 131         @Override
 132         public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls(final KafkaPrincipal arg0) {
 133                 // TODO Auto-generated method stub
 134                 return null;
 135         }
 136
 137         @Override
 138         public boolean removeAcls(final Resource arg0) {
 139                 // TODO Auto-generated method stub
 140                 return false;
 141         }
 142
 143         @Override
 144         public boolean removeAcls(final Set<Acl> arg0, final Resource arg1) {
 145                 // TODO Auto-generated method stub
 146                 return false;
 147         }
 148
 149         public Set<Acl> getAcls(Resource arg0) {
 150                 // TODO Auto-generated method stub
 151                 return null;
 152         }
 153 }