src/main/java/org/onap/dmaap/kafkaAuthorize/KafkaCustomAuthorizer.java

   1 /*******************************************************************************
   2  *  ============LICENSE_START=======================================================
   3  *  org.onap.dmaap
   4  *  ================================================================================
   5  *  Copyright © 2017 AT&T Intellectual Property. All rights reserved.
   6  *  ================================================================================
   7  *  Licensed under the Apache License, Version 2.0 (the "License");
   8  *  you may not use this file except in compliance with the License.
   9  *  You may obtain a copy of the License at
  10  *        http://www.apache.org/licenses/LICENSE-2.0
  11 *
  12  *  Unless required by applicable law or agreed to in writing, software
  13  *  distributed under the License is distributed on an "AS IS" BASIS,
  14  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  15  *  See the License for the specific language governing permissions and
  16  *  limitations under the License.
  17  *  ============LICENSE_END=========================================================
  18  *
  19  *
  20  *******************************************************************************/
  21 package org.onap.dmaap.kafkaAuthorize;
  22
  23 import java.util.Map;
  24
  25 import org.apache.kafka.common.security.auth.KafkaPrincipal;
  26 import org.slf4j.Logger;
  27 import org.slf4j.LoggerFactory;
  28
  29 import org.onap.aaf.cadi.PropAccess;
  30 import org.onap.dmaap.commonauth.kafka.base.authorization.AuthorizationProviderFactory;
  31 import kafka.network.RequestChannel.Session;
  32 import kafka.security.auth.Acl;
  33 import kafka.security.auth.Authorizer;
  34 import kafka.security.auth.Operation;
  35 import kafka.security.auth.Resource;
  36 import scala.collection.immutable.Set;
  37
  38 /**
  39  * A trivial Kafka Authorizer for use with SSL and AAF
  40  * Authentication/Authorization.
  41  *
  42  */
  43 public class KafkaCustomAuthorizer implements Authorizer {
  44         private PropAccess access;
  45         private static final Logger logger = LoggerFactory.getLogger(KafkaCustomAuthorizer.class);
  46
  47         // I'm assuming this is called BEFORE any usage...
  48         @Override
  49         public void configure(final Map<String, ?> arg0) {
  50                 // TODO Auto-generate method stub
  51         }
  52
  53         @Override
  54         public void addAcls(final Set<Acl> arg0, final Resource arg1) {
  55                 // TODO Auto-generated method stub
  56
  57         }
  58
  59         @Override
  60         public boolean authorize(final Session arg0, final Operation arg1, final Resource arg2) {
  61                 if (arg0.principal() == null) {
  62                         return false;
  63                 }
  64
  65                 String fullName = arg0.principal().getName();
  66                 fullName = fullName != null ? fullName.trim() : fullName;
  67                 String topicName = null;
  68                 String namspace = null;
  69                 String ins = null;
  70                 String type = null;
  71                 String action = null;
  72
  73                 String kafkaactivity = arg1.name();
  74
  75                 if (kafkaactivity.equals("Read")) {
  76                         action = "sub";
  77                 } else if (kafkaactivity.equals("Write")) {
  78                         action = "pub";
  79                 } else if (kafkaactivity.equals("Create")) {
  80                         action = "create";
  81                 } else {
  82                         return true;
  83                 }
  84
  85                 if (arg2.resourceType().name().equals("Topic")) {
  86                         topicName = arg2.name();
  87                 } else {
  88                         return true;
  89                 }
  90
  91                 try {
  92
  93                         if (null != topicName && topicName.indexOf(".") > 0) {
  94
  95                                 if (action.equals("create")) {
  96                                         String instancePart = (System.getenv("msgRtr.topicfactory.aaf") != null)
  97                                                         ? System.getenv("msgRtr.topicfactory.aaf")
  98                                                         : "org.onap.dmaap.mr.topicFactory|:org.onap.dmaap.mr.topic:";
  99                                         String[] instandType = (instancePart + namspace + "|create").split("|");
 100                                         ins = instandType[0];
 101                                         type = instandType[1];
 102                                 } else if (action.equals("pub") || action.equals("sub")) {
 103                                         namspace = topicName.substring(0, topicName.lastIndexOf("."));
 104                                         String instancePart = (System.getenv("pubSubInstPart") != null) ? System.getenv("pubSubInstPart")
 105                                                         : ".topic";
 106                                         ins = namspace + instancePart;
 107                                         type = ":topic." + topicName;
 108                                 }
 109                                 logger.info("^Event Received for topic " + topicName + " , User " + fullName + " , action = " + action);
 110                         }
 111
 112                         if (null != fullName && fullName.equals("admin")) {
 113                                 return true;
 114                         }
 115
 116                         if (null != topicName) {
 117                                 boolean hasResp = AuthorizationProviderFactory.getProviderFactory().getProvider()
 118                                                 .hasPermission(fullName, ins, type, action);
 119                                 if (hasResp) {
 120                                         logger.info("Successful Authorization for " + fullName + " on " + topicName + " for " + ins + "|"
 121                                                         + type + "|" + action);
 122                                 }
 123                                 if (!hasResp) {
 124                                         logger.info(fullName + " is not allowed in " + ins + "|" + type + "|" + action);
 125                                         return false;
 126                                 }
 127                         }
 128                 } catch (final Exception e) {
 129                         return false;
 130                 }
 131                 return true;
 132         }
 133
 134         @Override
 135         public void close() {
 136                 // TODO Auto-generated method stub
 137
 138         }
 139
 140         @Override
 141         public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls() {
 142                 // TODO Auto-generated method stub
 143                 return null;
 144         }
 145
 146         @Override
 147         public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls(final KafkaPrincipal arg0) {
 148                 // TODO Auto-generated method stub
 149                 return null;
 150         }
 151
 152         @Override
 153         public boolean removeAcls(final Resource arg0) {
 154                 // TODO Auto-generated method stub
 155                 return false;
 156         }
 157
 158         @Override
 159         public boolean removeAcls(final Set<Acl> arg0, final Resource arg1) {
 160                 // TODO Auto-generated method stub
 161                 return false;
 162         }
 163
 164         public Set<Acl> getAcls(Resource arg0) {
 165                 // TODO Auto-generated method stub
 166                 return null;
 167         }
 168 }