From 7b2a14c0d7faaca16f46d2c10cca89080ef66d1d Mon Sep 17 00:00:00 2001 
From: Michael Marshall Date: Wed, 15 Feb 2023 23:05:03 -0600 Subject: [PATCH] [improve][broker] Require authRole is proxyRole to set originalPrincipal (#19455) Co-authored-by: Lari Hotari (cherry picked from commit aa63a5567a9e5d466b311a54d5dcc2cb05c2b5cd) --- .../authorization/AuthorizationService.java | 67 ++++++++++++------ .../admin/impl/PersistentTopicsBase.java | 2 +- .../pulsar/broker/service/ServerCnx.java | 31 +------- .../pulsar/broker/web/PulsarWebResource.java | 27 +++---- .../pulsar/broker/auth/AuthorizationTest.java | 41 ++++++++++- .../pulsar/broker/service/ServerCnxTest.java | 4 ++ .../impl/AdminApiKeyStoreTlsAuthTest.java | 22 +++--- .../pulsar/client/impl/KeyStoreTlsTest.java | 8 +-- .../keystoretls/broker.keystore.jks | Bin 3723 -> 2254 bytes .../keystoretls/broker.truststore.jks | Bin 838 -> 969 bytes .../broker.truststore.nopassword.jks | Bin 0 -> 969 bytes .../keystoretls/client.keystore.jks | Bin 3726 -> 2257 bytes .../keystoretls/client.truststore.jks | Bin 838 -> 971 bytes .../client.truststore.nopassword.jks | Bin 0 -> 971 bytes .../proxy-and-client.truststore.jks | Bin 0 -> 1891 bytes .../keystoretls/proxy.keystore.jks | Bin 0 -> 2245 bytes .../keystoretls/proxy.truststore.jks | Bin 0 -> 971 bytes ...roxyAuthenticatedProducerConsumerTest.java | 44 ++++++++---- .../server/ProxyWithAuthorizationNegTest.java | 2 + .../server/ProxyWithJwtAuthorizationTest.java | 13 ++-- 20 files changed, 160 insertions(+), 101 deletions(-) create mode 100644 pulsar-broker/src/test/resources/authentication/keystoretls/broker.truststore.nopassword.jks create mode 100644 pulsar-broker/src/test/resources/authentication/keystoretls/client.truststore.nopassword.jks create mode 100644 pulsar-broker/src/test/resources/authentication/keystoretls/proxy-and-client.truststore.jks create mode 100644 pulsar-broker/src/test/resources/authentication/keystoretls/proxy.keystore.jks create mode 100644 
pulsar-broker/src/test/resources/authentication/keystoretls/proxy.truststore.jks
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java
index 3baaf57990a9a6..05f146e8953888 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java
@@ -19,10 +19,10 @@
 package org.apache.pulsar.broker.authorization;
 import static java.util.concurrent.TimeUnit.SECONDS;
+import java.net.SocketAddress;
 import java.util.Set;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutionException;
-import javax.ws.rs.core.Response;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.pulsar.broker.PulsarServerException;
 import org.apache.pulsar.broker.ServiceConfiguration;
@@ -37,7 +37,6 @@
 import org.apache.pulsar.common.policies.data.TenantInfo;
 import org.apache.pulsar.common.policies.data.TenantOperation;
 import org.apache.pulsar.common.policies.data.TopicOperation;
-import org.apache.pulsar.common.util.FutureUtil;
 import org.apache.pulsar.common.util.RestException;
 import org.apache.pulsar.metadata.api.MetadataStoreException;
 import org.slf4j.Logger;
@@ -293,19 +292,39 @@ public CompletableFuture allowSinkOpsAsync(NamespaceName namespaceName,
 return provider.allowSinkOpsAsync(namespaceName, role, authenticationData);
 }
- private static void validateOriginalPrincipal(Set proxyRoles, String authenticatedPrincipal,
- String originalPrincipal) {
- if (proxyRoles.contains(authenticatedPrincipal)) {
- // Request has come from a proxy
+ public boolean isValidOriginalPrincipal(String authenticatedPrincipal,
+ String originalPrincipal,
+ AuthenticationDataSource authDataSource) {
+ SocketAddress remoteAddress = authDataSource != null ? authDataSource.getPeerAddress() : null;
+ return isValidOriginalPrincipal(authenticatedPrincipal, originalPrincipal, remoteAddress);
+ }
+
+ /**
+ * Validates that the authenticatedPrincipal and the originalPrincipal are a valid combination.
+ * Valid combinations fulfill the following rule: the authenticatedPrincipal is in
+ * {@link ServiceConfiguration#getProxyRoles()}, if, and only if, the originalPrincipal is set to a role
+ * that is not also in {@link ServiceConfiguration#getProxyRoles()}.
+ * @return true when roles are a valid combination and false when roles are an invalid combination
+ */
+ public boolean isValidOriginalPrincipal(String authenticatedPrincipal,
+ String originalPrincipal,
+ SocketAddress remoteAddress) {
+ String errorMsg = null;
+ if (conf.getProxyRoles().contains(authenticatedPrincipal)) {
 if (StringUtils.isBlank(originalPrincipal)) {
- log.warn("Original principal empty in request authenticated as {}", authenticatedPrincipal);
- throw new RestException(Response.Status.UNAUTHORIZED, "Original principal cannot be empty if the "
- + "request is via proxy.");
- }
- if (proxyRoles.contains(originalPrincipal)) {
- log.warn("Original principal {} cannot be a proxy role ({})", originalPrincipal, proxyRoles);
- throw new RestException(Response.Status.UNAUTHORIZED, "Original principal cannot be a proxy role");
+ errorMsg = "originalPrincipal must be provided when connecting with a proxy role.";
+ } else if (conf.getProxyRoles().contains(originalPrincipal)) {
+ errorMsg = "originalPrincipal cannot be a proxy role.";
 }
+ } else if (StringUtils.isNotBlank(originalPrincipal)) {
+ errorMsg = "cannot specify originalPrincipal when connecting without valid proxy role.";
+ }
+ if (errorMsg != null) {
+ log.warn("[{}] Illegal combination of role [{}] and originalPrincipal [{}]: {}", remoteAddress,
+ authenticatedPrincipal, originalPrincipal, errorMsg);
+ return false;
+ } else {
+ return true;
 }
 }
@@ -340,7 +359,9 @@ public CompletableFuture allowTenantOperationAsync(String tenantName,
 String originalRole,
 String role,
 AuthenticationDataSource authData) {
- validateOriginalPrincipal(conf.getProxyRoles(), role, originalRole);
+ if (!isValidOriginalPrincipal(role, originalRole, authData)) {
+ return CompletableFuture.completedFuture(false);
+ }
 if (isProxyRole(role)) {
 CompletableFuture isRoleAuthorizedFuture = allowTenantOperationAsync(
 tenantName, operation, role, authData);
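Review bot: `conf.getProxyRoles().contains(authenticatedPrincipal)` on the first line of the new `SocketAddress` overload is reachable with a null `authenticatedPrincipal`, and the new AuthorizationTest declares the null/null and null/"" combinations valid; that holds only if the configured set tolerates null lookups, which `Collections.singleton` in the test does but a null-hostile implementation (TreeSet, Set.of) would not, and what `getProxyRoles()` returns is not visible in this hunk. A null-safe guard makes the documented contract independent of the set type: `if (authenticatedPrincipal != null && conf.getProxyRoles().contains(authenticatedPrincipal)) {`, and the test could pin it by also exercising a default-constructed `ServiceConfiguration` without `setProxyRoles`. The same `contains` call existed in the removed `validateOriginalPrincipal`, so this is inherited rather than introduced. The `AuthenticationDataSource` overload above the Javadoc'd one has no documentation; a one-liner saying it only extracts the peer address for the warn log and delegates would do.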
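Review bot: An invalid role/originalPrincipal combination now completes the future with `false`, where the removed `validateOriginalPrincipal` threw a 401 `RestException`; callers of `allowTenantOperationAsync` that surfaced that exception as UNAUTHORIZED will now report the request as merely not permitted, and the only remaining trace of the distinction is the warn log inside `isValidOriginalPrincipal`. If that downgrade is intended, a comment at the early return would save the next reader a trip through history: `// An invalid role combination is reported as "not authorized"; the reason is logged by isValidOriginalPrincipal.` The same early return is added in allowNamespaceOperationAsync, allowNamespacePolicyOperationAsync, allowTopicPolicyOperationAsync and allowTopicOperationAsync. allowTenantOperationAsync continues past the end of the hunk.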
@@ -396,7 +417,9 @@ public CompletableFuture allowNamespaceOperationAsync(NamespaceName nam
 String originalRole,
 String role,
 AuthenticationDataSource authData) {
- validateOriginalPrincipal(conf.getProxyRoles(), role, originalRole);
+ if (!isValidOriginalPrincipal(role, originalRole, authData)) {
+ return CompletableFuture.completedFuture(false);
+ }
 if (isProxyRole(role)) {
 CompletableFuture isRoleAuthorizedFuture = allowNamespaceOperationAsync(
 namespaceName, operation, role, authData);
@@ -438,7 +461,9 @@ public CompletableFuture allowNamespacePolicyOperationAsync(NamespaceNa
 String originalRole,
 String role,
 AuthenticationDataSource authData) {
- validateOriginalPrincipal(conf.getProxyRoles(), role, originalRole);
+ if (!isValidOriginalPrincipal(role, originalRole, authData)) {
+ return CompletableFuture.completedFuture(false);
+ }
 if (isProxyRole(role)) {
 CompletableFuture isRoleAuthorizedFuture = allowNamespacePolicyOperationAsync(
 namespaceName, policy, operation, role, authData);
@@ -495,10 +520,8 @@ public CompletableFuture allowTopicPolicyOperationAsync(TopicName topic
 String originalRole,
 String role,
 AuthenticationDataSource authData) {
- try {
- validateOriginalPrincipal(conf.getProxyRoles(), role, originalRole);
- } catch (RestException e) {
- return FutureUtil.failedFuture(e);
+ if (!isValidOriginalPrincipal(role, originalRole, authData)) {
+ return CompletableFuture.completedFuture(false);
 }
 if (isProxyRole(role)) {
 CompletableFuture isRoleAuthorizedFuture = allowTopicPolicyOperationAsync(
@@ -582,7 +605,9 @@ public CompletableFuture allowTopicOperationAsync(TopicName topicName, String originalRole, String role, AuthenticationDataSource authData) { - validateOriginalPrincipal(conf.getProxyRoles(), role, originalRole); + if (!isValidOriginalPrincipal(role, originalRole, authData)) { + return CompletableFuture.completedFuture(false); + } if (isProxyRole(role)) { CompletableFuture isRoleAuthorizedFuture = allowTopicOperationAsync( topicName, operation, role, authData); diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java index 1ed27d4a757e10..bd55067b563a90 100644 --- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java +++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java @@ -3991,7 +3991,7 @@ protected void internalOffloadStatus(AsyncResponse asyncResponse, boolean author }); } - public static CompletableFuture getPartitionedTopicMetadata( + public CompletableFuture getPartitionedTopicMetadata( PulsarService pulsar, String clientAppId, String originalPrincipal, AuthenticationDataSource authenticationData, TopicName topicName) { CompletableFuture metadataFuture = new CompletableFuture<>(); diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java index 899bdd496268da..1e7ccfb298a653 100644 --- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java +++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java 
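Review bot: `getPartitionedTopicMetadata` loses `static` but keeps its `PulsarService pulsar` parameter, so callers now need an instance and still hand over a broker handle that the instance presumably already owns, if PersistentTopicsBase inherits the `pulsar` field that PulsarWebResource reads elsewhere in this patch. If the parameter is kept only to limit the size of the change, a short comment saying so, e.g. `// pulsar is passed explicitly for source compatibility; it is expected to equal this.pulsar`, would stop someone introducing a second source of truth later. The method body continues past the end of the hunk.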
@@ -188,7 +188,6 @@ public class ServerCnx extends PulsarHandler implements TransportCnx {
 private int nonPersistentPendingMessages = 0;
 private final int maxNonPersistentPendingMessages;
 private String originalPrincipal = null;
- private Set proxyRoles;
 private boolean authenticateOriginalAuthData;
 private final boolean schemaValidationEnforced;
 private String authMethod = "none";
@@ -261,7 +260,6 @@ public ServerCnx(PulsarService pulsar, String listenerName) {
 this.recentlyClosedProducers = new HashMap<>();
 this.replicatorPrefix = conf.getReplicatorPrefix();
 this.maxNonPersistentPendingMessages = conf.getMaxConcurrentNonPersistentMessagePerConnection();
- this.proxyRoles = conf.getProxyRoles();
 this.authenticateOriginalAuthData = conf.isAuthenticateOriginalAuthData();
 this.schemaValidationEnforced = conf.isSchemaValidationEnforced();
 this.maxMessageSize = conf.getMaxMessageSize();
@@ -367,32 +365,6 @@ public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws E
 ctx.close();
 }
- /**
- * When transitioning from Connecting to Connected, this method validates the roles.
- * If the authRole is one of proxyRoles, the following must be true:
- * - the originalPrincipal is given while connecting
- * - originalPrincipal is not blank
- * - originalPrincipal is not a proxy principal.
- * @return true when roles are valid and false when roles are invalid
- */
- private boolean isValidRoleAndOriginalPrincipal() {
- String errorMsg = null;
- if (proxyRoles.contains(authRole)) {
- if (StringUtils.isBlank(originalPrincipal)) {
- errorMsg = "originalPrincipal must be provided when connecting with a proxy role.";
- } else if (proxyRoles.contains(originalPrincipal)) {
- errorMsg = "originalPrincipal cannot be a proxy role.";
- }
- }
- if (errorMsg != null) {
- log.warn("[{}] Illegal combination of role [{}] and originalPrincipal [{}]: {}", remoteAddress, authRole,
- originalPrincipal, errorMsg);
- return false;
- } else {
- return true;
- }
- }
-
 // ////
 // // Incoming commands handling
 // ////
@@ -685,7 +657,8 @@ private void doAuthentication(AuthData clientData,
 if (state != State.Connected) {
 // First time authentication is done
 if (service.isAuthenticationEnabled() && service.isAuthorizationEnabled()) {
- if (!isValidRoleAndOriginalPrincipal()) {
+ if (!service.getAuthorizationService()
+ .isValidOriginalPrincipal(this.authRole, originalPrincipal, remoteAddress)) {
 state = State.Failed;
 service.getPulsarStats().recordConnectionCreateFail();
 final ByteBuf msg = Commands.newError(-1, ServerError.AuthorizationError, "Invalid roles.");
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java
index 39211aca7ad9a1..67904b5ff563ad 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java
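Review bot: The replacement call on the `.isValidOriginalPrincipal(this.authRole, originalPrincipal, remoteAddress)` line runs only under `service.isAuthenticationEnabled() && service.isAuthorizationEnabled()` on the line above it, so with authentication on and authorization off a client-supplied `originalPrincipal` is accepted without this consistency check; the deleted method carried Javadoc explaining the rule, the new call site has no comment. Assuming the gating is intended, I would add above the `if`: `// Consistency of authRole/originalPrincipal is only enforced when authorization is enabled.` `service.getAuthorizationService()` is also dereferenced without a null check; whether BrokerService can have authorization enabled without an AuthorizationService instance is not visible from the hunk. doAuthentication begins before this hunk and continues after it.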
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java
@@ -149,19 +149,11 @@ public static boolean isClientAuthenticated(String appId) {
 return appId != null;
 }
- private static void validateOriginalPrincipal(Set proxyRoles, String authenticatedPrincipal,
- String originalPrincipal) {
- if (proxyRoles.contains(authenticatedPrincipal)) {
- // Request has come from a proxy
- if (StringUtils.isBlank(originalPrincipal)) {
- log.warn("Original principal empty in request authenticated as {}", authenticatedPrincipal);
- throw new RestException(Status.UNAUTHORIZED,
- "Original principal cannot be empty if the request is via proxy.");
- }
- if (proxyRoles.contains(originalPrincipal)) {
- log.warn("Original principal {} cannot be a proxy role ({})", originalPrincipal, proxyRoles);
- throw new RestException(Status.UNAUTHORIZED, "Original principal cannot be a proxy role");
- }
+ private void validateOriginalPrincipal(String authenticatedPrincipal, String originalPrincipal) {
+ if (!pulsar.getBrokerService().getAuthorizationService()
+ .isValidOriginalPrincipal(authenticatedPrincipal, originalPrincipal, clientAuthData())) {
+ throw new RestException(Status.UNAUTHORIZED,
+ "Invalid combination of Original principal cannot be empty if the request is via proxy.");
 }
 }
@@ -184,7 +176,7 @@ public CompletableFuture validateSuperUserAccessAsync(){
 isClientAuthenticated(appId), appId);
 }
 String originalPrincipal = originalPrincipal();
- validateOriginalPrincipal(pulsar.getConfiguration().getProxyRoles(), appId, originalPrincipal);
+ validateOriginalPrincipal(appId, originalPrincipal);
 if (pulsar.getConfiguration().getProxyRoles().contains(appId)) {
 BrokerService brokerService = pulsar.getBrokerService();
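Review bot: The new client-facing message on the last added line of `validateOriginalPrincipal`, `"Invalid combination of Original principal cannot be empty if the request is via proxy."`, is two sentences spliced together and no longer describes the failure, which after this change also covers an originalPrincipal supplied without a proxy role; the specific reason is already logged by `isValidOriginalPrincipal`, so the response text can stay generic: `"Invalid combination of authenticated principal and original principal."`. The method also changed from static to an instance method because it reads `clientAuthData()`, which deserves a one-line Javadoc: `/** Rejects the request with 401 when the authenticated role and originalPrincipal are not a valid pair; see AuthorizationService#isValidOriginalPrincipal. */`.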
@@ -259,7 +251,7 @@ protected void validateAdminAccessForTenant(String tenant) { } } - protected static void validateAdminAccessForTenant(PulsarService pulsar, String clientAppId, + protected void validateAdminAccessForTenant(PulsarService pulsar, String clientAppId, String originalPrincipal, String tenant, AuthenticationDataSource authenticationData, long timeout, TimeUnit unit) { @@ -286,7 +278,7 @@ protected CompletableFuture validateAdminAccessForTenantAsync(String tenan clientAuthData()); } - protected static CompletableFuture validateAdminAccessForTenantAsync( + protected CompletableFuture validateAdminAccessForTenantAsync( PulsarService pulsar, String clientAppId, String originalPrincipal, String tenant, AuthenticationDataSource authenticationData) { @@ -305,8 +297,7 @@ protected static CompletableFuture validateAdminAccessForTenantAsync( if (!isClientAuthenticated(clientAppId)) { throw new RestException(Status.FORBIDDEN, "Need to authenticate to perform the request"); } - validateOriginalPrincipal(pulsar.getConfiguration().getProxyRoles(), clientAppId, - originalPrincipal); + validateOriginalPrincipal(clientAppId, originalPrincipal); if (pulsar.getConfiguration().getProxyRoles().contains(clientAppId)) { AuthorizationService authorizationService = pulsar.getBrokerService().getAuthorizationService(); diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/AuthorizationTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/AuthorizationTest.java index 39a91f72dc7423..ad69180b236dc0 100644 --- a/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/AuthorizationTest.java +++ b/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/AuthorizationTest.java 
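Review bot: `validateAdminAccessForTenant` and `validateAdminAccessForTenantAsync` drop `static` yet keep their `PulsarService pulsar` parameter, and inside `validateAdminAccessForTenantAsync` the new `validateOriginalPrincipal(clientAppId, originalPrincipal)` call takes its peer address from the instance's `clientAuthData()` rather than from the `authenticationData` parameter the method receives, so a caller that passes data for a different request would get the wrong address in the warn log. Threading the parameter through needs a second overload of `validateOriginalPrincipal`; if that is out of scope, note the asymmetry at the call: `// originalPrincipal validation uses this request's clientAuthData(), not the authenticationData argument.` Both methods continue past the end of their hunks.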
@@ -22,8 +22,14 @@
 import static org.testng.Assert.assertFalse;
 import static org.testng.Assert.assertTrue;
 import static org.testng.Assert.fail;
+import com.google.common.collect.Sets;
+import java.net.SocketAddress;
+import java.util.Collections;
 import java.util.EnumSet;
+import org.apache.pulsar.broker.ServiceConfiguration;
+import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
 import org.apache.pulsar.broker.authorization.AuthorizationService;
+import org.apache.pulsar.broker.resources.PulsarResources;
 import org.apache.pulsar.client.admin.PulsarAdmin;
 import org.apache.pulsar.client.admin.PulsarAdminBuilder;
 import org.apache.pulsar.common.naming.TopicDomain;
@@ -32,11 +38,11 @@
 import org.apache.pulsar.common.policies.data.ClusterData;
 import org.apache.pulsar.common.policies.data.TenantInfoImpl;
 import org.apache.pulsar.common.policies.data.SubscriptionAuthMode;
+import org.mockito.Mockito;
 import org.testng.Assert;
 import org.testng.annotations.AfterClass;
 import org.testng.annotations.BeforeClass;
 import org.testng.annotations.Test;
-import com.google.common.collect.Sets;
 @Test(groups = "flaky")
 public class AuthorizationTest extends MockedPulsarServiceBaseTest {
@@ -229,6 +235,39 @@ public void simple() throws Exception {
 admin.clusters().deleteCluster("c1");
 }
+ @Test
+ public void testOriginalRoleValidation() throws Exception {
+ ServiceConfiguration conf = new ServiceConfiguration();
+ conf.setProxyRoles(Collections.singleton("proxy"));
+ AuthorizationService auth = new AuthorizationService(conf, Mockito.mock(PulsarResources.class));
+
+ // Original principal should be supplied when authenticatedPrincipal is proxy role
+ assertTrue(auth.isValidOriginalPrincipal("proxy", "client", (SocketAddress) null));
+
+ // Non proxy role should not supply originalPrincipal
+ assertTrue(auth.isValidOriginalPrincipal("client", "", (SocketAddress) null));
+ assertTrue(auth.isValidOriginalPrincipal("client", null, (SocketAddress) null));
+
+ // Only likely in cases when authentication is disabled, but we still define these to be valid.
+ assertTrue(auth.isValidOriginalPrincipal(null, null, (SocketAddress) null));
+ assertTrue(auth.isValidOriginalPrincipal(null, "", (SocketAddress) null));
+ assertTrue(auth.isValidOriginalPrincipal("", null, (SocketAddress) null));
+ assertTrue(auth.isValidOriginalPrincipal("", "", (SocketAddress) null));
+
+ // Proxy role must supply an original principal
+ assertFalse(auth.isValidOriginalPrincipal("proxy", "", (SocketAddress) null));
+ assertFalse(auth.isValidOriginalPrincipal("proxy", null, (SocketAddress) null));
+
+ // OriginalPrincipal cannot be proxy role
+ assertFalse(auth.isValidOriginalPrincipal("proxy", "proxy", (SocketAddress) null));
+ assertFalse(auth.isValidOriginalPrincipal("client", "proxy", (SocketAddress) null));
+ assertFalse(auth.isValidOriginalPrincipal("", "proxy", (SocketAddress) null));
+ assertFalse(auth.isValidOriginalPrincipal(null, "proxy", (SocketAddress) null));
+
+ // Must gracefully handle a missing AuthenticationDataSource
+ assertTrue(auth.isValidOriginalPrincipal("proxy", "client", (AuthenticationDataSource) null));
+ }
+
 @Test
 public void testGetListWithGetBundleOp() throws Exception {
 String tenant = "p1";
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/broker/service/ServerCnxTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/broker/service/ServerCnxTest.java
index 34cc3ba2232d4c..f55cc387705d44 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/broker/service/ServerCnxTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/broker/service/ServerCnxTest.java
@@ -416,6 +416,10 @@ public void testConnectCommandWithInvalidRoleCombinations() throws Exception {
 verifyAuthRoleAndOriginalPrincipalBehavior(authMethodName, "pass.proxy", "pass.proxy");
 verifyAuthRoleAndOriginalPrincipalBehavior(authMethodName, "pass.proxy", "");
 verifyAuthRoleAndOriginalPrincipalBehavior(authMethodName, "pass.proxy", null);
+ // Invalid combinations where original principal is set to a pass.proxy role
+ verifyAuthRoleAndOriginalPrincipalBehavior(authMethodName, "pass.client", "pass.proxy");
+ // Invalid combinations where the original principal is set to a non-proxy role
+ verifyAuthRoleAndOriginalPrincipalBehavior(authMethodName, "pass.client1", "pass.client");
 }
 private void verifyAuthRoleAndOriginalPrincipalBehavior(String authMethodName, String authData,
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/AdminApiKeyStoreTlsAuthTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/AdminApiKeyStoreTlsAuthTest.java
index 77533949b8722f..fe734e06008bd8 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/AdminApiKeyStoreTlsAuthTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/AdminApiKeyStoreTlsAuthTest.java
@@ -47,7 +47,6 @@
 import org.apache.pulsar.client.api.ProducerConsumerBase;
 import org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls;
 import org.apache.pulsar.common.policies.data.ClusterData;
-import org.apache.pulsar.common.tls.NoopHostnameVerifier;
 import org.apache.pulsar.common.policies.data.TenantInfoImpl;
 import org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext;
 import org.glassfish.jersey.client.ClientConfig;
@@ -74,8 +73,14 @@ public class AdminApiKeyStoreTlsAuthTest extends ProducerConsumerBase {
 "./src/test/resources/authentication/keystoretls/client.keystore.jks";
 protected final String CLIENT_TRUSTSTORE_FILE_PATH =
 "./src/test/resources/authentication/keystoretls/client.truststore.jks";
+ protected final String PROXY_KEYSTORE_FILE_PATH =
+ "./src/test/resources/authentication/keystoretls/proxy.keystore.jks";
+ protected final String PROXY_AND_CLIENT_TRUSTSTORE_FILE_PATH =
+ "./src/test/resources/authentication/keystoretls/proxy-and-client.truststore.jks";
 protected final String CLIENT_KEYSTORE_PW = "111111";
 protected final String CLIENT_TRUSTSTORE_PW = "111111";
+ protected final String PROXY_KEYSTORE_PW = "111111";
+ protected final String PROXY_AND_CLIENT_TRUSTSTORE_PW = "111111";
 protected final String CLIENT_KEYSTORE_CN = "clientuser";
 protected final String KEYSTORE_TYPE = "JKS";
@@ -96,8 +101,8 @@ public void setup() throws Exception {
 conf.setTlsKeyStorePassword(BROKER_KEYSTORE_PW);
 conf.setTlsTrustStoreType(KEYSTORE_TYPE);
- conf.setTlsTrustStore(CLIENT_TRUSTSTORE_FILE_PATH);
- conf.setTlsTrustStorePassword(CLIENT_TRUSTSTORE_PW);
+ conf.setTlsTrustStore(PROXY_AND_CLIENT_TRUSTSTORE_FILE_PATH);
+ conf.setTlsTrustStorePassword(PROXY_AND_CLIENT_TRUSTSTORE_PW);
 conf.setClusterName(clusterName);
 conf.setTlsRequireTrustedClientCertOnConnect(true);
@@ -107,6 +112,7 @@ public void setup() throws Exception {
 // config for authentication and authorization.
 conf.setSuperUserRoles(Sets.newHashSet(CLIENT_KEYSTORE_CN));
+ conf.setProxyRoles(Sets.newHashSet("proxy"));
 conf.setAuthenticationEnabled(true);
 conf.setAuthorizationEnabled(true);
 Set providers = new HashSet<>();
@@ -147,13 +153,13 @@ WebTarget buildWebClient() throws Exception {
 SSLContext sslCtx = KeyStoreSSLContext.createClientSslContext(
 KEYSTORE_TYPE,
- CLIENT_KEYSTORE_FILE_PATH,
- CLIENT_KEYSTORE_PW,
+ PROXY_KEYSTORE_FILE_PATH,
+ PROXY_KEYSTORE_PW,
 KEYSTORE_TYPE,
 BROKER_TRUSTSTORE_FILE_PATH,
 BROKER_TRUSTSTORE_PW);
- clientBuilder.sslContext(sslCtx).hostnameVerifier(NoopHostnameVerifier.INSTANCE);
+ clientBuilder.sslContext(sslCtx);
 Client client = clientBuilder.build();
 return client.target(brokerUrlTls.toString());
@@ -186,11 +192,11 @@ public void testSuperUserCanListTenants() throws Exception {
 }
 @Test
- public void testSuperUserCantListNamespaces() throws Exception {
+ public void testSuperUserCanListNamespaces() throws Exception {
 try (PulsarAdmin admin = buildAdminClient()) {
 admin.clusters().createCluster("test", ClusterData.builder().serviceUrl(brokerUrl.toString()).build());
 admin.tenants().createTenant("tenant1",
- new TenantInfoImpl(ImmutableSet.of("proxy"),
+ new TenantInfoImpl(ImmutableSet.of(""),
 ImmutableSet.of("test")));
 admin.namespaces().createNamespace("tenant1/ns1");
 Assert.assertTrue(admin.namespaces().getNamespaces("tenant1").contains("tenant1/ns1"));
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsTest.java
index 2e839b93f194f9..425e08cb91faba 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/KeyStoreTlsTest.java
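Review bot: `new TenantInfoImpl(ImmutableSet.of(""), ...)` in `testSuperUserCanListNamespaces` now creates the tenant with the empty string as its admin role; if the intent is a tenant with no admin role, `ImmutableSet.of()` says so directly, whereas `""` reads like a leftover from editing `"proxy"` out, and whether an empty-string admin role matches anything at authorization time is not visible from this hunk. Removing `hostnameVerifier(NoopHostnameVerifier.INSTANCE)` in `buildWebClient` means the Jersey client now verifies the broker certificate's hostname, which is the right default but makes the test depend on the regenerated `broker.keystore.jks` carrying a SAN for the address the test connects to; a comment on `BROKER_KEYSTORE_FILE_PATH` naming that requirement would help whoever regenerates the binary fixtures next. `setup` and `buildWebClient` both extend beyond their hunks.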
@@ -31,23 +31,23 @@ public class KeyStoreTlsTest {
 protected final String BROKER_KEYSTORE_FILE_PATH =
 "./src/test/resources/authentication/keystoretls/broker.keystore.jks";
 protected final String BROKER_TRUSTSTORE_FILE_PATH =
- "./src/test/resources/authentication/keystoretls/broker.truststore.jks";
+ "./src/test/resources/authentication/keystoretls/client.truststore.jks";
 protected final String BROKER_KEYSTORE_PW = "111111";
 protected final String BROKER_TRUSTSTORE_PW = "111111";
 protected final String CLIENT_KEYSTORE_FILE_PATH =
 "./src/test/resources/authentication/keystoretls/client.keystore.jks";
 protected final String CLIENT_TRUSTSTORE_FILE_PATH =
- "./src/test/resources/authentication/keystoretls/client.truststore.jks";
+ "./src/test/resources/authentication/keystoretls/broker.truststore.jks";
 protected final String CLIENT_KEYSTORE_PW = "111111";
 protected final String CLIENT_TRUSTSTORE_PW = "111111";
 protected final String KEYSTORE_TYPE = "JKS";
 protected final String BROKER_TRUSTSTORE_FILE_NPD_PATH =
- "./src/test/resources/authentication/keystoretls/pulsar_server_trust_npd.jks";
+ "./src/test/resources/authentication/keystoretls/client.truststore.nopassword.jks";
 protected final String CLIENT_TRUSTSTORE_FILE_NPD_PATH =
- "./src/test/resources/authentication/keystoretls/pulsar_client_trust_npd.jks";
+ "./src/test/resources/authentication/keystoretls/broker.truststore.nopassword.jks";
 public static final Provider BC_PROVIDER = getProvider();
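Review bot: After this hunk the constant names and the file names cross: `BROKER_TRUSTSTORE_FILE_PATH` points at `client.truststore.jks`, `CLIENT_TRUSTSTORE_FILE_PATH` at `broker.truststore.jks`, and the `_NPD_` pair swaps the same way. Whether that reflects how the regenerated stores were built (each side's truststore named after the certificate it trusts rather than the side that loads it) cannot be told from the hunk, and without a note the next reader will be tempted to "fix" the swap back. A one-line comment above `BROKER_TRUSTSTORE_FILE_PATH` stating which CA each truststore file contains and which side loads it would settle that; the binary stores in this patch carry no such description. The class body continues past the hunk.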
diff --git a/pulsar-broker/src/test/resources/authentication/keystoretls/broker.keystore.jks b/pulsar-broker/src/test/resources/authentication/keystoretls/broker.keystore.jks index 8ef2c6c60ba81623c6afd7a6b0611f0ee1147616..6f2df055f26add400c012950df1967fbc2e2581c 100644 GIT binary patch delta 1995 zcmV;+2Q>JL9nKLb{_Xzl00002000010000100v@mZ);_80004oNmTu6000F6FoFdA zlTiZ`f9X{m&X|u!c0CEb3Pv`FDm05j0yUQt1Su;4k|;4=>wgkS0;cbp>S2@gq;CQs zb1pjSRpjuMwlpM^va;0+eJRC$zH5ZI*VHc2yG!6~#r{AmJ`DxhBoONC&+JmxnFey` zd^N!yi^7IKe6RXDJjHNN`fA$A;sJ2XV6cQ)e|;uU{TK&(Gh1F)6e1dC1huKPE6U+b5mV2Ir14jT6l{x)v&=%5=gsXniHfkt0)A z1nsg$2K}Q&Y;Dg)uN+Ct(8C?A^P#Awbqi_5PD?y)x$j@|O!@g1EF-}T(C*Zu-;N)K ze{ZcCh7!)Sy%EDUOJ7_8DjIastQF%WcTUa0k+6;&bovC1D^2Cogg_i%*K-!-lQH|b zJbkoELK-uHDdC4%K}Z;78Ok-%yk+v!g}Lwg>qtKfv(XV*r1$$zDy0|U#SJf^;&{x8 zu^oloU>>Ye9VCbieuDvuN)F#GjO`_Iy=j3^q$+5#0xtFhX+V!-b@dX*gp{Ape~ar0 z0=HviJ{Wy4KoD5wIgy5%;1gHFWSASA9$D=~L0Uz)x%9@2d(ol~QLC?0&s<9}kSW-P zo4te1`MIZrHnM`6=9BTPhM^x$diy_jyMM~`!;?VIj&>HT9zY8WuSllXtH=NLMAzDVu^ZLqCku05DOx@V>4f@f8(iOt9fj`fNh+#KdDc*H<;A>_}RL`qof143ptxUE_-E>g~@c>QUTVg5;^Sj#{ z4PW%4q)$a&q+eFKK;f#}lBCKkB|1;@7*fySr^qZ5LF|!qyyzzRe;JQKUc@=1XXP3I z|FXzgGET8EqP)xmxRIVF7SY;a$B7|CsJQL?fIT#uV(PbpiAojikoe{BA=85Y?-5AW zA4o({(Cu?NuL%tozA)iUDA*KJbD#mfPu?h~y_ZVuJZ{s-zX^Af*4D}EWnNy1-e?s(gk8m>sT(`br>ZbC7AI0*~D84da)28be;HLa0x=JP3&Kw| zW2Oe;s8s9WRY;L zB!~w`MSU5=!6gDv`1A^+dukEGZ@JnApe;RRM~*1c7>Y%^d3(Cm*eOj;+WoQ~>$X`N z@yUwntbKCajpsvsD$~aT0|5X5qaiRKFdYU1RUHll76cTCI$52va;#+g^No4!RQ@2t zgGnTlQ3@1)afs{3^74c=_p7`-&b|@($u_kfla|kB21@a^^~{&K&65v`W@3fQ{lQ~? 
zIN1UWYXmrZ?1JVc^Ng8|(ICd_UUiwRtkL&v=hP|#nlb!ZA%)X_4li@liT7!440JV>jN|{t_gu79 zz)5`ou55@~MlrKuWMZ%loP5xPXxZaZ?KSvXZ=P3TOE!=9J~0*iyWdg7{gReh)m1)w z`!6n96~637IN-^&M$24rO8&50>ZyJef9>yoK@7Y`#~TG2bKnbU}?a+0tgrYg9QaZ8BO!2+N1#WlInTC0NFnq24Elv4d4Z_*TM~^0RX7JL^+uU`J`=$EQ_o*VhWZ>&Klhk6~0ho zupP%YV_B7S4)0T+e?Ue0SI<_BM#3D+X*k~1`4V1r-h#>Om8=L&9&) zQzO4n_*iy#PhzFMcgsOVu&C&NAHe&4fB*n&Lt$75yZW=++3{q%9RT4IQg}yaN;yp) zi!}G@S-P&x?0j`*O+{CWPRE`Ube;~@7?rEe*XXR+@h-Bo?KM$s&a1xk9=ed+w|9SP z#On#O%wB4K)Q+f%R;=cvt5I1R7Tj{&tglni#}OqapLsfE#wj=C?wNy%jVzsBu&8$_z3qRrPSnM5R>w1(Im_VjL#!3)tYqu2g=!QG zOx*XKuEciReu}DRw|OR7{wgSFBI-2a>Y!sZwdh7B9T2kNWNss z?-%8Z90!X4?{20>kOr&vm zteOkSzyqi?zo{Tt-5`t4<4o-F1J2`P7gQscEF_La1%PFZ- zV{n;jg^AnhyvHRr+P2JbQB8YGXMf3eg)295eegMr|8;RZ#oIEZK`(kUw_=rjC3 z)@4v7^$B$s>z=(7vU9_PVJvkj)4Sqqp_GJV1P^I-K&qDi4O6y)P9@gtR@Q-C-`Lmf zFH=*|#ggWM6pUriBj7#<4ckdN&N=rU7RS&|d|Wpk%8sBer;|}~4-((Jyd7YB^%TDVXU=6~VbhbJ z?nz`)+w`mtJtdTmY>hQf0xz@dtHt~#Di?~c4cX)3Hj=eUh(#@;+Fc@JTmJjCCYmt< z(xk1_5aE@vu3u1Sn^?|uXV}mcbJTRB!KJ5!aiP)zooR$y$y;(W+S---v3+6=?a?%+ z{n4e7u8EojGrtqrCuVAQ-_Lo(#23vMxr=etYk#fcI>FW93CUSaz?|r;A+Oz=K7O}o zey}mgZSt^G7{Yt)R!*IHE%)htbhj6h$>L^738*TaGn1{(_2VI4Q^o|Zz^X!4cf{9F z%xeGTOOaK&_uXTR$Xsx>BIK<~M2w6s*&enqDQi2Tq?v6+`0eEyZZ$$y`wp`rJRzFA zH9tHo^C82wCZk2rN91F?y?(u&Qmylr3no-vt>AhL=g`>+g?Q&2xz8C$JBZuFs7I4; zfUShJO5c;G+9V!z<%UXAP;mC_m-Kf6!W@}3%*&IVjFgf3-gOn>Y0Pp{!1w`{P(oM} zt$+9X-sm}X(qxmObvtAmhxTJ8W7g1nlNfB^#y*v8j~b%$=8j?;|9+t=T+?O$Ox})qUVazT`D#Om!yJq`yT!>I@limih&xz zdzA`?5y;r|T))QbG{zZjN%az%75(-}gOm0?ax#9;BWo)A$t}4bNuK<$)A@!u zv6UC;g?*hSv+A8%S+B40_PJNj$)QELC?k9-Hug5Gi-v=$H;>W1J+d}ivnQVk(gAD6 z#t{Qzc5%|GKT3CBt=7XzW5Y(1g!I)h=?Ip4W}L~L^0RT-2AebWySldC>N4!~W9JGr zA`gcb%iFz);kaVan5K=oBj6{3;>s0CayXUtgG2rn*B{7`6%;jp&gm-$HLObMZIY91 zf<&2GkQtoGro6oOOI@~Lk&m+E(BcaN`J{x5cI|lk z+cLD%j!fG6`CY(AeBr@;n5?DQKm!FnHR{l zHCNvc^R9d3D{G})w|G^Ip3YjCD6c_ncFdPR9$a(F9G~|L`IZK=Q*|*BU4EF+eF2-B znNfQ^i$}%}g+Y3)yOBBfo86Oj6k$++0tSEOeeoOp`em-q%>B8`obScw&Jl-R_1>IH 
zzSAmM3p2NC*D6D8=WI`)ui+jR-{m!k>yk{&79*|P_z$B0gXo{1qW>V84bkm&thU^S Tl-g3=&c!Sw=9zD=b^HGSLGvMD diff --git a/pulsar-broker/src/test/resources/authentication/keystoretls/broker.truststore.jks b/pulsar-broker/src/test/resources/authentication/keystoretls/broker.truststore.jks index 96f12a38a72270055983ec89ba2543b3795f449f..9c35356c540212f5f3841d77cbf90995b963ca04 100644 GIT binary patch literal 969 zcmezO_TO6u1_mY|W(3n*B}JvhCB-HAMX5lcHqTI&lMJj8dZq@J3=GU|22IRO22D&^ z3z(T0nV2{kKJg#3C}w^YWWdYDsnzDu_MMlJk(-slAkR?1fRBwil!Z;0Jv1*nFTWfv z!hs>ejv>N@A;OIi5i$?}nanKAnUkNKn3IuTTwh&tTBR$i>ve$jI|Wcw};-E~IVt zjm6dOc`q0Clzisjy{y?;u>8oZ)xjkxZvPtliZBpcZtRtuQ6y(hhI-o?dr)gf)B?EgfK ze&_l<_nAJ`=+O<9?neyXttk@=)~R%`ySvs(9zLkb6!7B<*W&6d!Nd7GZ?P@VwM}*J z)3_wj<+{7Fde_w(n!bLw{%(?cy)9Du|&K0}+_AfPu)!P}uSM_@_@Trr%fZu{pO- z@aIXht#Xs6olj%)`nc`undv*vPUi1QOKLs+_h53J#Z4xjY!-{^H%-q}KljY+y{K^P zbzJGZZ6DsOomHmfxVPiw;dNq-l{?L+z@6>+3~{?t9~A@!;eZ zx6?6&UjL3u>a@t*6czg8aHi(Z7Yn6tyKaACoqka5>*)h;cZoeS<}tTo-@N!#Na>;& V#kJx!J=4krj<8hlYf4J=003G+8}o&x7*M^}z0INQHI|J_r#hCM=x>Giixt_PvTaZ}0^&I>H>i9Qmr zuH3_(H}YQQMLPy7%~=x_zqd`?>~&bpxATZnR(n+MwWRm!1VkM!-46I&{vmhWpdf zaou-4JFAWkgF=yrM@8m0l{e2fKe3+sbD%9V{eATt?_H5=R%gZRl#C2}Zj)TG?|BbjCeQaJHlJoWd@nO!aB1Ew z&Z3>0gHl+p3Td8T&-k7EWl#Ujhf(#8kBX$1Fa?F@-sU>_|BjG4vv{?BWA5b@%e*uy zxiTh|@~F-6yv};O|INJI+|qUOzUPm!|LYehep|oq;{3(pX9GAJAG$@erG7r;6}f8K PmV=Leuw73+(aQ?}0!d1= 
diff --git a/pulsar-broker/src/test/resources/authentication/keystoretls/broker.truststore.nopassword.jks b/pulsar-broker/src/test/resources/authentication/keystoretls/broker.truststore.nopassword.jks new file mode 100644 index 0000000000000000000000000000000000000000..75c3fd8012f9625d6d5160f8905235c314b3ccdf GIT binary patch literal 969 zcmezO_TO6u1_mY|W(3n*B}JvhCB-HAMX5lcHqTI&lMJj8dZq@J3=GU|22IRO22D&^ z3z(T0nV2{kKJg#3C}w^YWWdYDsnzDu_MMlJk(-slAkR?1fRBwil!Z;0Jv1*nFTWfv z!hs>ejv>N@A;OIi5i$?}nanKAnUkNKn3IuTTwh&tTBR$i>ve$jI|Wcw};-E~IVt zjm6dOc`q0Clzisjy{y?;u>8oZ)xjkxZvPtliZBpcZtRtuQ6y(hhI-o?dr)gf)B?EgfK ze&_l<_nAJ`=+O<9?neyXttk@=)~R%`ySvs(9zLkb6!7B<*W&6d!Nd7GZ?P@VwM}*J z)3_wj<+{7Fde_w(n!bLw{%(?cy)9Du|&K0}+_AfPu)!P}uSM_@_@Trr%fZu{pO- z@aIXht#Xs6olj%)`nc`undv*vPUi1QOKLs+_h53J#Z4xjY!-{^H%-q}KljY+y{K^P zbzJGZZ6DsOomHmfxVPiw;dNq-l{?L+z@6>+3~{?t9~A@!;eZ zx6?6&UjL3u>a@t*6czg8aHi(Z7Yn6tyKaACoqka5>*)h;cZoeS<}tTo-@N$L&kZ|{ V8ei?$#K_k1u!4R1v1Y|TWdM`hbm#y8 literal 0 HcmV?d00001 
diff --git a/pulsar-broker/src/test/resources/authentication/keystoretls/client.keystore.jks b/pulsar-broker/src/test/resources/authentication/keystoretls/client.keystore.jks index 375e2e00bb410f76c744f0f57bcfeee4a65a1eae..0c9d33408e1c1aa52971b2037af7893204a79876 100644 GIT binary patch delta 2025 zcmV0w53 z9}z1l$<#Ku0ATEdb!k>s7hQi{Q5mk-i!vI-9@JGxzK9Uj{wDYcd1RJTK;z>eN*r#RD$>Yl^LuJvBCJk&df+!Nb+K;%|}v{cew$E zRBDEm|NJh0R%;IpDDgk;QKn49gSxcsRMK0EKYU)Y=w==a9jqB%^sKhH4P`E`>DKp3 zt(_akRxf?Y=l;(8h%td!l?V?MD?(2G0I1>bxQ~qH(@NN(G?*#|g;l?>Q1cNw&}t$* zud)oYo#T&6St5HyS#utf`C+2oMK3qc%Y8my2+Qw(T?*BJEpH9GyCUpp6I5E{BVW&S z^$#S31VTLgthr?-HUvj%n2?N%fip z22bsO2P-*E5=L-7vb$-T>7a+QV(YRU$72)ddd~Xx^e!@`9TsHCjEqEM6CzL;L%kp8 zZ=iw^Gsy?vzfbVfRH>kwZOMOj@njgt>M_kL+(^MmmoY0VWDV%0Zq4#e*zyDlxjh`$ zKT6|Rrk}i@9#{^_7)W`8+29i=LGa|DaGBnJ-_{5e(b}X{G0jJrTCZ@mseiZJFFLV8 z^4BgH#^#9Zp)uE=!^p@UHr3Z$=dS?c$Z=o1&~)NN1$a&eLzj`OS*rzQii}YL+-s{q z^5xjb^6#jEVYz=6T)^k=e>zLecVtkzeOwHe`01I%jRg8jMuQ<|A?nwwAoV4AVIi}JMEnn4<(f4H;+iAsO%g(No_W`aBaBsaCep-Br z5h_Fj=L}UNbDBO?wuYE!qKELrD0y3d^GE8IWRx8fyJE^0Y0&HPscG5~Y9V3r4K+C1 zrAqY)6x|aP2Y|3X)n*sHU8E>Y`JqoYFm7=wa!SLwUGq&Vi+Cj(Im#)8AOubp=wg}U z#9a43J8oT$cSxhvbtR0?g8V-;Pw7EWQk9f77mrIk+AO)utY4Od)~2!4WBXKpH;g92 zRCPIliY{J|fNB>JqMoK^YPz5`=+{)11@r4duOi0|OK>jr!hKpbT3SESdr5jUfHFlX zGZr_DR<)-;u&N>JKhTuD4dLZd*Cv|nFB3r@k98!Uq8UK9QFi;%@3K()n0*CD^j3)s z2GV-G!vF&3Qq2vEh-=8PF>RuMhlPV6#xR8kD!L&O>5-yO=sV}LIvUfW@wKYF%24Qr zWex=NGBwJ)-D9B<_GcYkSFfcVWGBYxhyaUC#PsiE&mlO^nR(wgqEx96~CtL>-Qem+;Ix*p8w8MgB& zNwzGVYA&zfE(rxUrj5dJSBK`Gn2CHD3%*5%6hWswu+5)MrVJ^zoGN_VA_nT3zHBii zS;RqqktHh7n$)pi?T&X>ad;sCfb(}=vC})OpKc&Q?S)|d+X0Q(MWkz|{z%*s&YF#u z8?P8f-J7F1zudaAc_P2nM#KPFvZ*6jT24jokBc&nI|?LW9jTH-F3Jq$6K?4kvWR4( zf6U&WL|JytxAG3pe?cGgEf^N?+^8BEsqs30jsF4z0RRD`Aut~>9R>qc9S#H*1Qdo) zB|VqD-fUq(dX^^_;_Eq~D&Q~;1_>&LNQUE3c6-j6obW$QaFk z>GLsw9ZVv*B=W^no{B$gaWT74lRcm%?0YKqybhu#pqd((XQaUx`Mwr?XCjf0aWD|x z-NWe3792mzK@p1;Mn{3}?in;Mw#jlSbz)z_Jdxl-hT4wk7|OI)#~v0@g_d<;DB88O 
z!M$KPc=iEy#gXUI&;}Mm6J1tOd)`G<2wV9T1xo8iN!@YSd9etL9q586lLXR%*MS^- z+>|m-4mxty)jt6008S-#h6J^SL0On^dX@~kfCwL}vJ#-GtOBS3$CQ-`e5@)z zno9p^{@oNZSp4^f!Eg|i3}y#0)`EnP!C+8bk^Budj`wYgzTzAexCZVbkttm9LB7-~ zJ$f|fr0MhcL>2eC+~W#j7hI_7jjGcv`2Onz+dIHg&Yltzbjkkbsj*`|GY0~vQUr&! zeLxz1Y?E-)hK=ju=cl%}d01{ERU6Bb;p!RKvg|gzz8&i&iKYbwE>fotE`IMRV1L3| zR$@YzQ#%jkQ%{Na>TZXLv1I)M92X*~5Zdq0bY`t(+kAOX6~kd?dp3>Hq0F`dklBrR zub~JsgEM?WyKvS5IPD?LK?->VPzlWThP1j7h0D)hcBcPZjr!B~U&%FP3re z==Oaw-@UrzUDmR5NijCZ^fb}!seu**3I>7m&jJ>JFvHivY%pFJx73+@EG$+lAn@@F zDRjr5v*m2%WkB>t_hA@6z#H-R1K58IK!d?_7#x5ys^7bv5l@EO!622G1a{hF$pOQ6 z{LNihQ^MvX>v-6vf{tcf9B`T2_KTl7?Qlh|dV4u)HngN|!d!6LwXWoaK)!GHQH`Xa ziQ$v!U8LM_RCqZRI5tYam8JlY){7^*+hyHtcm*ZXLlP$O_W~-zj6{}Soo{jI zf3WxLv1NEee3sQ*Vq^TkV#u6Hon6Tj&vUg0?QEvBT>=}XZnAl>Y(CUp$r5aL>}hhFfDbA}D-K zJkH`uZQr-JyOHF_)e9_zS?3Z#|U30Wa`}uG*;QdwlMOff?hN-SzyV3T6@r&VaBvO+i%QE#< zb&U@0^Hd>qcnB&zk=clF8!drnHv?0uQBZ?hW2>*IVJ*^eHJabjUu8#_yMDG@gAlm; z19%jPIb2OyHWBxk$~;P(Z|~~ca*;HaIWoi81}FnK1U{?nn|%gtGWe*xq26vA<~!%+X#MQ*{d@*D5u+9iuP&4gRuOTaR`sz;_UP%RCNcyTAOzJpgwMq+?M0 ze43$7^+0h*DF2&$l%l??{V)Z=k`wn!u)1aJBi3|)uH>vVidM+HPFYYt-Jg0HN4vAv zExS11pLVW9&TOG+^-e~e<;NA@>RddKwo>6n6xiq~B_6U*OsCoUmZFze_Y^*FkG|)H z0}z{y#?ud(1Yy@cesEci8L@26-!6_bOMmN@T{D_jSr?xYUAKaXp7$Cnj69CcC~OEL z&U;zS1e4mHb;tb1f)@zEjim3N*^iAvm~1f2T*5xN`k%_{MW*Rjs|@gCF}g3cXOIk>_U zCQuAvX(dn8tHAW}exeNxnXuUJLXR0!kRNN~aSTEnSAw4YBDlTFvU{2F&<*-$| zz*}OcDJM7h@&*-m`r)Qr$uB(}G%1nDGr@usv-o3Al56DeJWJdKYm&R%9LKLAFO;9F ztqk`pWt&z4|n#Uii(txqT0~heJ`e;YYb7JHkp#tGT@S!pDA!E#T7cduD~7+;_dW-zlk!CC`|%Q-hMzeq?OnF z9GAFS5z&L0H+(6W^I|)br0J|d*kteXv% z#}%n5&$MEN?b>*;Mvu@cfR(Cv&uoH!^5WWECksw3mRFlG)dx8b#R=^mYNi*^dD3$1 zH2ij;XSrhe4p=HYmy;P)RLFNq-ddH}+o{8lM?PeTgcT14NL-E?@Pup#rEa}b&FJtr zYagfMlxYdx9s+(5QJOePJpO*i?jJTAQyYCGcW<9dtS*qmP3obfA0{Durj1~M=) z()0oZZPJ)zPS#m2|<`$;vPs!!)GXEc80rN*#zz_gmB@V`O%is$pG_$qO zPd>g^eg3N)_>02)7X|qj1@%7#4RHRj3`PI$t!M1z|D(uDVhl49PZigxUKhDxGj_e8 z>4eJ#1LZMZK1n%tfl#-RDY#r>p%{|%xg98zq6A(fr2Bt4m-99H%tryWSc}B4 zokjhYl+Y)cUQ}B$7M;s 
z@MkjvsrJ-beZ~6Pik>iHNf13;#f&~S>%+cnH8;1T)HAWalteEqC}y5szNHVg;;D47 zMGBj^5ZALJVf_5BU5Qyo6o~7Mgqcs&P{)cv4gwWXcoy7YoouT>t<8 
diff --git a/pulsar-broker/src/test/resources/authentication/keystoretls/client.truststore.jks b/pulsar-broker/src/test/resources/authentication/keystoretls/client.truststore.jks index 210e423145de96274f254c6a8d48304cb63d9d03..ac59bd92541c5fdd5d11138ffa0bfd5278e9d92d 100644 GIT binary patch literal 971 zcmezO_TO6u1_mY|W(3n*B}JvhCB-HAMX5lcHqTHNeg@VEJyQcq1_tI1gC^z{gC?e& z1njW}v;d`&is&7g!&3dR zmy+8)YkF?enVY4z{(&ARtNF6tLxth(&*snQtdZp2=h`mfxZHNb+4;W9cr>@o(W<$v z#P({|z8pi<$RmyuRkbe6y0S6hZC`nKVTB@N!{_q2jhC(0%+FJBeA}Av_cmki4c8^v z%l~=Y5jr=kcbfEi3Aekm7hCSXvujhO(*CP%M;IbEtyGSP@^gLH-)+=q&83nkyK<7V z-YK4^!g((xHg%*du0L~czDs1;+3lbB&euE2f6C%u7b_ab z8^{9VQ;L#2P_HFNK_XT57<`d`{|L0fzMM1vkj z8M6}-XJ39cY>@R)+NtvCXvn-S`gL|~?wzEG{-mhj_p zVu7vGN)t71ZQXKkZ-QmTH^#D~6Q5tYz$WG_92*u`eb1F6`ll$X*K0S=yM;F@H*)mI zzG%{z%yOymdZSFuoheqWyF{BFX9hj)-ao@?{^zT*J~Q16O799U_uOk3cQnSR^3Kl> YlQw4@<;px2Gp$_wbjZ!(2V3p{0B8Pf1poj5 literal 838 zcmezO_TO6u1_mY|W(3o0$%#ez`6WPZ#ozERfefq>dZq@J3=GWd22IS&22G5w7cet1 zGBJq=GyIebTPh>A^V7XjMSh`l(~>{j2E1&XT5TR}-+37sxmg(u1P%FtLd>Bo%sgz) zjzK_k4dldmjSLM;jEoJ;3@nU{qQrTPL0m&97n_zQMkQo}8Ce;an;7{SfNtSpYGPz$ z*tJ5Zi%;On(f9dE0-K%piL8)&?z~D;e9|_@|1E;gd^UCV8K>`>Z>y(}kbJ~^zsZY3 z;a6LuB4!wTnD^I^jrl|Lndc8J@?LUOJfA3i*Cvm_vWV{)tIxh~txB=afBqEZnZ{+Z zfBghj^Xc~M<{k}qisUU&Iq*(TsN{5>bLZa;2GQ=JS}IQ*1Z@^@=k4k3%sF?0MS*A5 z1p`}|662^73tyg|^<{3@qbo-gob6wq|L!SV!yX~U^!i&T*MrdFxG7}{=LMGcL>~!Q zSMFiY8+kADq8)>k=B$Z|-`gf`_ByQQ+j&GOt39gsTGIP<0-_F=ZU_7>|B$=x(60jh z_IW;j8EG3_teKb@85kD_8w4820>fICk420{M9qJ(JxjZFX~oKyB{jc_1rG&pDKwA= zNh`BR7>G4sSHKTaAk4`4pM}+c8Au@qJ1{*UJ(I&)WM$eSgOL zxbC~2omEGNL7_;*qayR0%A4n#pIFcRx@OJMCjrtgQg*G`Dz!NOoUUbm<&(P}Q_q&n zujj5`f5gDzL6q~_i3UuEQ$5a|&`J*zlUAKt-Tf?lPU)69H@S~{V-Lk$64E}nQ1W81 z#YfhCowGvT^zHAw{=WK+_pZn_tFvNuN=Ak~w@I$p_q>NMljr*qn@_VGzL%LVxHNAT zXVK2hK`E?Pg)~pFXZ%k7vZw#%!>D@4M@7<0n1aG{Z*!gee@952S-e`mG57L{WnLPU zTp5!}dDP~3US~bt|7KopZs|IC-}6V=|Md$LzpdYQasFcQvjLoq4>K12=DOu_H_kI; P&Afz-AH%LKe`W&!0!vD_ 
diff --git a/pulsar-broker/src/test/resources/authentication/keystoretls/client.truststore.nopassword.jks b/pulsar-broker/src/test/resources/authentication/keystoretls/client.truststore.nopassword.jks new file mode 100644 index 0000000000000000000000000000000000000000..363fafab6be7a54925a2aefdd108509b785a5f80 GIT binary patch literal 971 zcmezO_TO6u1_mY|W(3n*B}JvhCB-HAMX5lcHqTHNeg@VEJyQcq1_tI1gC^z{gC?e& z1njW}v;d`&is&7g!&3dR zmy+8)YkF?enVY4z{(&ARtNF6tLxth(&*snQtdZp2=h`mfxZHNb+4;W9cr>@o(W<$v z#P({|z8pi<$RmyuRkbe6y0S6hZC`nKVTB@N!{_q2jhC(0%+FJBeA}Av_cmki4c8^v z%l~=Y5jr=kcbfEi3Aekm7hCSXvujhO(*CP%M;IbEtyGSP@^gLH-)+=q&83nkyK<7V z-YK4^!g((xHg%*du0L~czDs1;+3lbB&euE2f6C%u7b_ab z8^{9VQ;L#2P_HFNK_XT57<`d`{|L0fzMM1vkj z8M6}-XJ39cY>@R)+NtvCXvn-S`gL|~?wzEG{-mhj_p zVu7vGN)t71ZQXKkZ-QmTH^#D~6Q5tYz$WG_92*u`eb1F6`ll$X*K0S=yM;F@H*)mI zzG%{z%yOymdZSFuoheqWyF{BFX9hj)-ao@?{^zT*J~Q16O799U_uOk3cQnSR^3HZ{ X729dnmzGcDGmI50%m zF+{j9M7R+m!UlpMlbMCNAkHi;PAxJ}5a%^AHZU?YHZV0cGB%2m;5RY^3K$w0Kn3XU zq$WlsH^eBWg}n%m}R)!bHMdo^ocj-hJg z5yy$DS{G(r*_iOQuROf4LXolIb9vmx%hqe==P5Y8ZB6)lo3ZzX>yqr{|2*ypotxD= zO?thA+uhlVE%)EqwW(5R|5djm43V2wDn~^5xxVY~HtMtHQc09uImub?6wg!Pyq6N2 zI#L$bpSd^RC9>@7_D_80>mB94=t_uvxU)h^a^**>-v3O@j0}v66%FJKWP$N1%f}+d zBGMM1YCC=Jy_`hHs%h%tk6v3Y)Ovs%h`_W33`9nT1>aj6`xfXcWhU*|T)gMaj;-Q* z+UwM$f{jC(buY*M2${4k@^X=((m(T>xp&*M-nB9PFKxM?t-XGtL64)1*$IiWFFzYL z$oeSlRQYr?WL}qjPNCuMfXTKCRNqux83S{A#rL;_;ES0z}9J{i5j=I zZaKI&!Ls5TW7*M(&o5nI6LS`h4GXNk=gJZNQQ zQKsh36sy)#>2b@(|3ySh9Dxta5 z0Fg`UfVs2^m`jsjxpd;9&>3p}7v#`F(jW_#CuxvN`3!gi|Q=9WQQ*f4Sx|CFR)D zB@-j3D^C7<*KYBYxFceVu2japTzf&BXZEDd=Y{)~AI)L4^UGO#Ez$6Xy=Awcu&S)V zQdI-bOouC>mvaBgW6PV{`tF}BD7q@1Hb?ZsQsdH9>L&x1qNONs-ZU#%Zd&QUu|oWF zQ_b}&OI|ogdRy6cUS4@bI3%9)LEN!Lu@jGfmh+CAohE81uDr`%Iq8g6gs4dB-)Ghu zM|d7Ab?ds#a4)L)x=!L#hy4z-p6I^FEZ@D3y-iq8G(+yX|CjY<)fHY3?(*Gq4>)zB zd$ra)CRWEc7RIyI1jJ5s-OoBp-BytE`XtS)6CV~OGADb@OFS0nocj1PtKp)VmTxWw z20Z1S@li_U4$F)9^L~~Mw~oFr=d+l-W`P;|-pxl(i7oxh|L#u>|L1L5xbu)ugk6ON3z59Vue@VB{e0#td6vgrO 
Zx8`3syLB6TaPH})I}R`O2y{Br4**4~?o-{(2sXLo&f9Rvb__XPY~ z(C~<`nAp84+1eS<2Z5jfmJH!x5&S~x`~U<{1B(Fw6a*ndSYz!^D;aNelr_rp%dOSF z`;6uq|G7elU#q^<^x+2}vbZ)$p7pI7QcmhxPv}%#`@S})krmXJKa02+L1^99#kKiF zz-4Gr5ig%c9CN7`i0$5Sf;f@tgfVlO>pT3t=!`U?u?x?mWS&>(UZ00_c5;v*YzK(A z1vuC5AM2?pDWCn`(th){4rHD9w21Qb!p)($c-YwYe!CSp4GeAiszcP?Tta_w%1;KdK}R9 zJGzH+w#oxPUpSvnd>5H#&$BR*z-DGYARaP652$EF0sBgAEAUS9HG#E@5i@B+M4J$k!ia9?V=C)llk7 z4ln5L<;!2L;TYz+ttv@z|9g)ecDpsI@yw8 zXs)B|?b3f)csZwyU?Ol=(0oOqES!ToO@9$-$XvQmV^x=5K=l=A*E#JTU``v2W?U^I z?<)Qp3SU~Zt9R*ZQR$-f{0M9}i$WAjy5i_`%x#Kik*BD-Cr@f888r03C6^GOc-<+Q zdRLq-<=;w~M?xF3!UB$FDGxRp|BzK2g5z6)K9$GR2ab_gHh!C|fk$ZulhyYcF5`y! zsdwM1o;c#nsS#O>)R+;Il=GoUvd;dY(zYT@nJ9ua8=1udhvD)1jkg}TmQB0z$JZo7 zDARR>O;0bFN2z{uzq><7TtzK29PLu4!$jrES29BlRm9!e)H$bo`&nw31-G0yHf9*p zL|x>n#dob$N%SRE*?hb@&0wRB$&zanXzzDk=_a)qVcMR{BzjOIQZj%dVf@V zq9>}drj#B(TRkjvCSSU)TcRN6?|c zZ$%RbXP#x8^!+8yktFXb>({@#PjJ%D=TF{{MYgRu9--|X_D*RP?;lq9j=O@ze7W zim4Q}_HgidvS8s(E{!sitGVoY)V1T(oq@Csn@}{f$Kcya=81(VmZW@L!r(bevzhln zF$Bx#4X!}Zx1DwL#;KS|88TM2fmBwg>y-S)&q&Pu0qKU-M|puGiPH8B@x#4evE?6p zD(zhv;AhKE`FloCE9|NIBUf-?<{a(A$t|Z7B-!i8^tWMHrX#Z~u;$)^MBH-#5f*`|4Ox{1F!(=#)n<@=5 z3`Edh(h6bua=(4`X5{hN6VVcmC^`T63t2f{F!|s)IXXIntR{a9a_i)1mY+)5D1OX` zA~*MX{Mzg^=ybDiL+OH?gGO(hV_s}y;_QH>)rC6F7yq=04834~J!IM6x#+5)i!}g& z_!6*WzBnuy>{G}G2Ebq#D4pt@t>o|#g%#n4sU@FE=86D-FcgFh(%QEdn|#g?esKY3 zQZOkjn)F{H_!ANMi3t5fg#SknSops>^NIf**H|=CL>q_I*1}~}h!uk*EBK-Zq(-flxx zl8Rc!ZVI^~`qyh0KE;dQtS8t5+!o^^(N#9w%=bxls%_fw!Ga1Pl;k(xTL$kOI6#1; zKXE0z0_7GcB@UM@+NBh&=NC*I6uNdDi9C9WMd|icY3%S<-m#iK7TDFsC_E`)>As5B zQhc>Mj^vD-%=BX{mZZC7DL&*)n-phywM$WlV?9~bACd69jFhEI^h5JcpeFVq)guJ0 zvEv4*V&aDtu%(Bw))!5Ood-jC2f%y)2q;#>9>6N>ZBYRMk%CAxq|J7PM|?sOpGbZ! 
z#YH_;?!uS;)5N`t+A|RV>4lf;#+nLNAlc;j(czM1QyE)BdU)^66D`m6Y)3F^yE(;d7;ycP2qI?v&AA2#cn4)7;NTmM=!Xt`SHU z*N_ZEjXH2@^{&R)%uOT4t?=DrsWi0$Fw|`AC@!}O@0o5vhvq69i@`=SRD<4sr4smj zZ3+ks#}obwY^WAB$6#&15x*#${Y@4#1zGm)w>P*k(Xp(LIGR^gs3*|!qN7`?lqb5e z6EDhcu$J+@R*JrLr4w8c(86$Q*>;O;ilpb#U(JNdTRT&QL i{P+#1@^3FkmCk+N@SMCpqT;2;PwtGsG|-N-8vg?A72!Sr literal 0 HcmV?d00001 diff --git a/pulsar-broker/src/test/resources/authentication/keystoretls/proxy.truststore.jks b/pulsar-broker/src/test/resources/authentication/keystoretls/proxy.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..0e13895b1c21d47158ef56c67a8e02b54fa79b5f GIT binary patch literal 971 zcmezO_TO6u1_mY|W(3n*B}JvhCB-HAMX5lcHqTJjN(R;lJyQcq1_tI1gC^z{gC?e& z1njW}v;d`&is&7g!&3dR zmy+8)YkF?enVY4z{(&ARtNF6tLxth(&*snQtdZp2=h`mfxZHNb+4;W9cr>@o(W<$v z#P({|z8pi<$RmyuRkbe6y0S6hZC`nKVTB@N!{_q2jhC(0%+FJBeA}Av_cmki4c8^v z%l~=Y5jr=kcbfEi3Aekm7hCSXvujhO(*CP%M;IbEtyGSP@^gLH-)+=q&83nkyK<7V z-YK4^!g((xHg%*du0L~czDs1;+3lbB&euE2f6C%u7b_ab z8^{9VQ;L#2P_HFNK_XT57<`d`{|L0fzMM1vkj z8M6}-XJ39cY>@R)+NtvCXvn-S`gL|~?wzEG{-mhj_p zVu7vGN)t71ZQXKkZ-QmTH^#D~6Q5tYz$WG_92*u`eb1F6`ll$X*K0S=yM;F@H*)mI zzG%{z%yOymdZSFuoheqWyF{BFX9hj)-ao@?{^zT*J~Q16O799U_uOk3cQnSR@(!1e XzeQq9k7D@MBHn+Q{(@?=OQrw-xX@_- literal 0 HcmV?d00001 diff --git a/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyAuthenticatedProducerConsumerTest.java b/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyAuthenticatedProducerConsumerTest.java index 622cc7dc35f59a..b6985400c81a16 100644 --- a/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyAuthenticatedProducerConsumerTest.java +++ b/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyAuthenticatedProducerConsumerTest.java @@ -23,6 +23,7 @@ import com.google.common.collect.Sets; +import java.util.Collections; import java.util.HashSet; import java.util.Map; import java.util.Optional; 
@@ -57,9 +58,17 @@ public class ProxyAuthenticatedProducerConsumerTest extends ProducerConsumerBase { private static final Logger log = LoggerFactory.getLogger(ProxyAuthenticatedProducerConsumerTest.class); + // Root for both proxy and client certificates private final String TLS_TRUST_CERT_FILE_PATH = "./src/test/resources/authentication/tls/cacert.pem"; - private final String TLS_SERVER_CERT_FILE_PATH = "./src/test/resources/authentication/tls/server-cert.pem"; - private final String TLS_SERVER_KEY_FILE_PATH = "./src/test/resources/authentication/tls/server-key.pem"; + + // Borrow certs for broker and proxy from other test + private final String TLS_PROXY_CERT_FILE_PATH = "./src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem"; + private final String TLS_PROXY_KEY_FILE_PATH = "./src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-key.pem"; + private final String TLS_BROKER_TRUST_CERT_FILE_PATH = "./src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cacert.pem"; + private final String TLS_BROKER_CERT_FILE_PATH = "./src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem"; + private final String TLS_BROKER_KEY_FILE_PATH = "./src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-key.pem"; + + // This client cert is a superUser, so use that one private final String TLS_CLIENT_CERT_FILE_PATH = "./src/test/resources/authentication/tls/client-cert.pem"; private final String TLS_CLIENT_KEY_FILE_PATH = "./src/test/resources/authentication/tls/client-key.pem"; 
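Review bot: The new TLS_PROXY_*/TLS_BROKER_* constants reach into another test's fixture directory (`.../tls/ProxyWithAuthorizationTest/...`), so this test now silently depends on that cert set, including whatever identity `proxy-cert.pem` carries, which presumably has to map to the `"Proxy"` role that setup() later registers in proxyRoles; regenerating those fixtures elsewhere would break this test with no change visible here. I would replace the "Borrow certs" comment with one that states the contract: `// Reuses ProxyWithAuthorizationTest fixtures: proxy-cert.pem must authenticate as role "Proxy" (see proxyRoles in setup) and broker-cert.pem must chain to broker-cacert.pem.` The role-mapping requirement is inferred from the role names used in this patch, not from the hunk, so confirm against the certificate's subject. The enclosing class continues past the hunk boundary.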
@@ -78,20 +87,23 @@ protected void setup() throws Exception { conf.setBrokerServicePortTls(Optional.of(0)); conf.setWebServicePortTls(Optional.of(0)); conf.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH); - conf.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH); - conf.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH); - conf.setTlsAllowInsecureConnection(true); + conf.setTlsCertificateFilePath(TLS_BROKER_CERT_FILE_PATH); + conf.setTlsKeyFilePath(TLS_BROKER_KEY_FILE_PATH); + conf.setTlsAllowInsecureConnection(false); conf.setNumExecutorThreadPoolSize(5); Set superUserRoles = new HashSet<>(); superUserRoles.add("localhost"); superUserRoles.add("superUser"); + superUserRoles.add("Proxy"); conf.setSuperUserRoles(superUserRoles); + conf.setProxyRoles(Collections.singleton("Proxy")); conf.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName()); conf.setBrokerClientAuthenticationParameters( - "tlsCertFile:" + TLS_CLIENT_CERT_FILE_PATH + "," + "tlsKeyFile:" + TLS_SERVER_KEY_FILE_PATH); - conf.setBrokerClientTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH); + "tlsCertFile:" + TLS_CLIENT_CERT_FILE_PATH + "," + "tlsKeyFile:" + TLS_CLIENT_KEY_FILE_PATH); + conf.setBrokerClientTrustCertsFilePath(TLS_BROKER_TRUST_CERT_FILE_PATH); + conf.setBrokerClientTlsEnabled(true); Set providers = new HashSet<>(); providers.add(AuthenticationProviderTls.class.getName()); conf.setAuthenticationProviders(providers); @@ -102,7 +114,6 @@ protected void setup() throws Exception { // start proxy service proxyConfig.setAuthenticationEnabled(true); - proxyConfig.setAuthenticationEnabled(true); proxyConfig.setServicePort(Optional.of(0)); proxyConfig.setBrokerProxyAllowedTargetPorts("*"); 
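Review bot: `superUserRoles.add("Proxy")` next to `conf.setProxyRoles(Collections.singleton("Proxy"))` makes the proxy both a proxy role and a super user, so this test cannot show that the new proxy-role requirement for originalPrincipal is what admits the proxied client rather than super-user status. If the proxy only needs to look up and forward, consider dropping the super-user grant and relying on proxyRoles alone; if super-user is genuinely required for the lookup path in this setup, say so: `// "Proxy" is also a super user only so the proxy can perform lookups; proxyRoles is what lets it forward originalPrincipal.` Whether a proxy role still needs super-user for lookups here is not decidable from the hunk, so verify against AuthorizationService before choosing. setup() continues past the hunk boundary.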
@@ -110,16 +121,18 @@ protected void setup() throws Exception { proxyConfig.setWebServicePort(Optional.of(0)); proxyConfig.setWebServicePortTls(Optional.of(0)); proxyConfig.setTlsEnabledWithBroker(true); + // Setting advertised address to localhost to avoid hostname verification failure + proxyConfig.setAdvertisedAddress("localhost"); // enable tls and auth&auth at proxy - proxyConfig.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH); - proxyConfig.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH); + proxyConfig.setTlsCertificateFilePath(TLS_PROXY_CERT_FILE_PATH); + proxyConfig.setTlsKeyFilePath(TLS_PROXY_KEY_FILE_PATH); proxyConfig.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH); proxyConfig.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName()); proxyConfig.setBrokerClientAuthenticationParameters( - "tlsCertFile:" + TLS_CLIENT_CERT_FILE_PATH + "," + "tlsKeyFile:" + TLS_CLIENT_KEY_FILE_PATH); - proxyConfig.setBrokerClientTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH); + "tlsCertFile:" + TLS_PROXY_CERT_FILE_PATH + "," + "tlsKeyFile:" + TLS_PROXY_KEY_FILE_PATH); + proxyConfig.setBrokerClientTrustCertsFilePath(TLS_BROKER_TRUST_CERT_FILE_PATH); proxyConfig.setAuthenticationProviders(providers); proxyConfig.setMetadataStoreUrl(DUMMY_VALUE); 
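Review bot: The proxy-to-broker leg is now authenticated with a dedicated proxy cert and trusts `TLS_BROKER_TRUST_CERT_FILE_PATH`, but nothing in the hunk turns on hostname verification for that leg, while the commit flips the client and admin sides to `enableTlsHostnameVerification(true)`; if the proxy default is off, any certificate chaining to broker-cacert.pem is accepted regardless of host. The added comment on `setAdvertisedAddress("localhost")` says it is there to avoid a hostname verification failure, which suggests the intent is that hostnames are checked, so I would make that explicit with `proxyConfig.setTlsHostnameVerificationEnabled(true);` next to `setTlsEnabledWithBroker(true)`, assuming ProxyConfiguration exposes that setter (not visible here). setup() continues past the hunk boundary.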
@@ -207,10 +220,11 @@ public void testTlsSyncProducerAndConsumer() throws Exception { } protected final PulsarClient createPulsarClient(Authentication auth, String lookupUrl) throws Exception { - admin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrlTls.toString()).tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH) - .allowTlsInsecureConnection(true).authentication(auth).build()); + admin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrlTls.toString()) + .tlsTrustCertsFilePath(TLS_BROKER_TRUST_CERT_FILE_PATH) + .enableTlsHostnameVerification(true).authentication(auth).build()); return PulsarClient.builder().serviceUrl(lookupUrl).statsInterval(0, TimeUnit.SECONDS) - .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(true).authentication(auth) + .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH).enableTlsHostnameVerification(true).authentication(auth) .enableTls(true).build(); } diff --git a/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationNegTest.java b/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationNegTest.java index 0fad961ba2110d..23138929c84b50 100644 --- a/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationNegTest.java +++ b/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationNegTest.java @@ -22,6 +22,7 @@ import com.google.common.collect.Sets; +import java.util.Collections; import java.util.HashSet; import java.util.Map; import java.util.Optional; @@ -91,6 +92,7 @@ protected void setup() throws Exception { Set superUserRoles = new HashSet<>(); superUserRoles.add("superUser"); conf.setSuperUserRoles(superUserRoles); + conf.setProxyRoles(Collections.singleton("Proxy")); conf.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName()); conf.setBrokerClientAuthenticationParameters( 
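Review bot: createPulsarClient still assigns a freshly built `PulsarAdmin` into the `admin` field as a side effect, and nothing in the hunk closes the previous instance, so a test that calls this helper more than once leaks the earlier admin's HTTP client; whether cleanup closes the last one is outside the hunk. Since these lines are already being touched, I would close any prior instance before reassigning, `if (admin != null) { admin.close(); }`, or move admin construction out of a method whose name promises only a PulsarClient. The two builders now trust different roots, which deserves a comment: `// admin talks to the broker directly (broker CA); the client goes through the proxy, whose cert chains to TLS_TRUST_CERT_FILE_PATH`. That reading follows from the constant names; the lookupUrl callers actually pass is outside the hunk.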
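Review bot: In ProxyWithAuthorizationNegTest the new `conf.setProxyRoles(Collections.singleton("Proxy"))` only has effect if the role the proxy authenticates with is exactly `"Proxy"`; the proxy's own credentials are configured outside this hunk, so if they yield a different role the proxy is simply not treated as a proxy and the negative assertions pass for the wrong reason. I would hoist the literal into a constant shared with the proxy-side configuration, `private static final String PROXY_ROLE = "Proxy";`, and add a comment tying it to the fixture that produces that role, as ProxyWithJwtAuthorizationTest already does with its PROXY_ROLE field. A positive-path check that a proxied request with a valid original principal succeeds would also guard against the role mismatch. setup() continues past the hunk boundary.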
diff --git a/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithJwtAuthorizationTest.java b/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithJwtAuthorizationTest.java index 07b71530b53a6c..0775722d504e05 100644 --- a/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithJwtAuthorizationTest.java +++ b/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithJwtAuthorizationTest.java @@ -22,11 +22,15 @@ import com.google.common.collect.Sets; -import java.util.*; -import java.util.concurrent.TimeUnit; - import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; +import java.util.Base64; +import java.util.Collections; +import java.util.HashSet; +import java.util.Optional; +import java.util.Set; +import java.util.concurrent.TimeUnit; +import javax.crypto.SecretKey; import org.apache.pulsar.broker.authentication.AuthenticationProviderToken; import org.apache.pulsar.broker.authentication.AuthenticationService; import org.apache.pulsar.broker.authentication.utils.AuthTokenUtils; @@ -49,7 +53,7 @@ import javax.crypto.SecretKey; public class ProxyWithJwtAuthorizationTest extends ProducerConsumerBase { - private static final Logger log = LoggerFactory.getLogger(ProxyWithAuthorizationTest.class); + private static final Logger log = LoggerFactory.getLogger(ProxyWithJwtAuthorizationTest.class); private final String ADMIN_ROLE = "admin"; private final String PROXY_ROLE = "proxy"; @@ -78,6 +82,7 @@ protected void setup() throws Exception { superUserRoles.add(PROXY_ROLE); superUserRoles.add(BROKER_ROLE); conf.setSuperUserRoles(superUserRoles); + conf.setProxyRoles(Collections.singleton(PROXY_ROLE)); conf.setBrokerClientAuthenticationPlugin(AuthenticationToken.class.getName()); conf.setBrokerClientAuthenticationParameters(BROKER_TOKEN);