未验证 提交 71338727 编辑于 作者: Arvind Thirunarayanan's avatar Arvind Thirunarayanan 提交者: GitHub

AUTHN-1074: Support hierarchy for provider/pool (#6967)

上级 0ddff137
......@@ -28,13 +28,17 @@ public class ConfluentCloudCrnAuthority extends ConfluentServerCrnAuthority {
case ORGANIZATION_TYPE:
case ENVIRONMENT_TYPE:
case CLOUD_CLUSTER_TYPE:
case IDENTITY_PROVIDER_TYPE:
// Because path elements are strings, we include the type in the string
// to facilitate roles that define path-based scope levels
return element.resourceType() + PATH_TYPE_SEPARATOR + element.encodedResourceName();
default:
throw new CrnSyntaxException(element.toString(),
String.format("Path element must be %s, %s or %s",
ORGANIZATION_TYPE, ENVIRONMENT_TYPE, CLOUD_CLUSTER_TYPE));
String.format("Path element must be %s, %s, %s or %s",
ORGANIZATION_TYPE,
ENVIRONMENT_TYPE,
CLOUD_CLUSTER_TYPE,
IDENTITY_PROVIDER_TYPE));
}
}
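Review bot: The list of path-scoped types is now maintained by hand in three switch statements that must agree — this one, the parsing switch in the next hunk of this file (`case IDENTITY_PROVIDER_TYPE: builder.addElement(IDENTITY_PROVIDER_TYPE, parts[1]);`) and the `scopeBuilder.addPath(resolvePathElement(e))` switch in ConfluentServerCrnAuthority — plus two hand-edited `String.format` messages, which is why one new type touched five places in this commit. A single `static final Set<String> PATH_SCOPE_TYPES` on the authority, used for both the membership check and the error text (`String.format("Path element must be one of %s", PATH_SCOPE_TYPES)`), would keep the parser and the scope resolver from drifting; a type accepted by one switch and rejected by another yields CRNs that parse but never resolve to a scope, or the reverse. The enclosing method starts outside the hunk.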
......@@ -56,10 +60,16 @@ public class ConfluentCloudCrnAuthority extends ConfluentServerCrnAuthority {
case CLOUD_CLUSTER_TYPE:
builder.addElement(CLOUD_CLUSTER_TYPE, parts[1]);
break;
case IDENTITY_PROVIDER_TYPE:
builder.addElement(IDENTITY_PROVIDER_TYPE, parts[1]);
break;
default:
throw new CrnSyntaxException(pathElement,
String.format("Path element must be %s, %s or %s",
ORGANIZATION_TYPE, ENVIRONMENT_TYPE, CLOUD_CLUSTER_TYPE));
String.format("Path element must be %s, %s, %s or %s",
ORGANIZATION_TYPE,
ENVIRONMENT_TYPE,
CLOUD_CLUSTER_TYPE,
IDENTITY_PROVIDER_TYPE));
}
}
}
......
......@@ -40,12 +40,14 @@ public class ConfluentServerCrnAuthority implements CrnAuthority, Configurable {
public static final String KSQL_CLUSTER_TYPE = "ksql";
public static final String CONNECT_CLUSTER_TYPE = "connect";
public static final String SCHEMA_REGISTRY_CLUSTER_TYPE = "schema-registry";
public static final String IDENTITY_PROVIDER_TYPE = "identity-provider";
// These are the strings that appear as keys in the Scope clusters map
public static final String KAFKA_CLUSTER_KEY = "kafka-cluster";
public static final String KSQL_CLUSTER_KEY = "ksql-cluster";
public static final String CONNECT_CLUSTER_KEY = "connect-cluster";
public static final String SCHEMA_REGISTRY_CLUSTER_KEY = "schema-registry-cluster";
public static final String IDENTITY_PROVIDER_KEY = "identity-provider";
// These are the strings that appear as ResourceTypes in RBAC
public static final String ORGANIZATION_RESOURCE_TYPE = "Organization";
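Review bot: `IDENTITY_PROVIDER_KEY` is given the same string as `IDENTITY_PROVIDER_TYPE` (`"identity-provider"`), unlike every other type/key pair in this block (`kafka` vs `kafka-cluster`), and the comment above it says these keys appear in the Scope clusters map, while the later hunk at `scopeBuilder.addPath(resolvePathElement(e))` treats the identity provider as a path element. If both representations are live, the same provider could be encoded either as a path element or as a clusters-map entry, and a role binding matched against one form would not match the other; the hunk does not show which form the scope builder actually emits, so this may be intentional. A one-line comment on the new key stating whether identity-provider is expected in the clusters map, on the path, or both would settle it, and if it is never a clusters-map key the entry added to `SCOPE_KEY_BY_TYPE` (and therefore to `CLUSTER_TYPE_BY_KEY`) in the later hunk should probably be dropped. The same entry is also added at `Utils.mkEntry(IDENTITY_PROVIDER_TYPE, IDENTITY_PROVIDER_RESOURCE_TYPE)`.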
......@@ -56,12 +58,14 @@ public class ConfluentServerCrnAuthority implements CrnAuthority, Configurable {
// These are extrapolated from the strings that appear as ResourceTypes in RBAC
public static final String CONNECT_CLUSTER_RESOURCE_TYPE = "ConnectCluster";
public static final String SCHEMA_REGISTRY_RESOURCE_TYPE = "SchemaRegistry";
public static final String IDENTITY_PROVIDER_RESOURCE_TYPE = "IdentityProvider";
public static final Set<String> SCOPE_RESOURCE_TYPES =
Utils.mkSet(
ORGANIZATION_RESOURCE_TYPE, ENVIRONMENT_RESOURCE_TYPE, CLOUD_CLUSTER_RESOURCE_TYPE,
KAFKA_CLUSTER_RESOURCE_TYPE, KSQL_CLUSTER_RESOURCE_TYPE,
CONNECT_CLUSTER_RESOURCE_TYPE, SCHEMA_REGISTRY_RESOURCE_TYPE);
CONNECT_CLUSTER_RESOURCE_TYPE, SCHEMA_REGISTRY_RESOURCE_TYPE,
IDENTITY_PROVIDER_RESOURCE_TYPE);
public static final Map<String, String> SCOPE_KEY_BY_TYPE =
Utils.mkMap(
......@@ -71,7 +75,8 @@ public class ConfluentServerCrnAuthority implements CrnAuthority, Configurable {
Utils.mkEntry(KAFKA_CLUSTER_TYPE, KAFKA_CLUSTER_KEY),
Utils.mkEntry(KSQL_CLUSTER_TYPE, KSQL_CLUSTER_KEY),
Utils.mkEntry(CONNECT_CLUSTER_TYPE, CONNECT_CLUSTER_KEY),
Utils.mkEntry(SCHEMA_REGISTRY_CLUSTER_TYPE, SCHEMA_REGISTRY_CLUSTER_KEY));
Utils.mkEntry(SCHEMA_REGISTRY_CLUSTER_TYPE, SCHEMA_REGISTRY_CLUSTER_KEY),
Utils.mkEntry(IDENTITY_PROVIDER_TYPE, IDENTITY_PROVIDER_KEY));
public static final Map<String, String> CLUSTER_TYPE_BY_KEY =
SCOPE_KEY_BY_TYPE.entrySet().stream()
......@@ -85,7 +90,8 @@ public class ConfluentServerCrnAuthority implements CrnAuthority, Configurable {
Utils.mkEntry(KAFKA_CLUSTER_TYPE, KAFKA_CLUSTER_RESOURCE_TYPE),
Utils.mkEntry(KSQL_CLUSTER_TYPE, KSQL_CLUSTER_RESOURCE_TYPE),
Utils.mkEntry(CONNECT_CLUSTER_TYPE, CONNECT_CLUSTER_RESOURCE_TYPE),
Utils.mkEntry(SCHEMA_REGISTRY_CLUSTER_TYPE, SCHEMA_REGISTRY_RESOURCE_TYPE));
Utils.mkEntry(SCHEMA_REGISTRY_CLUSTER_TYPE, SCHEMA_REGISTRY_RESOURCE_TYPE),
Utils.mkEntry(IDENTITY_PROVIDER_TYPE, IDENTITY_PROVIDER_RESOURCE_TYPE));
private String authorityName;
private int cacheCapacity;
......@@ -172,6 +178,7 @@ public class ConfluentServerCrnAuthority implements CrnAuthority, Configurable {
case ORGANIZATION_TYPE:
case ENVIRONMENT_TYPE:
case CLOUD_CLUSTER_TYPE:
case IDENTITY_PROVIDER_TYPE:
scopeBuilder.addPath(resolvePathElement(e));
lastElementIsScope = true;
break;
......
......@@ -24,7 +24,8 @@ DescribeAccess is debatable, leaving it for now.
"ksql-cluster": {}
},
"schema-registry-cluster": {}
}
},
"identity-provider": {}
}
}
},
......
......@@ -253,7 +253,8 @@ attached trust policy to validate tokens issued by an external identity provider
"ksql-cluster": {}
},
"schema-registry-cluster": {}
}
},
"identity-provider": {}
}
}
},
......
......@@ -17,7 +17,8 @@
"ksql-cluster": {}
},
"schema-registry-cluster": {}
}
},
"identity-provider": {}
}
}
},
......
......@@ -17,7 +17,8 @@
"ksql-cluster": {}
},
"schema-registry-cluster": {}
}
},
"identity-provider": {}
}
}
},
......
......@@ -204,7 +204,7 @@ public class RbacRolesTest {
public void testControlPlaneCloudRoles() {
RbacRoles rbacRoles = RbacRoles.loadDefaultPolicy(true);
assertEquals(7, rbacRoles.bindingScopes().size());
assertEquals(8, rbacRoles.bindingScopes().size());
assertEquals(37, rbacRoles.roles().size());
//Check CCloudRoleBindingAdmin Role
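Review bot: The updated assertion `assertEquals(8, rbacRoles.bindingScopes().size());` only checks that the binding-scope count grew by one; it would still pass if some other scope were added and the identity-provider scope were missing from the policy. Alongside the count, assert the new scope by name, e.g. `assertTrue(rbacRoles.bindingScopes().contains("identity-provider"));`, assuming `bindingScopes()` returns a collection of scope-name strings, which the hunk does not show. The same count-only change appears in the hunks for testDataPlanePlaneCloudRoles, testSDSCloudRoles, testSDSSchemaRegistryCloudRoles and testSDSKsqlCloudRoles. Each test method continues outside its hunk.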
......@@ -628,7 +628,7 @@ public class RbacRolesTest {
public void testDataPlanePlaneCloudRoles() {
RbacRoles rbacRoles = RbacRoles.loadDataPlanePolicy();
assertEquals(7, rbacRoles.bindingScopes().size());
assertEquals(8, rbacRoles.bindingScopes().size());
assertEquals(14, rbacRoles.roles().size());
//Check CCloudHealthChecker Role
......@@ -791,7 +791,7 @@ public class RbacRolesTest {
public void testSDSCloudRoles() {
RbacRoles rbacRoles = RbacRoles.loadSDSPolicy();
assertEquals(7, rbacRoles.bindingScopes().size());
assertEquals(8, rbacRoles.bindingScopes().size());
assertEquals(15, rbacRoles.roles().size());
// Check OrganizationAdmin Role
......@@ -964,7 +964,7 @@ public class RbacRolesTest {
public void testSDSSchemaRegistryCloudRoles() {
RbacRoles rbacRoles = RbacRoles.loadSDSSchemaRegistryPolicy();
assertEquals(7, rbacRoles.bindingScopes().size());
assertEquals(8, rbacRoles.bindingScopes().size());
assertEquals(13, rbacRoles.roles().size());
// Check OrganizationAdmin Role
......@@ -1115,7 +1115,7 @@ public class RbacRolesTest {
public void testSDSKsqlCloudRoles() {
RbacRoles rbacRoles = RbacRoles.loadSDSKsqlPolicy();
assertEquals(7, rbacRoles.bindingScopes().size());
assertEquals(8, rbacRoles.bindingScopes().size());
assertEquals(11, rbacRoles.roles().size());
// Check OrganizationAdmin Role
......