Use of io.confluent.ksql.api.auth.SystemAuthenticationHandler in project ksql by confluentinc.
Class AuthHandlers, method setupAuthHandlers.
/**
 * Registers the authentication and authorization handlers for one listener on the given router.
 *
 * <p>Registration order, as written here:
 * <ol>
 *   <li>the {@link SystemAuthenticationHandler}, when {@code getSystemAuthenticationHandler}
 *       returns one for this listener;</li>
 *   <li>only if a JAAS handler or an authentication plugin is configured: the pause handler,
 *       the wrapped JAAS/plugin authentication handler, the authorization-provider handler
 *       (when the security extension supplies a provider), and the resume handler.</li>
 * </ol>
 *
 * <p>NOTE(review): the authorization-provider handler is registered only inside the
 * JAAS/plugin branch. With neither configured, this method adds no authorization handler even
 * if the security extension offers a provider; confirm that this is the intended policy.
 *
 * @param server the server whose configuration, plugin and security extension are consulted
 * @param router the router that receives the handlers
 * @param isInternalListener whether the router serves the internal listener
 */
static void setupAuthHandlers(final Server server, final Router router, final boolean isInternalListener) {
  final Optional<AuthHandler> jaas = getJaasAuthHandler(server);
  final KsqlSecurityExtension extension = server.getSecurityExtension();
  final Optional<AuthenticationPlugin> plugin = server.getAuthenticationPlugin();
  final Optional<Handler<RoutingContext>> pluginAuth =
      plugin.map(p -> new AuthenticationPluginHandler(server, p));

  // The system handler goes on the router first, ahead of any user-facing authentication.
  final Optional<SystemAuthenticationHandler> systemAuth =
      getSystemAuthenticationHandler(server, isInternalListener);
  if (systemAuth.isPresent()) {
    router.route().handler(systemAuth.get());
  }

  // No JAAS handler and no plugin: nothing else is registered by this method.
  if (!jaas.isPresent() && !plugin.isPresent()) {
    return;
  }

  // presumably pause/resume bracket the auth handlers so the request is held while they
  // run; the two handlers are defined elsewhere in AuthHandlers, so confirm there
  router.route().handler(AuthHandlers::pauseHandler);
  router.route().handler(rc -> wrappedAuthHandler(rc, jaas, pluginAuth));

  // Authorization uses the provider configured through the security extension, if any.
  extension.getAuthorizationProvider().ifPresent(provider -> {
    router.route().handler(
        new KsqlAuthorizationProviderHandler(server.getWorkerExecutor(), provider));
  });

  router.route().handler(AuthHandlers::resumeHandler);
}
Use of io.confluent.ksql.api.auth.SystemAuthenticationHandler in project ksql by confluentinc.
Class AuthHandlers, method getSystemAuthenticationHandler.
/**
 * Returns a {@link SystemAuthenticationHandler} when the configuration allows one to be
 * installed on the listener being set up.
 *
 * <p>All of the following must hold:
 * <ul>
 *   <li>{@code KsqlRestConfig.INTERNAL_LISTENER_CONFIG} is set;</li>
 *   <li>the scheme of that configured listener is {@code https} (compared case-insensitively);</li>
 *   <li>client authentication for the internal listener is {@code ClientAuth.REQUIRED};</li>
 *   <li>{@code isInternalListener} is {@code true}.</li>
 * </ul>
 *
 * <p>The intent is that such requests arrive over mutually authenticated SSL from a known set
 * of servers in the cluster, and on the internal listener, so they act with the authorization
 * of the system rather than directly on behalf of a user. Mutual auth is only enforced when
 * SSL is used, hence the {@code https} requirement.
 *
 * <p>NOTE(review): every check here reads server configuration; nothing in this method
 * inspects an individual connection or its client certificate. Whatever trust the installed
 * handler grants therefore depends on the TLS layer actually enforcing client certificates
 * for this listener; confirm that where the listener is created.
 *
 * @param server the server on which the handler may be installed
 * @param isInternalListener whether the handler is being considered for the internal listener
 * @return the handler if every requirement is met, otherwise an empty {@code Optional}
 * @throws IllegalArgumentException if the configured internal listener is not a valid URI
 *     (thrown by {@link URI#create(String)})
 */
private static Optional<SystemAuthenticationHandler> getSystemAuthenticationHandler(final Server server, final boolean isInternalListener) {
  final String configuredListener =
      server.getConfig().getString(KsqlRestConfig.INTERNAL_LISTENER_CONFIG);
  if (configuredListener == null) {
    return Optional.empty();
  }

  // A listener value without a scheme yields null here, which fails the https test below.
  final String listenerScheme = URI.create(configuredListener).getScheme();

  final boolean clientCertRequired =
      server.getConfig().getClientAuthInternal() == ClientAuth.REQUIRED;
  final boolean listenerUsesTls = "https".equalsIgnoreCase(listenerScheme);

  if (!(clientCertRequired && listenerUsesTls && isInternalListener)) {
    // Fall back on other authentication methods.
    return Optional.empty();
  }
  return Optional.of(new SystemAuthenticationHandler());
}