Search in sources :

Example 31 with KafkaListenerAuthenticationOAuth

use of io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth in project strimzi by strimzi.

the class KafkaBrokerConfigurationBuilder method configureOAuthPrincipalBuilderIfNeeded.

private void configureOAuthPrincipalBuilderIfNeeded(PrintWriter writer, List<GenericKafkaListener> kafkaListeners) {
    for (GenericKafkaListener listener : kafkaListeners) {
        if (listener.getAuth() instanceof KafkaListenerAuthenticationOAuth) {
            writer.println(String.format("principal.builder.class=%s", KafkaListenerAuthenticationOAuth.PRINCIPAL_BUILDER_CLASS_NAME));
            writer.println();
            return;
        }
    }
}
Also used : GenericKafkaListener(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener) KafkaListenerAuthenticationOAuth(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth)

Example 32 with KafkaListenerAuthenticationOAuth

use of io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth in project strimzi by strimzi.

the class KafkaBrokerConfigurationBuilder method configureAuthentication.

/**
 * Configures authentication for a Kafka listener. This method is used only internally.
 *
 * @param listenerName  Name of the listener as used in the Kafka broker configuration file.
 * @param securityProtocol  List of security protocols enabled int he broker. The method will add the security
 *                          protocol configuration for this listener to this list (e.g. SASL_PLAINTEXT).
 * @param tls   Flag whether this protocol is using TLS or not
 * @param auth  The authentication confgiuration from the Kafka CR
 */
private void configureAuthentication(String listenerName, List<String> securityProtocol, boolean tls, KafkaListenerAuthentication auth) {
    String listenerNameInProperty = listenerName.toLowerCase(Locale.ENGLISH);
    String listenerNameInEnvVar = listenerName.replace("-", "_");
    if (auth instanceof KafkaListenerAuthenticationOAuth) {
        securityProtocol.add(String.format("%s:%s", listenerName, getSecurityProtocol(tls, true)));
        KafkaListenerAuthenticationOAuth oauth = (KafkaListenerAuthenticationOAuth) auth;
        List<String> options = new ArrayList<>();
        options.addAll(getOAuthOptions(oauth));
        if (oauth.getClientSecret() != null) {
            options.add(String.format("oauth.client.secret=\"" + PLACEHOLDER_OAUTH_CLIENT_SECRET + "\"", listenerNameInEnvVar));
        }
        if (oauth.getTlsTrustedCertificates() != null && oauth.getTlsTrustedCertificates().size() > 0) {
            options.add(String.format("oauth.ssl.truststore.location=\"/tmp/kafka/oauth-%s.truststore.p12\"", listenerNameInProperty));
            options.add("oauth.ssl.truststore.password=\"" + PLACEHOLDER_CERT_STORE_PASSWORD + "\"");
            options.add("oauth.ssl.truststore.type=\"PKCS12\"");
        }
        StringBuilder enabledMechanisms = new StringBuilder();
        if (oauth.isEnableOauthBearer()) {
            writer.println(String.format("listener.name.%s.oauthbearer.sasl.server.callback.handler.class=io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler", listenerNameInProperty));
            writer.println(String.format("listener.name.%s.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required unsecuredLoginStringClaim_sub=\"thePrincipalName\" %s;", listenerNameInProperty, String.join(" ", options)));
            enabledMechanisms.append("OAUTHBEARER");
        }
        if (oauth.isEnablePlain()) {
            addOption(options, ServerPlainConfig.OAUTH_TOKEN_ENDPOINT_URI, oauth.getTokenEndpointUri());
            writer.println(String.format("listener.name.%s.plain.sasl.server.callback.handler.class=io.strimzi.kafka.oauth.server.plain.JaasServerOauthOverPlainValidatorCallbackHandler", listenerNameInProperty));
            writer.println(String.format("listener.name.%s.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required %s;", listenerNameInProperty, String.join(" ", options)));
            if (enabledMechanisms.length() > 0) {
                enabledMechanisms.append(",");
            }
            enabledMechanisms.append("PLAIN");
        }
        writer.println(String.format("listener.name.%s.sasl.enabled.mechanisms=%s", listenerNameInProperty, enabledMechanisms));
        if (oauth.getMaxSecondsWithoutReauthentication() != null) {
            writer.println(String.format("listener.name.%s.connections.max.reauth.ms=%s", listenerNameInProperty, 1000 * oauth.getMaxSecondsWithoutReauthentication()));
        }
        writer.println();
    } else if (auth instanceof KafkaListenerAuthenticationScramSha512) {
        securityProtocol.add(String.format("%s:%s", listenerName, getSecurityProtocol(tls, true)));
        writer.println(String.format("listener.name.%s.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;", listenerNameInProperty));
        writer.println(String.format("listener.name.%s.sasl.enabled.mechanisms=SCRAM-SHA-512", listenerNameInProperty));
        writer.println();
    } else if (auth instanceof KafkaListenerAuthenticationTls) {
        securityProtocol.add(String.format("%s:%s", listenerName, getSecurityProtocol(tls, false)));
        writer.println(String.format("listener.name.%s.ssl.client.auth=required", listenerNameInProperty));
        writer.println(String.format("listener.name.%s.ssl.truststore.location=/tmp/kafka/clients.truststore.p12", listenerNameInProperty));
        writer.println(String.format("listener.name.%s.ssl.truststore.password=%s", listenerNameInProperty, PLACEHOLDER_CERT_STORE_PASSWORD));
        writer.println(String.format("listener.name.%s.ssl.truststore.type=PKCS12", listenerNameInProperty));
        writer.println();
    } else if (auth instanceof KafkaListenerAuthenticationCustom) {
        KafkaListenerAuthenticationCustom customAuth = (KafkaListenerAuthenticationCustom) auth;
        securityProtocol.add(String.format("%s:%s", listenerName, getSecurityProtocol(tls, customAuth.isSasl())));
        KafkaListenerCustomAuthConfiguration config = new KafkaListenerCustomAuthConfiguration(reconciliation, customAuth.getListenerConfig().entrySet());
        config.asOrderedProperties().asMap().forEach((key, value) -> writer.println(String.format("listener.name.%s.%s=%s", listenerNameInProperty, key, value)));
    } else {
        securityProtocol.add(String.format("%s:%s", listenerName, getSecurityProtocol(tls, false)));
    }
}
Also used : KafkaListenerAuthenticationScramSha512(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationScramSha512) VolumeMount(io.fabric8.kubernetes.api.model.VolumeMount) GenericKafkaListener(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener) Rack(io.strimzi.api.kafka.model.Rack) KafkaListenerAuthentication(io.strimzi.api.kafka.model.listener.KafkaListenerAuthentication) Function(java.util.function.Function) Supplier(java.util.function.Supplier) ArrayList(java.util.ArrayList) KafkaAuthorizationCustom(io.strimzi.api.kafka.model.KafkaAuthorizationCustom) KafkaListenerAuthenticationTls(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationTls) KafkaAuthorization(io.strimzi.api.kafka.model.KafkaAuthorization) KafkaResources(io.strimzi.api.kafka.model.KafkaResources) GenericKafkaListenerConfiguration(io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListenerConfiguration) Locale(java.util.Locale) Duration(java.time.Duration) KafkaAuthorizationOpa(io.strimzi.api.kafka.model.KafkaAuthorizationOpa) KafkaListenerAuthenticationScramSha512(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationScramSha512) PrintWriter(java.io.PrintWriter) CertAndKeySecretSource(io.strimzi.api.kafka.model.CertAndKeySecretSource) CruiseControlConfigurationParameters(io.strimzi.operator.cluster.operator.resource.cruisecontrol.CruiseControlConfigurationParameters) KafkaAuthorizationKeycloak(io.strimzi.api.kafka.model.KafkaAuthorizationKeycloak) KafkaListenerAuthenticationCustom(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationCustom) StringWriter(java.io.StringWriter) ServerPlainConfig(io.strimzi.kafka.oauth.server.plain.ServerPlainConfig) ServerConfig(io.strimzi.kafka.oauth.server.ServerConfig) Collectors(java.util.stream.Collectors) KafkaListenerAuthenticationOAuth(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth) KafkaAuthorizationSimple(io.strimzi.api.kafka.model.KafkaAuthorizationSimple) Reconciliation(io.strimzi.operator.common.Reconciliation) List(java.util.List) Optional(java.util.Optional) CruiseControlSpec(io.strimzi.api.kafka.model.CruiseControlSpec) KafkaListenerAuthenticationTls(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationTls) ArrayList(java.util.ArrayList) KafkaListenerAuthenticationOAuth(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth) KafkaListenerAuthenticationCustom(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationCustom)

Example 33 with KafkaListenerAuthenticationOAuth

use of io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth in project strimzi by strimzi.

the class KafkaBrokerConfigurationBuilderTest method testOAuthOptions.

@ParallelTest
public void testOAuthOptions() {
    KafkaListenerAuthenticationOAuth auth = new KafkaListenerAuthenticationOAuthBuilder().withValidIssuerUri("http://valid-issuer").withCheckIssuer(false).withCheckAudience(true).withJwksEndpointUri("http://jwks-endpoint").withIntrospectionEndpointUri("http://introspection-endpoint").withUserInfoEndpointUri("http://userinfo-endpoint").withJwksExpirySeconds(160).withJwksRefreshSeconds(50).withJwksMinRefreshPauseSeconds(5).withEnableECDSA(true).withUserNameClaim("preferred_username").withFallbackUserNameClaim("client_id").withFallbackUserNamePrefix("client-account-").withCheckAccessTokenType(false).withClientId("my-kafka-id").withAccessTokenIsJwt(false).withValidTokenType("access_token").withDisableTlsHostnameVerification(true).withMaxSecondsWithoutReauthentication(3600).withEnablePlain(true).withTokenEndpointUri("http://token").withCustomClaimCheck("@.aud && @.aud == 'something'").withConnectTimeoutSeconds(30).withReadTimeoutSeconds(60).withClientAudience("kafka").withClientScope("messaging").build();
    List<String> expectedOptions = new ArrayList<>(5);
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_CLIENT_ID, "my-kafka-id"));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_VALID_ISSUER_URI, "http://valid-issuer"));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_CHECK_ISSUER, false));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_CHECK_AUDIENCE, true));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_CUSTOM_CLAIM_CHECK, "@.aud && @.aud == 'something'"));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_SCOPE, "messaging"));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_AUDIENCE, "kafka"));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_JWKS_ENDPOINT_URI, "http://jwks-endpoint"));
    expectedOptions.add(String.format("%s=\"%d\"", ServerConfig.OAUTH_JWKS_REFRESH_SECONDS, 50));
    expectedOptions.add(String.format("%s=\"%d\"", ServerConfig.OAUTH_JWKS_EXPIRY_SECONDS, 160));
    expectedOptions.add(String.format("%s=\"%d\"", ServerConfig.OAUTH_JWKS_REFRESH_MIN_PAUSE_SECONDS, 5));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_INTROSPECTION_ENDPOINT_URI, "http://introspection-endpoint"));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_USERINFO_ENDPOINT_URI, "http://userinfo-endpoint"));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_USERNAME_CLAIM, "preferred_username"));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_FALLBACK_USERNAME_CLAIM, "client_id"));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_FALLBACK_USERNAME_PREFIX, "client-account-"));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_ACCESS_TOKEN_IS_JWT, false));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_CHECK_ACCESS_TOKEN_TYPE, false));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_VALID_TOKEN_TYPE, "access_token"));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM, ""));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_CONNECT_TIMEOUT_SECONDS, 30));
    expectedOptions.add(String.format("%s=\"%s\"", ServerConfig.OAUTH_READ_TIMEOUT_SECONDS, 60));
    // enablePlain and tokenEndpointUri are handled separately from getOAuthOptions
    List<String> actualOptions = KafkaBrokerConfigurationBuilder.getOAuthOptions(auth);
    assertThat(actualOptions, is(equalTo(expectedOptions)));
}
Also used : ArrayList(java.util.ArrayList) KafkaListenerAuthenticationOAuth(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth) CoreMatchers.containsString(org.hamcrest.CoreMatchers.containsString) KafkaListenerAuthenticationOAuthBuilder(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuthBuilder) ParallelTest(io.strimzi.test.annotations.ParallelTest)

Example 34 with KafkaListenerAuthenticationOAuth

use of io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth in project strimzi by strimzi.

the class KafkaClusterOAuthValidationTest method testOAuthValidationWithConnectTimeout.

@ParallelTest
public void testOAuthValidationWithConnectTimeout() {
    assertThrows(InvalidResourceException.class, () -> {
        KafkaListenerAuthenticationOAuth auth = new KafkaListenerAuthenticationOAuthBuilder().withValidIssuerUri("http://valid-issuer").withJwksEndpointUri("http://jwks-endpoint").withConnectTimeoutSeconds(0).build();
        ListenersValidator.validate(Reconciliation.DUMMY_RECONCILIATION, 3, getListeners(auth));
    });
}
Also used : KafkaListenerAuthenticationOAuth(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth) KafkaListenerAuthenticationOAuthBuilder(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuthBuilder) ParallelTest(io.strimzi.test.annotations.ParallelTest)

Example 35 with KafkaListenerAuthenticationOAuth

use of io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth in project strimzi by strimzi.

the class KafkaClusterOAuthValidationTest method testOAuthValidationExpirySecondsWithoutEndpointUri.

@ParallelTest
public void testOAuthValidationExpirySecondsWithoutEndpointUri() {
    assertThrows(InvalidResourceException.class, () -> {
        KafkaListenerAuthenticationOAuth auth = new KafkaListenerAuthenticationOAuthBuilder().withIntrospectionEndpointUri("http://introspection").withClientId("my-client-id").withJwksExpirySeconds(100).build();
        ListenersValidator.validate(Reconciliation.DUMMY_RECONCILIATION, 3, getListeners(auth));
    });
}
Also used : KafkaListenerAuthenticationOAuth(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth) KafkaListenerAuthenticationOAuthBuilder(io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuthBuilder) ParallelTest(io.strimzi.test.annotations.ParallelTest)

Aggregations

KafkaListenerAuthenticationOAuth (io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuth)60 KafkaListenerAuthenticationOAuthBuilder (io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationOAuthBuilder)44 ParallelTest (io.strimzi.test.annotations.ParallelTest)44 GenericKafkaListener (io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener)14 ArrayList (java.util.ArrayList)12 KafkaAuthorizationKeycloak (io.strimzi.api.kafka.model.KafkaAuthorizationKeycloak)8 KafkaListenerAuthenticationCustom (io.strimzi.api.kafka.model.listener.KafkaListenerAuthenticationCustom)8 CertAndKeySecretSource (io.strimzi.api.kafka.model.CertAndKeySecretSource)6 Volume (io.fabric8.kubernetes.api.model.Volume)4 VolumeMount (io.fabric8.kubernetes.api.model.VolumeMount)4 KafkaResources (io.strimzi.api.kafka.model.KafkaResources)4 HashMap (java.util.HashMap)4 List (java.util.List)4 Collectors (java.util.stream.Collectors)4 CoreMatchers.containsString (org.hamcrest.CoreMatchers.containsString)3 EnvVar (io.fabric8.kubernetes.api.model.EnvVar)2 LabelSelector (io.fabric8.kubernetes.api.model.LabelSelector)2 ContainerEnvVar (io.strimzi.api.kafka.model.ContainerEnvVar)2 CruiseControlSpec (io.strimzi.api.kafka.model.CruiseControlSpec)2 KafkaAuthorization (io.strimzi.api.kafka.model.KafkaAuthorization)2