Examples with Password org.apache.kafka.common.config.types.Password used on opensource projects

Example 1 with Password

use of org.apache.kafka.common.config.types.Password in project kafka by apache.

the class LoginManager method acquireLoginManager.

/**
     * Returns an instance of `LoginManager` and increases its reference count.
     *
     * `release()` should be invoked when the `LoginManager` is no longer needed. This method will try to reuse an
     * existing `LoginManager` for the provided context type and `SaslConfigs.SASL_JAAS_CONFIG` in `configs`,
     * if available.
     *
     * This is a bit ugly and it would be nicer if we could pass the `LoginManager` to `ChannelBuilders.create` and
     * shut it down when the broker or clients are closed. It's straightforward to do the former, but it's more
     * complicated to do the latter without making the consumer API more complex.
     */
public static LoginManager acquireLoginManager(JaasContext jaasContext, boolean hasKerberos, Map<String, ?> configs) throws IOException, LoginException {
    synchronized (LoginManager.class) {
        // SASL_JAAS_CONFIG is only supported by clients
        LoginManager loginManager;
        Password jaasConfigValue = (Password) configs.get(SaslConfigs.SASL_JAAS_CONFIG);
        if (jaasContext.type() == JaasContext.Type.CLIENT && jaasConfigValue != null) {
            loginManager = DYNAMIC_INSTANCES.get(jaasConfigValue);
            if (loginManager == null) {
                loginManager = new LoginManager(jaasContext, hasKerberos, configs, jaasConfigValue);
                DYNAMIC_INSTANCES.put(jaasConfigValue, loginManager);
            }
        } else {
            loginManager = STATIC_INSTANCES.get(jaasContext.name());
            if (loginManager == null) {
                loginManager = new LoginManager(jaasContext, hasKerberos, configs, jaasConfigValue);
                STATIC_INSTANCES.put(jaasContext.name(), loginManager);
            }
        }
        return loginManager.acquire();
    }
}

Example 2 with Password

use of org.apache.kafka.common.config.types.Password in project kafka by apache.

the class JaasContext method load.

static JaasContext load(JaasContext.Type contextType, String listenerContextName, String globalContextName, Map<String, ?> configs) {
    Password jaasConfigArgs = (Password) configs.get(SaslConfigs.SASL_JAAS_CONFIG);
    if (jaasConfigArgs != null) {
        if (contextType == JaasContext.Type.SERVER)
            throw new IllegalArgumentException("JAAS config property not supported for server");
        else {
            JaasConfig jaasConfig = new JaasConfig(globalContextName, jaasConfigArgs.value());
            AppConfigurationEntry[] clientModules = jaasConfig.getAppConfigurationEntry(globalContextName);
            int numModules = clientModules == null ? 0 : clientModules.length;
            if (numModules != 1)
                throw new IllegalArgumentException("JAAS config property contains " + numModules + " login modules, should be 1 module");
            return new JaasContext(globalContextName, contextType, jaasConfig);
        }
    } else
        return defaultContext(contextType, listenerContextName, globalContextName);
}

Example 3 with Password

use of org.apache.kafka.common.config.types.Password in project apache-kafka-on-k8s by banzaicloud.

the class SaslAuthenticatorTest method testClientDynamicJaasConfiguration.

/**
 * Tests dynamic JAAS configuration property for SASL clients. Invalid client credentials
 * are set in the static JVM-wide configuration instance to ensure that the dynamic
 * property override is used during authentication.
 */
@Test
public void testClientDynamicJaasConfiguration() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
    saslServerConfigs.put(BrokerSecurityConfigs.SASL_ENABLED_MECHANISMS_CONFIG, Arrays.asList("PLAIN"));
    Map<String, Object> serverOptions = new HashMap<>();
    serverOptions.put("user_user1", "user1-secret");
    serverOptions.put("user_user2", "user2-secret");
    TestJaasConfig staticJaasConfig = new TestJaasConfig();
    staticJaasConfig.createOrUpdateEntry(TestJaasConfig.LOGIN_CONTEXT_SERVER, PlainLoginModule.class.getName(), serverOptions);
    staticJaasConfig.setClientOptions("PLAIN", "user1", "invalidpassword");
    Configuration.setConfiguration(staticJaasConfig);
    server = createEchoServer(securityProtocol);
    // Check that client using static Jaas config does not connect since password is invalid
    createAndCheckClientConnectionFailure(securityProtocol, "1");
    // Check that 'user1' can connect with a Jaas config property override
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "user1", "user1-secret"));
    createAndCheckClientConnection(securityProtocol, "2");
    // Check that invalid password specified as Jaas config property results in connection failure
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "user1", "user2-secret"));
    createAndCheckClientConnectionFailure(securityProtocol, "3");
    // Check that another user 'user2' can also connect with a Jaas config override without any changes to static configuration
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "user2", "user2-secret"));
    createAndCheckClientConnection(securityProtocol, "4");
    // Check that clients specifying multiple login modules fail even if the credentials are valid
    String module1 = TestJaasConfig.jaasConfigProperty("PLAIN", "user1", "user1-secret").value();
    String module2 = TestJaasConfig.jaasConfigProperty("PLAIN", "user2", "user2-secret").value();
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, new Password(module1 + " " + module2));
    try {
        createClientConnection(securityProtocol, "1");
        fail("Connection created with multiple login modules in sasl.jaas.config");
    } catch (IllegalArgumentException e) {
    // Expected
    }
}

Example 4 with Password

use of org.apache.kafka.common.config.types.Password in project apache-kafka-on-k8s by banzaicloud.

the class LoginManager method acquireLoginManager.

/**
 * Returns an instance of `LoginManager` and increases its reference count.
 *
 * `release()` should be invoked when the `LoginManager` is no longer needed. This method will try to reuse an
 * existing `LoginManager` for the provided context type. If `jaasContext` was loaded from a dynamic config,
 * login managers are reused for the same dynamic config value. For `jaasContext` loaded from static JAAS
 * configuration, login managers are reused for static contexts with the same login context name.
 *
 * This is a bit ugly and it would be nicer if we could pass the `LoginManager` to `ChannelBuilders.create` and
 * shut it down when the broker or clients are closed. It's straightforward to do the former, but it's more
 * complicated to do the latter without making the consumer API more complex.
 *
 * @param jaasContext Static or dynamic JAAS context. `jaasContext.dynamicJaasConfig()` is non-null for dynamic context.
 *                    For static contexts, this may contain multiple login modules if the context type is SERVER.
 *                    For CLIENT static contexts and dynamic contexts of CLIENT and SERVER, 'jaasContext` contains
 *                    only one login module.
 * @param saslMechanism SASL mechanism for which login manager is being acquired. For dynamic contexts, the single
 *                      login module in `jaasContext` corresponds to this SASL mechanism. Hence `Login` class is
 *                      chosen based on this mechanism.
 * @param hasKerberos Boolean flag that indicates if Kerberos is enabled for the server listener or client. Since
 *                    static broker configuration may contain multiple login modules in a login context, KerberosLogin
 *                    must be used if Kerberos is enabled on the listener, even if `saslMechanism` is not GSSAPI.
 * @param configs Config options used to configure `Login` if a new login manager is created.
 */
public static LoginManager acquireLoginManager(JaasContext jaasContext, String saslMechanism, boolean hasKerberos, Map<String, ?> configs) throws IOException, LoginException {
    synchronized (LoginManager.class) {
        LoginManager loginManager;
        Password jaasConfigValue = jaasContext.dynamicJaasConfig();
        if (jaasConfigValue != null) {
            loginManager = DYNAMIC_INSTANCES.get(jaasConfigValue);
            if (loginManager == null) {
                loginManager = new LoginManager(jaasContext, saslMechanism.equals(SaslConfigs.GSSAPI_MECHANISM), configs, jaasConfigValue);
                DYNAMIC_INSTANCES.put(jaasConfigValue, loginManager);
            }
        } else {
            loginManager = STATIC_INSTANCES.get(jaasContext.name());
            if (loginManager == null) {
                loginManager = new LoginManager(jaasContext, hasKerberos, configs, jaasContext.name());
                STATIC_INSTANCES.put(jaasContext.name(), loginManager);
            }
        }
        return loginManager.acquire();
    }
}

Example 5 with Password

use of org.apache.kafka.common.config.types.Password in project apache-kafka-on-k8s by banzaicloud.

the class SslFactory method configure.

@Override
public void configure(Map<String, ?> configs) throws KafkaException {
    this.protocol = (String) configs.get(SslConfigs.SSL_PROTOCOL_CONFIG);
    this.provider = (String) configs.get(SslConfigs.SSL_PROVIDER_CONFIG);
    @SuppressWarnings("unchecked") List<String> cipherSuitesList = (List<String>) configs.get(SslConfigs.SSL_CIPHER_SUITES_CONFIG);
    if (cipherSuitesList != null && !cipherSuitesList.isEmpty())
        this.cipherSuites = cipherSuitesList.toArray(new String[cipherSuitesList.size()]);
    @SuppressWarnings("unchecked") List<String> enabledProtocolsList = (List<String>) configs.get(SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG);
    if (enabledProtocolsList != null && !enabledProtocolsList.isEmpty())
        this.enabledProtocols = enabledProtocolsList.toArray(new String[enabledProtocolsList.size()]);
    String endpointIdentification = (String) configs.get(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG);
    if (endpointIdentification != null)
        this.endpointIdentification = endpointIdentification;
    String secureRandomImplementation = (String) configs.get(SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_CONFIG);
    if (secureRandomImplementation != null) {
        try {
            this.secureRandomImplementation = SecureRandom.getInstance(secureRandomImplementation);
        } catch (GeneralSecurityException e) {
            throw new KafkaException(e);
        }
    }
    String clientAuthConfig = clientAuthConfigOverride;
    if (clientAuthConfig == null)
        clientAuthConfig = (String) configs.get(BrokerSecurityConfigs.SSL_CLIENT_AUTH_CONFIG);
    if (clientAuthConfig != null) {
        if (clientAuthConfig.equals("required"))
            this.needClientAuth = true;
        else if (clientAuthConfig.equals("requested"))
            this.wantClientAuth = true;
    }
    this.kmfAlgorithm = (String) configs.get(SslConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG);
    this.tmfAlgorithm = (String) configs.get(SslConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG);
    this.keystore = createKeystore((String) configs.get(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG), (String) configs.get(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG), (Password) configs.get(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG), (Password) configs.get(SslConfigs.SSL_KEY_PASSWORD_CONFIG));
    this.truststore = createTruststore((String) configs.get(SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG), (String) configs.get(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG), (Password) configs.get(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG));
    try {
        this.sslContext = createSSLContext(keystore);
    } catch (Exception e) {
        throw new KafkaException(e);
    }
}