Examples with UnsupportedSaslMechanismException org.apache.kafka.common.errors.UnsupportedSaslMechanismException used on opensource projects

Example 1 with UnsupportedSaslMechanismException

use of org.apache.kafka.common.errors.UnsupportedSaslMechanismException in project kafka by apache.

the class KafkaAdminClient method alterUserScramCredentials.

@Override
public AlterUserScramCredentialsResult alterUserScramCredentials(List<UserScramCredentialAlteration> alterations, AlterUserScramCredentialsOptions options) {
    final long now = time.milliseconds();
    final Map<String, KafkaFutureImpl<Void>> futures = new HashMap<>();
    for (UserScramCredentialAlteration alteration : alterations) {
        futures.put(alteration.user(), new KafkaFutureImpl<>());
    }
    final Map<String, Exception> userIllegalAlterationExceptions = new HashMap<>();
    // We need to keep track of users with deletions of an unknown SCRAM mechanism
    final String usernameMustNotBeEmptyMsg = "Username must not be empty";
    String passwordMustNotBeEmptyMsg = "Password must not be empty";
    final String unknownScramMechanismMsg = "Unknown SCRAM mechanism";
    alterations.stream().filter(a -> a instanceof UserScramCredentialDeletion).forEach(alteration -> {
        final String user = alteration.user();
        if (user == null || user.isEmpty()) {
            userIllegalAlterationExceptions.put(alteration.user(), new UnacceptableCredentialException(usernameMustNotBeEmptyMsg));
        } else {
            UserScramCredentialDeletion deletion = (UserScramCredentialDeletion) alteration;
            ScramMechanism mechanism = deletion.mechanism();
            if (mechanism == null || mechanism == ScramMechanism.UNKNOWN) {
                userIllegalAlterationExceptions.put(user, new UnsupportedSaslMechanismException(unknownScramMechanismMsg));
            }
        }
    });
    // Creating an upsertion may throw InvalidKeyException or NoSuchAlgorithmException,
    // so keep track of which users are affected by such a failure so we can fail all their alterations later
    final Map<String, Map<ScramMechanism, AlterUserScramCredentialsRequestData.ScramCredentialUpsertion>> userInsertions = new HashMap<>();
    alterations.stream().filter(a -> a instanceof UserScramCredentialUpsertion).filter(alteration -> !userIllegalAlterationExceptions.containsKey(alteration.user())).forEach(alteration -> {
        final String user = alteration.user();
        if (user == null || user.isEmpty()) {
            userIllegalAlterationExceptions.put(alteration.user(), new UnacceptableCredentialException(usernameMustNotBeEmptyMsg));
        } else {
            UserScramCredentialUpsertion upsertion = (UserScramCredentialUpsertion) alteration;
            try {
                byte[] password = upsertion.password();
                if (password == null || password.length == 0) {
                    userIllegalAlterationExceptions.put(user, new UnacceptableCredentialException(passwordMustNotBeEmptyMsg));
                } else {
                    ScramMechanism mechanism = upsertion.credentialInfo().mechanism();
                    if (mechanism == null || mechanism == ScramMechanism.UNKNOWN) {
                        userIllegalAlterationExceptions.put(user, new UnsupportedSaslMechanismException(unknownScramMechanismMsg));
                    } else {
                        userInsertions.putIfAbsent(user, new HashMap<>());
                        userInsertions.get(user).put(mechanism, getScramCredentialUpsertion(upsertion));
                    }
                }
            } catch (NoSuchAlgorithmException e) {
                // we might overwrite an exception from a previous alteration, but we don't really care
                // since we just need to mark this user as having at least one illegal alteration
                // and make an exception instance available for completing the corresponding future exceptionally
                userIllegalAlterationExceptions.put(user, new UnsupportedSaslMechanismException(unknownScramMechanismMsg));
            } catch (InvalidKeyException e) {
                // generally shouldn't happen since we deal with the empty password case above,
                // but we still need to catch/handle it
                userIllegalAlterationExceptions.put(user, new UnacceptableCredentialException(e.getMessage(), e));
            }
        }
    });
    // submit alterations only for users that do not have an illegal alteration as identified above
    Call call = new Call("alterUserScramCredentials", calcDeadlineMs(now, options.timeoutMs()), new ControllerNodeProvider()) {

        @Override
        public AlterUserScramCredentialsRequest.Builder createRequest(int timeoutMs) {
            return new AlterUserScramCredentialsRequest.Builder(new AlterUserScramCredentialsRequestData().setUpsertions(alterations.stream().filter(a -> a instanceof UserScramCredentialUpsertion).filter(a -> !userIllegalAlterationExceptions.containsKey(a.user())).map(a -> userInsertions.get(a.user()).get(((UserScramCredentialUpsertion) a).credentialInfo().mechanism())).collect(Collectors.toList())).setDeletions(alterations.stream().filter(a -> a instanceof UserScramCredentialDeletion).filter(a -> !userIllegalAlterationExceptions.containsKey(a.user())).map(d -> getScramCredentialDeletion((UserScramCredentialDeletion) d)).collect(Collectors.toList())));
        }

        @Override
        public void handleResponse(AbstractResponse abstractResponse) {
            AlterUserScramCredentialsResponse response = (AlterUserScramCredentialsResponse) abstractResponse;
            // Check for controller change
            for (Errors error : response.errorCounts().keySet()) {
                if (error == Errors.NOT_CONTROLLER) {
                    handleNotControllerError(error);
                }
            }
            /* Now that we have the results for the ones we sent,
                 * fail any users that have an illegal alteration as identified above.
                 * Be sure to do this after the NOT_CONTROLLER error check above
                 * so that all errors are consistent in that case.
                 */
            userIllegalAlterationExceptions.entrySet().stream().forEach(entry -> {
                futures.get(entry.getKey()).completeExceptionally(entry.getValue());
            });
            response.data().results().forEach(result -> {
                KafkaFutureImpl<Void> future = futures.get(result.user());
                if (future == null) {
                    log.warn("Server response mentioned unknown user {}", result.user());
                } else {
                    Errors error = Errors.forCode(result.errorCode());
                    if (error != Errors.NONE) {
                        future.completeExceptionally(error.exception(result.errorMessage()));
                    } else {
                        future.complete(null);
                    }
                }
            });
            completeUnrealizedFutures(futures.entrySet().stream(), user -> "The broker response did not contain a result for user " + user);
        }

        @Override
        void handleFailure(Throwable throwable) {
            completeAllExceptionally(futures.values(), throwable);
        }
    };
    runnable.call(call, now);
    return new AlterUserScramCredentialsResult(new HashMap<>(futures));
}

Example 2 with UnsupportedSaslMechanismException

use of org.apache.kafka.common.errors.UnsupportedSaslMechanismException in project kafka by apache.

the class SaslServerAuthenticator method handleKafkaRequest.

private boolean handleKafkaRequest(byte[] requestBytes) throws IOException, AuthenticationException {
    boolean isKafkaRequest = false;
    String clientMechanism = null;
    try {
        ByteBuffer requestBuffer = ByteBuffer.wrap(requestBytes);
        RequestHeader header = RequestHeader.parse(requestBuffer);
        ApiKeys apiKey = header.apiKey();
        // following a SaslHandshakeRequest since this is not a GSSAPI client token from a Kafka 0.9.0.x client.
        if (saslState == SaslState.INITIAL_REQUEST)
            setSaslState(SaslState.HANDSHAKE_OR_VERSIONS_REQUEST);
        isKafkaRequest = true;
        // unnecessary exposure to some of the more complex schema types.
        if (apiKey != ApiKeys.API_VERSIONS && apiKey != ApiKeys.SASL_HANDSHAKE)
            throw new IllegalSaslStateException("Unexpected Kafka request of type " + apiKey + " during SASL handshake.");
        LOG.debug("Handling Kafka request {} during {}", apiKey, reauthInfo.authenticationOrReauthenticationText());
        RequestContext requestContext = new RequestContext(header, connectionId, clientAddress(), KafkaPrincipal.ANONYMOUS, listenerName, securityProtocol, ClientInformation.EMPTY, false);
        RequestAndSize requestAndSize = requestContext.parseRequest(requestBuffer);
        if (apiKey == ApiKeys.API_VERSIONS)
            handleApiVersionsRequest(requestContext, (ApiVersionsRequest) requestAndSize.request);
        else
            clientMechanism = handleHandshakeRequest(requestContext, (SaslHandshakeRequest) requestAndSize.request);
    } catch (InvalidRequestException e) {
        if (saslState == SaslState.INITIAL_REQUEST) {
            // starting with 0x60, revert to GSSAPI for both these exceptions.
            if (LOG.isDebugEnabled()) {
                StringBuilder tokenBuilder = new StringBuilder();
                for (byte b : requestBytes) {
                    tokenBuilder.append(String.format("%02x", b));
                    if (tokenBuilder.length() >= 20)
                        break;
                }
                LOG.debug("Received client packet of length {} starting with bytes 0x{}, process as GSSAPI packet", requestBytes.length, tokenBuilder);
            }
            if (enabledMechanisms.contains(SaslConfigs.GSSAPI_MECHANISM)) {
                LOG.debug("First client packet is not a SASL mechanism request, using default mechanism GSSAPI");
                clientMechanism = SaslConfigs.GSSAPI_MECHANISM;
            } else
                throw new UnsupportedSaslMechanismException("Exception handling first SASL packet from client, GSSAPI is not supported by server", e);
        } else
            throw e;
    }
    if (clientMechanism != null && (!reauthInfo.reauthenticating() || reauthInfo.saslMechanismUnchanged(clientMechanism))) {
        createSaslServer(clientMechanism);
        setSaslState(SaslState.AUTHENTICATE);
    }
    return isKafkaRequest;
}

Example 3 with UnsupportedSaslMechanismException

use of org.apache.kafka.common.errors.UnsupportedSaslMechanismException in project kafka by apache.

the class SaslServerAuthenticator method handleHandshakeRequest.

private String handleHandshakeRequest(RequestHeader requestHeader, SaslHandshakeRequest handshakeRequest) throws IOException, UnsupportedSaslMechanismException {
    String clientMechanism = handshakeRequest.mechanism();
    if (enabledMechanisms.contains(clientMechanism)) {
        LOG.debug("Using SASL mechanism '{}' provided by client", clientMechanism);
        sendKafkaResponse(requestHeader, new SaslHandshakeResponse(Errors.NONE, enabledMechanisms));
        return clientMechanism;
    } else {
        LOG.debug("SASL mechanism '{}' requested by client is not supported", clientMechanism);
        sendKafkaResponse(requestHeader, new SaslHandshakeResponse(Errors.UNSUPPORTED_SASL_MECHANISM, enabledMechanisms));
        throw new UnsupportedSaslMechanismException("Unsupported SASL mechanism " + clientMechanism);
    }
}

Example 4 with UnsupportedSaslMechanismException

use of org.apache.kafka.common.errors.UnsupportedSaslMechanismException in project apache-kafka-on-k8s by banzaicloud.

the class SaslServerAuthenticator method handleHandshakeRequest.

private String handleHandshakeRequest(RequestContext context, SaslHandshakeRequest handshakeRequest) throws IOException, UnsupportedSaslMechanismException {
    String clientMechanism = handshakeRequest.mechanism();
    short version = context.header.apiVersion();
    if (version >= 1)
        this.enableKafkaSaslAuthenticateHeaders(true);
    if (enabledMechanisms.contains(clientMechanism)) {
        LOG.debug("Using SASL mechanism '{}' provided by client", clientMechanism);
        sendKafkaResponse(context, new SaslHandshakeResponse(Errors.NONE, enabledMechanisms));
        return clientMechanism;
    } else {
        LOG.debug("SASL mechanism '{}' requested by client is not supported", clientMechanism);
        sendKafkaResponse(context, new SaslHandshakeResponse(Errors.UNSUPPORTED_SASL_MECHANISM, enabledMechanisms));
        throw new UnsupportedSaslMechanismException("Unsupported SASL mechanism " + clientMechanism);
    }
}

Example 5 with UnsupportedSaslMechanismException

use of org.apache.kafka.common.errors.UnsupportedSaslMechanismException in project apache-kafka-on-k8s by banzaicloud.

the class SaslServerAuthenticator method handleKafkaRequest.

private boolean handleKafkaRequest(byte[] requestBytes) throws IOException, AuthenticationException {
    boolean isKafkaRequest = false;
    String clientMechanism = null;
    try {
        ByteBuffer requestBuffer = ByteBuffer.wrap(requestBytes);
        RequestHeader header = RequestHeader.parse(requestBuffer);
        ApiKeys apiKey = header.apiKey();
        // following a SaslHandshakeRequest since this is not a GSSAPI client token from a Kafka 0.9.0.x client.
        if (saslState == SaslState.INITIAL_REQUEST)
            setSaslState(SaslState.HANDSHAKE_OR_VERSIONS_REQUEST);
        isKafkaRequest = true;
        // unnecessary exposure to some of the more complex schema types.
        if (apiKey != ApiKeys.API_VERSIONS && apiKey != ApiKeys.SASL_HANDSHAKE)
            throw new IllegalSaslStateException("Unexpected Kafka request of type " + apiKey + " during SASL handshake.");
        LOG.debug("Handling Kafka request {}", apiKey);
        RequestContext requestContext = new RequestContext(header, connectionId, clientAddress(), KafkaPrincipal.ANONYMOUS, listenerName, securityProtocol);
        RequestAndSize requestAndSize = requestContext.parseRequest(requestBuffer);
        if (apiKey == ApiKeys.API_VERSIONS)
            handleApiVersionsRequest(requestContext, (ApiVersionsRequest) requestAndSize.request);
        else
            clientMechanism = handleHandshakeRequest(requestContext, (SaslHandshakeRequest) requestAndSize.request);
    } catch (InvalidRequestException e) {
        if (saslState == SaslState.INITIAL_REQUEST) {
            // starting with 0x60, revert to GSSAPI for both these exceptions.
            if (LOG.isDebugEnabled()) {
                StringBuilder tokenBuilder = new StringBuilder();
                for (byte b : requestBytes) {
                    tokenBuilder.append(String.format("%02x", b));
                    if (tokenBuilder.length() >= 20)
                        break;
                }
                LOG.debug("Received client packet of length {} starting with bytes 0x{}, process as GSSAPI packet", requestBytes.length, tokenBuilder);
            }
            if (enabledMechanisms.contains(SaslConfigs.GSSAPI_MECHANISM)) {
                LOG.debug("First client packet is not a SASL mechanism request, using default mechanism GSSAPI");
                clientMechanism = SaslConfigs.GSSAPI_MECHANISM;
            } else
                throw new UnsupportedSaslMechanismException("Exception handling first SASL packet from client, GSSAPI is not supported by server", e);
        } else
            throw e;
    }
    if (clientMechanism != null) {
        createSaslServer(clientMechanism);
        setSaslState(SaslState.AUTHENTICATE);
    }
    return isKafkaRequest;
}