Search in sources :

Example 11 with ListenerName

use of org.apache.kafka.common.network.ListenerName in project kafka by apache.

the class SaslServerAuthenticatorTest method setupAuthenticator.

private SaslServerAuthenticator setupAuthenticator(Map<String, ?> configs, TransportLayer transportLayer, String mechanism, ChannelMetadataRegistry metadataRegistry) {
    TestJaasConfig jaasConfig = new TestJaasConfig();
    jaasConfig.addEntry("jaasContext", PlainLoginModule.class.getName(), new HashMap<String, Object>());
    Map<String, Subject> subjects = Collections.singletonMap(mechanism, new Subject());
    Map<String, AuthenticateCallbackHandler> callbackHandlers = Collections.singletonMap(mechanism, new SaslServerCallbackHandler());
    ApiVersionsResponse apiVersionsResponse = ApiVersionsResponse.defaultApiVersionsResponse(ApiMessageType.ListenerType.ZK_BROKER);
    return new SaslServerAuthenticator(configs, callbackHandlers, "node", subjects, null, new ListenerName("ssl"), SecurityProtocol.SASL_SSL, transportLayer, Collections.emptyMap(), metadataRegistry, Time.SYSTEM, () -> apiVersionsResponse);
}
Also used : ApiVersionsResponse(org.apache.kafka.common.requests.ApiVersionsResponse) PlainLoginModule(org.apache.kafka.common.security.plain.PlainLoginModule) AuthenticateCallbackHandler(org.apache.kafka.common.security.auth.AuthenticateCallbackHandler) ListenerName(org.apache.kafka.common.network.ListenerName) Subject(javax.security.auth.Subject)

Example 12 with ListenerName

use of org.apache.kafka.common.network.ListenerName in project kafka by apache.

the class SaslAuthenticatorTest method testJaasConfigurationForListener.

@Test
public void testJaasConfigurationForListener() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_PLAINTEXT;
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
    saslServerConfigs.put(BrokerSecurityConfigs.SASL_ENABLED_MECHANISMS_CONFIG, Arrays.asList("PLAIN"));
    TestJaasConfig staticJaasConfig = new TestJaasConfig();
    Map<String, Object> globalServerOptions = new HashMap<>();
    globalServerOptions.put("user_global1", "gsecret1");
    globalServerOptions.put("user_global2", "gsecret2");
    staticJaasConfig.createOrUpdateEntry(TestJaasConfig.LOGIN_CONTEXT_SERVER, PlainLoginModule.class.getName(), globalServerOptions);
    Map<String, Object> clientListenerServerOptions = new HashMap<>();
    clientListenerServerOptions.put("user_client1", "csecret1");
    clientListenerServerOptions.put("user_client2", "csecret2");
    String clientJaasEntryName = "client." + TestJaasConfig.LOGIN_CONTEXT_SERVER;
    staticJaasConfig.createOrUpdateEntry(clientJaasEntryName, PlainLoginModule.class.getName(), clientListenerServerOptions);
    Configuration.setConfiguration(staticJaasConfig);
    // Listener-specific credentials
    server = createEchoServer(new ListenerName("client"), securityProtocol);
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "client1", "csecret1"));
    createAndCheckClientConnection(securityProtocol, "1");
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "global1", "gsecret1"));
    createAndCheckClientConnectionFailure(securityProtocol, "2");
    server.close();
    // Global credentials as there is no listener-specific JAAS entry
    server = createEchoServer(new ListenerName("other"), securityProtocol);
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "global1", "gsecret1"));
    createAndCheckClientConnection(securityProtocol, "3");
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "client1", "csecret1"));
    createAndCheckClientConnectionFailure(securityProtocol, "4");
}
Also used : HashMap(java.util.HashMap) SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) PlainLoginModule(org.apache.kafka.common.security.plain.PlainLoginModule) ListenerName(org.apache.kafka.common.network.ListenerName) Test(org.junit.jupiter.api.Test)

Example 13 with ListenerName

use of org.apache.kafka.common.network.ListenerName in project kafka by apache.

the class SaslAuthenticatorTest method testServerLoginCallbackOverride.

/**
 * Tests SASL server login callback class override.
 */
@Test
public void testServerLoginCallbackOverride() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_PLAINTEXT;
    TestJaasConfig jaasConfig = configureMechanisms("PLAIN", Collections.singletonList("PLAIN"));
    jaasConfig.createOrUpdateEntry(TestJaasConfig.LOGIN_CONTEXT_SERVER, TestPlainLoginModule.class.getName(), Collections.emptyMap());
    jaasConfig.setClientOptions("PLAIN", TestServerCallbackHandler.USERNAME, TestServerCallbackHandler.PASSWORD);
    ListenerName listenerName = ListenerName.forSecurityProtocol(securityProtocol);
    String prefix = listenerName.saslMechanismConfigPrefix("PLAIN");
    saslServerConfigs.put(prefix + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS, TestServerCallbackHandler.class);
    Class<?> loginCallback = TestLoginCallbackHandler.class;
    try {
        createEchoServer(securityProtocol);
        fail("Should have failed to create server with default login handler");
    } catch (KafkaException e) {
    // Expected exception
    }
    try {
        saslServerConfigs.put(SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS, loginCallback);
        createEchoServer(securityProtocol);
        fail("Should have failed to create server with login handler config without listener+mechanism prefix");
    } catch (KafkaException e) {
        // Expected exception
        saslServerConfigs.remove(SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS);
    }
    try {
        saslServerConfigs.put("plain." + SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS, loginCallback);
        createEchoServer(securityProtocol);
        fail("Should have failed to create server with login handler config without listener prefix");
    } catch (KafkaException e) {
        // Expected exception
        saslServerConfigs.remove("plain." + SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS);
    }
    try {
        saslServerConfigs.put(listenerName.configPrefix() + SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS, loginCallback);
        createEchoServer(securityProtocol);
        fail("Should have failed to create server with login handler config without mechanism prefix");
    } catch (KafkaException e) {
        // Expected exception
        saslServerConfigs.remove("plain." + SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS);
    }
    // Connection should succeed using login callback override for mechanism
    saslServerConfigs.put(prefix + SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS, loginCallback);
    server = createEchoServer(securityProtocol);
    createAndCheckClientConnection(securityProtocol, "1");
}
Also used : SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) KafkaException(org.apache.kafka.common.KafkaException) ListenerName(org.apache.kafka.common.network.ListenerName) Test(org.junit.jupiter.api.Test)

Example 14 with ListenerName

use of org.apache.kafka.common.network.ListenerName in project kafka by apache.

the class SaslAuthenticatorTest method testAuthenticateCallbackHandlerMechanisms.

/**
 * Test that callback handlers are only applied to connections for the mechanisms
 * configured for the handler. Test enables two mechanisms 'PLAIN` and `DIGEST-MD5`
 * on the servers with different callback handlers for the two mechanisms. Verifies
 * that clients using both mechanisms authenticate successfully.
 */
@Test
public void testAuthenticateCallbackHandlerMechanisms() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_PLAINTEXT;
    TestJaasConfig jaasConfig = configureMechanisms("DIGEST-MD5", Arrays.asList("DIGEST-MD5", "PLAIN"));
    // Connections should fail using the digest callback handler if listener.mechanism prefix not specified
    saslServerConfigs.put("plain." + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS, TestServerCallbackHandler.class);
    saslServerConfigs.put("digest-md5." + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS, DigestServerCallbackHandler.class);
    server = createEchoServer(securityProtocol);
    createAndCheckClientConnectionFailure(securityProtocol, "invalid");
    // Connections should succeed using the server callback handler associated with the listener
    ListenerName listener = ListenerName.forSecurityProtocol(securityProtocol);
    saslServerConfigs.remove("plain." + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS);
    saslServerConfigs.remove("digest-md5." + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS);
    saslServerConfigs.put(listener.saslMechanismConfigPrefix("plain") + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS, TestServerCallbackHandler.class);
    saslServerConfigs.put(listener.saslMechanismConfigPrefix("digest-md5") + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS, DigestServerCallbackHandler.class);
    server = createEchoServer(securityProtocol);
    // Verify that DIGEST-MD5 (currently configured for client) works with `DigestServerCallbackHandler`
    createAndCheckClientConnection(securityProtocol, "good-digest-md5");
    // Verify that PLAIN works with `TestServerCallbackHandler`
    jaasConfig.setClientOptions("PLAIN", TestServerCallbackHandler.USERNAME, TestServerCallbackHandler.PASSWORD);
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
    createAndCheckClientConnection(securityProtocol, "good-plain");
}
Also used : SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) ListenerName(org.apache.kafka.common.network.ListenerName) Test(org.junit.jupiter.api.Test)

Example 15 with ListenerName

use of org.apache.kafka.common.network.ListenerName in project kafka by apache.

the class EmbeddedKafkaCluster method doStart.

private void doStart() {
    brokerConfig.put(KafkaConfig.ZkConnectProp(), zKConnectString());
    putIfAbsent(brokerConfig, KafkaConfig.DeleteTopicEnableProp(), true);
    putIfAbsent(brokerConfig, KafkaConfig.GroupInitialRebalanceDelayMsProp(), 0);
    putIfAbsent(brokerConfig, KafkaConfig.OffsetsTopicReplicationFactorProp(), (short) brokers.length);
    putIfAbsent(brokerConfig, KafkaConfig.AutoCreateTopicsEnableProp(), false);
    // reduce the size of the log cleaner map to reduce test memory usage
    putIfAbsent(brokerConfig, KafkaConfig.LogCleanerDedupeBufferSizeProp(), 2 * 1024 * 1024L);
    Object listenerConfig = brokerConfig.get(KafkaConfig.InterBrokerListenerNameProp());
    if (listenerConfig == null)
        listenerConfig = brokerConfig.get(KafkaConfig.InterBrokerSecurityProtocolProp());
    if (listenerConfig == null)
        listenerConfig = "PLAINTEXT";
    listenerName = new ListenerName(listenerConfig.toString());
    for (int i = 0; i < brokers.length; i++) {
        brokerConfig.put(KafkaConfig.BrokerIdProp(), i);
        currentBrokerLogDirs[i] = currentBrokerLogDirs[i] == null ? createLogDir() : currentBrokerLogDirs[i];
        brokerConfig.put(KafkaConfig.LogDirProp(), currentBrokerLogDirs[i]);
        if (!hasListenerConfig)
            brokerConfig.put(KafkaConfig.ListenersProp(), listenerName.value() + "://localhost:" + currentBrokerPorts[i]);
        brokers[i] = TestUtils.createServer(new KafkaConfig(brokerConfig, true), time);
        currentBrokerPorts[i] = brokers[i].boundPort(listenerName);
    }
    Map<String, Object> producerProps = new HashMap<>();
    producerProps.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, bootstrapServers());
    if (sslEnabled()) {
        producerProps.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, brokerConfig.get(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG));
        producerProps.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, brokerConfig.get(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG));
        producerProps.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL");
    }
    producer = new KafkaProducer<>(producerProps, new ByteArraySerializer(), new ByteArraySerializer());
}
Also used : HashMap(java.util.HashMap) ListenerName(org.apache.kafka.common.network.ListenerName) ByteArraySerializer(org.apache.kafka.common.serialization.ByteArraySerializer) EndPoint(kafka.cluster.EndPoint) KafkaConfig(kafka.server.KafkaConfig)

Aggregations

ListenerName (org.apache.kafka.common.network.ListenerName)27 HashMap (java.util.HashMap)11 JaasContext (org.apache.kafka.common.security.JaasContext)9 Test (org.junit.jupiter.api.Test)8 Test (org.junit.Test)7 SaslChannelBuilder (org.apache.kafka.common.network.SaslChannelBuilder)5 ApiVersionsResponse (org.apache.kafka.common.requests.ApiVersionsResponse)5 SecurityProtocol (org.apache.kafka.common.security.auth.SecurityProtocol)5 Map (java.util.Map)4 Subject (javax.security.auth.Subject)4 TransportLayer (org.apache.kafka.common.network.TransportLayer)4 PlainLoginModule (org.apache.kafka.common.security.plain.PlainLoginModule)4 ByteBuffer (java.nio.ByteBuffer)3 ArrayList (java.util.ArrayList)3 ApiVersionsResponseData (org.apache.kafka.common.message.ApiVersionsResponseData)3 ApiVersionCollection (org.apache.kafka.common.message.ApiVersionsResponseData.ApiVersionCollection)3 NioEchoServer (org.apache.kafka.common.network.NioEchoServer)3 TestSecurityConfig (org.apache.kafka.common.security.TestSecurityConfig)3 LogContext (org.apache.kafka.common.utils.LogContext)3 InetSocketAddress (java.net.InetSocketAddress)2