use of org.apache.kafka.common.network.ListenerName in project kafka by apache.
the class SaslServerAuthenticatorTest method setupAuthenticator.
private SaslServerAuthenticator setupAuthenticator(Map<String, ?> configs, TransportLayer transportLayer, String mechanism, ChannelMetadataRegistry metadataRegistry) {
TestJaasConfig jaasConfig = new TestJaasConfig();
jaasConfig.addEntry("jaasContext", PlainLoginModule.class.getName(), new HashMap<String, Object>());
Map<String, Subject> subjects = Collections.singletonMap(mechanism, new Subject());
Map<String, AuthenticateCallbackHandler> callbackHandlers = Collections.singletonMap(mechanism, new SaslServerCallbackHandler());
ApiVersionsResponse apiVersionsResponse = ApiVersionsResponse.defaultApiVersionsResponse(ApiMessageType.ListenerType.ZK_BROKER);
return new SaslServerAuthenticator(configs, callbackHandlers, "node", subjects, null, new ListenerName("ssl"), SecurityProtocol.SASL_SSL, transportLayer, Collections.emptyMap(), metadataRegistry, Time.SYSTEM, () -> apiVersionsResponse);
}
use of org.apache.kafka.common.network.ListenerName in project kafka by apache.
the class SaslAuthenticatorTest method testJaasConfigurationForListener.
@Test
public void testJaasConfigurationForListener() throws Exception {
SecurityProtocol securityProtocol = SecurityProtocol.SASL_PLAINTEXT;
saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
saslServerConfigs.put(BrokerSecurityConfigs.SASL_ENABLED_MECHANISMS_CONFIG, Arrays.asList("PLAIN"));
TestJaasConfig staticJaasConfig = new TestJaasConfig();
Map<String, Object> globalServerOptions = new HashMap<>();
globalServerOptions.put("user_global1", "gsecret1");
globalServerOptions.put("user_global2", "gsecret2");
staticJaasConfig.createOrUpdateEntry(TestJaasConfig.LOGIN_CONTEXT_SERVER, PlainLoginModule.class.getName(), globalServerOptions);
Map<String, Object> clientListenerServerOptions = new HashMap<>();
clientListenerServerOptions.put("user_client1", "csecret1");
clientListenerServerOptions.put("user_client2", "csecret2");
String clientJaasEntryName = "client." + TestJaasConfig.LOGIN_CONTEXT_SERVER;
staticJaasConfig.createOrUpdateEntry(clientJaasEntryName, PlainLoginModule.class.getName(), clientListenerServerOptions);
Configuration.setConfiguration(staticJaasConfig);
// Listener-specific credentials
server = createEchoServer(new ListenerName("client"), securityProtocol);
saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "client1", "csecret1"));
createAndCheckClientConnection(securityProtocol, "1");
saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "global1", "gsecret1"));
createAndCheckClientConnectionFailure(securityProtocol, "2");
server.close();
// Global credentials as there is no listener-specific JAAS entry
server = createEchoServer(new ListenerName("other"), securityProtocol);
saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "global1", "gsecret1"));
createAndCheckClientConnection(securityProtocol, "3");
saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "client1", "csecret1"));
createAndCheckClientConnectionFailure(securityProtocol, "4");
}
use of org.apache.kafka.common.network.ListenerName in project kafka by apache.
the class SaslAuthenticatorTest method testServerLoginCallbackOverride.
/**
* Tests SASL server login callback class override.
*/
@Test
public void testServerLoginCallbackOverride() throws Exception {
SecurityProtocol securityProtocol = SecurityProtocol.SASL_PLAINTEXT;
TestJaasConfig jaasConfig = configureMechanisms("PLAIN", Collections.singletonList("PLAIN"));
jaasConfig.createOrUpdateEntry(TestJaasConfig.LOGIN_CONTEXT_SERVER, TestPlainLoginModule.class.getName(), Collections.emptyMap());
jaasConfig.setClientOptions("PLAIN", TestServerCallbackHandler.USERNAME, TestServerCallbackHandler.PASSWORD);
ListenerName listenerName = ListenerName.forSecurityProtocol(securityProtocol);
String prefix = listenerName.saslMechanismConfigPrefix("PLAIN");
saslServerConfigs.put(prefix + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS, TestServerCallbackHandler.class);
Class<?> loginCallback = TestLoginCallbackHandler.class;
try {
createEchoServer(securityProtocol);
fail("Should have failed to create server with default login handler");
} catch (KafkaException e) {
// Expected exception
}
try {
saslServerConfigs.put(SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS, loginCallback);
createEchoServer(securityProtocol);
fail("Should have failed to create server with login handler config without listener+mechanism prefix");
} catch (KafkaException e) {
// Expected exception
saslServerConfigs.remove(SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS);
}
try {
saslServerConfigs.put("plain." + SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS, loginCallback);
createEchoServer(securityProtocol);
fail("Should have failed to create server with login handler config without listener prefix");
} catch (KafkaException e) {
// Expected exception
saslServerConfigs.remove("plain." + SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS);
}
try {
saslServerConfigs.put(listenerName.configPrefix() + SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS, loginCallback);
createEchoServer(securityProtocol);
fail("Should have failed to create server with login handler config without mechanism prefix");
} catch (KafkaException e) {
// Expected exception
saslServerConfigs.remove("plain." + SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS);
}
// Connection should succeed using login callback override for mechanism
saslServerConfigs.put(prefix + SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS, loginCallback);
server = createEchoServer(securityProtocol);
createAndCheckClientConnection(securityProtocol, "1");
}
use of org.apache.kafka.common.network.ListenerName in project kafka by apache.
the class SaslAuthenticatorTest method testAuthenticateCallbackHandlerMechanisms.
/**
* Test that callback handlers are only applied to connections for the mechanisms
* configured for the handler. Test enables two mechanisms 'PLAIN` and `DIGEST-MD5`
* on the servers with different callback handlers for the two mechanisms. Verifies
* that clients using both mechanisms authenticate successfully.
*/
@Test
public void testAuthenticateCallbackHandlerMechanisms() throws Exception {
SecurityProtocol securityProtocol = SecurityProtocol.SASL_PLAINTEXT;
TestJaasConfig jaasConfig = configureMechanisms("DIGEST-MD5", Arrays.asList("DIGEST-MD5", "PLAIN"));
// Connections should fail using the digest callback handler if listener.mechanism prefix not specified
saslServerConfigs.put("plain." + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS, TestServerCallbackHandler.class);
saslServerConfigs.put("digest-md5." + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS, DigestServerCallbackHandler.class);
server = createEchoServer(securityProtocol);
createAndCheckClientConnectionFailure(securityProtocol, "invalid");
// Connections should succeed using the server callback handler associated with the listener
ListenerName listener = ListenerName.forSecurityProtocol(securityProtocol);
saslServerConfigs.remove("plain." + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS);
saslServerConfigs.remove("digest-md5." + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS);
saslServerConfigs.put(listener.saslMechanismConfigPrefix("plain") + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS, TestServerCallbackHandler.class);
saslServerConfigs.put(listener.saslMechanismConfigPrefix("digest-md5") + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS, DigestServerCallbackHandler.class);
server = createEchoServer(securityProtocol);
// Verify that DIGEST-MD5 (currently configured for client) works with `DigestServerCallbackHandler`
createAndCheckClientConnection(securityProtocol, "good-digest-md5");
// Verify that PLAIN works with `TestServerCallbackHandler`
jaasConfig.setClientOptions("PLAIN", TestServerCallbackHandler.USERNAME, TestServerCallbackHandler.PASSWORD);
saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
createAndCheckClientConnection(securityProtocol, "good-plain");
}
use of org.apache.kafka.common.network.ListenerName in project kafka by apache.
the class EmbeddedKafkaCluster method doStart.
private void doStart() {
brokerConfig.put(KafkaConfig.ZkConnectProp(), zKConnectString());
putIfAbsent(brokerConfig, KafkaConfig.DeleteTopicEnableProp(), true);
putIfAbsent(brokerConfig, KafkaConfig.GroupInitialRebalanceDelayMsProp(), 0);
putIfAbsent(brokerConfig, KafkaConfig.OffsetsTopicReplicationFactorProp(), (short) brokers.length);
putIfAbsent(brokerConfig, KafkaConfig.AutoCreateTopicsEnableProp(), false);
// reduce the size of the log cleaner map to reduce test memory usage
putIfAbsent(brokerConfig, KafkaConfig.LogCleanerDedupeBufferSizeProp(), 2 * 1024 * 1024L);
Object listenerConfig = brokerConfig.get(KafkaConfig.InterBrokerListenerNameProp());
if (listenerConfig == null)
listenerConfig = brokerConfig.get(KafkaConfig.InterBrokerSecurityProtocolProp());
if (listenerConfig == null)
listenerConfig = "PLAINTEXT";
listenerName = new ListenerName(listenerConfig.toString());
for (int i = 0; i < brokers.length; i++) {
brokerConfig.put(KafkaConfig.BrokerIdProp(), i);
currentBrokerLogDirs[i] = currentBrokerLogDirs[i] == null ? createLogDir() : currentBrokerLogDirs[i];
brokerConfig.put(KafkaConfig.LogDirProp(), currentBrokerLogDirs[i]);
if (!hasListenerConfig)
brokerConfig.put(KafkaConfig.ListenersProp(), listenerName.value() + "://localhost:" + currentBrokerPorts[i]);
brokers[i] = TestUtils.createServer(new KafkaConfig(brokerConfig, true), time);
currentBrokerPorts[i] = brokers[i].boundPort(listenerName);
}
Map<String, Object> producerProps = new HashMap<>();
producerProps.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, bootstrapServers());
if (sslEnabled()) {
producerProps.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, brokerConfig.get(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG));
producerProps.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, brokerConfig.get(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG));
producerProps.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL");
}
producer = new KafkaProducer<>(producerProps, new ByteArraySerializer(), new ByteArraySerializer());
}
Aggregations