
Example 1 with SaslAuthenticateRequest

use of org.apache.kafka.common.requests.SaslAuthenticateRequest in project apache-kafka-on-k8s by banzaicloud.

the class SaslAuthenticatorTest method authenticateUsingSaslPlainAndCheckConnection.

/**
 * Performs a hand-rolled SASL/PLAIN authentication on {@code node} and then verifies that the
 * connection is usable for ordinary traffic.
 *
 * <p>PLAIN provides no confidentiality of its own: the password travels inside the token exactly
 * as built below. The credentials here are test fixtures; outside of tests this exchange belongs
 * on a TLS-protected listener.
 *
 * @param node id of the connection to authenticate
 * @param enableSaslAuthenticateHeader when true the token is wrapped in a SASL_AUTHENTICATE Kafka
 *        request; when false the raw token bytes are sent as the network payload
 * @throws Exception if encoding, sending or the connection check fails
 */
private void authenticateUsingSaslPlainAndCheckConnection(String node, boolean enableSaslAuthenticateHeader) throws Exception {
    // PLAIN message layout (RFC 4616): [authzid] NUL authcid NUL passwd.
    // The authorization id is left empty, hence the leading NUL.
    String plainMessage = "\u0000" + TestJaasConfig.USERNAME + "\u0000" + TestJaasConfig.PASSWORD;
    ByteBuffer credentials = ByteBuffer.wrap(plainMessage.getBytes("UTF-8"));

    if (!enableSaslAuthenticateHeader) {
        // Legacy framing: the token is the whole payload, with no Kafka request header.
        selector.send(new NetworkSend(node, credentials));
        waitForResponse();
    } else {
        // Framed variant: the token is carried by a SASL_AUTHENTICATE request.
        SaslAuthenticateRequest authenticateRequest = new SaslAuthenticateRequest.Builder(credentials).build();
        sendKafkaRequestReceiveResponse(node, ApiKeys.SASL_AUTHENTICATE, authenticateRequest);
    }

    // Authentication was driven by hand above; confirm the channel now carries normal traffic.
    NetworkTestUtils.checkClientConnection(selector, node, 100, 10);
}
Also used : SaslAuthenticateRequest(org.apache.kafka.common.requests.SaslAuthenticateRequest) NetworkSend(org.apache.kafka.common.network.NetworkSend) ByteBuffer(java.nio.ByteBuffer)

Example 2 with SaslAuthenticateRequest

use of org.apache.kafka.common.requests.SaslAuthenticateRequest in project apache-kafka-on-k8s by banzaicloud.

the class SaslClientAuthenticator method sendSaslClientToken.

/**
 * Sends the next SASL client token to the server when one is due. The token is either the
 * initial one that opens the exchange or the answer to a server challenge.
 *
 * <p>NOTE(review): for mechanisms such as PLAIN the token carries the password itself, so it
 * should never be written to logs; this method only hands it to the network layer.
 *
 * @param serverToken challenge bytes received from the server, passed on to
 *        {@code createSaslToken}
 * @param isInitial whether this call starts the token exchange
 * @return true if a token was sent to the server, false if the SASL client had already
 *         completed or no token was produced
 * @throws IOException if creating or sending the token fails
 */
private boolean sendSaslClientToken(byte[] serverToken, boolean isInitial) throws IOException {
    // Nothing to send once the SASL client reports the exchange as finished.
    if (saslClient.isComplete()) {
        return false;
    }

    byte[] saslToken = createSaslToken(serverToken, isInitial);
    if (saslToken == null) {
        return false;
    }

    ByteBuffer outgoing = ByteBuffer.wrap(saslToken);
    boolean wrapInKafkaRequest = saslAuthenticateVersion != DISABLE_KAFKA_SASL_AUTHENTICATE_HEADER;
    if (wrapInKafkaRequest) {
        // Frame the token as a SASL_AUTHENTICATE request with its own request header;
        // otherwise the raw token bytes go out unframed.
        SaslAuthenticateRequest authenticateRequest =
                new SaslAuthenticateRequest.Builder(outgoing).build(saslAuthenticateVersion);
        outgoing = authenticateRequest.serialize(
                nextRequestHeader(ApiKeys.SASL_AUTHENTICATE, saslAuthenticateVersion));
    }

    send(new NetworkSend(node, outgoing));
    return true;
}
Also used : SaslAuthenticateRequest(org.apache.kafka.common.requests.SaslAuthenticateRequest) NetworkSend(org.apache.kafka.common.network.NetworkSend) ByteBuffer(java.nio.ByteBuffer)

Example 3 with SaslAuthenticateRequest

use of org.apache.kafka.common.requests.SaslAuthenticateRequest in project apache-kafka-on-k8s by banzaicloud.

the class SaslServerAuthenticator method handleSaslToken.

/**
 * Processes one SASL token received from the client and sends the server's reply.
 *
 * <p>{@code clientToken} comes from a peer that has not finished authenticating (the request
 * context below is built with {@code KafkaPrincipal.ANONYMOUS}), so every byte parsed here is
 * untrusted input.
 *
 * <p>On failure the client is sent an error response before the exception is rethrown. For a
 * plain {@code SaslException} the exception's own message is not forwarded; a fixed message
 * naming the mechanism is sent instead. Only a {@code SaslAuthenticationException} message is
 * passed through to the client.
 *
 * @param clientToken raw token bytes, or a serialized Kafka request when SASL_AUTHENTICATE
 *        headers are enabled
 * @throws IOException if parsing, SASL evaluation or sending the response fails
 */
private void handleSaslToken(byte[] clientToken) throws IOException {
    if (!enableKafkaSaslAuthenticateHeaders) {
        // Legacy framing: the payload is the bare SASL token and so is the reply.
        byte[] challenge = saslServer.evaluateResponse(clientToken);
        if (challenge != null) {
            netOutBuffer = new NetworkSend(connectionId, ByteBuffer.wrap(challenge));
            flushNetOutBufferAndUpdateInterestOps();
        }
        return;
    }

    // Framed variant: the payload is a Kafka request (header + body).
    ByteBuffer requestBuffer = ByteBuffer.wrap(clientToken);
    RequestHeader header = RequestHeader.parse(requestBuffer);
    ApiKeys apiKey = header.apiKey();
    short version = header.apiVersion();
    RequestContext requestContext = new RequestContext(
            header, connectionId, clientAddress(), KafkaPrincipal.ANONYMOUS, listenerName, securityProtocol);
    // The body is parsed before the API key check because the parsed request is what
    // produces the error response for an unexpected request type.
    RequestAndSize requestAndSize = requestContext.parseRequest(requestBuffer);

    // Only SASL_AUTHENTICATE is acceptable at this stage; anything else is answered with an
    // error and aborts the handshake.
    if (apiKey != ApiKeys.SASL_AUTHENTICATE) {
        IllegalSaslStateException e = new IllegalSaslStateException("Unexpected Kafka request of type " + apiKey + " during SASL authentication.");
        sendKafkaResponse(requestContext, requestAndSize.request.getErrorResponse(e));
        throw e;
    }
    if (!apiKey.isVersionSupported(version)) {
        // Not expected in practice: clients typically learn the supported versions through
        // ApiVersionsRequest first.
        throw new UnsupportedVersionException("Version " + version + " is not supported for apiKey " + apiKey);
    }

    SaslAuthenticateRequest saslAuthenticateRequest = (SaslAuthenticateRequest) requestAndSize.request;
    try {
        byte[] authBytes = Utils.readBytes(saslAuthenticateRequest.saslAuthBytes());
        byte[] responseToken = saslServer.evaluateResponse(authBytes);
        // With the SASL_AUTHENTICATE header every request gets a response, even when the
        // server has no token to return.
        ByteBuffer responseBuf;
        if (responseToken == null) {
            responseBuf = EMPTY_BUFFER;
        } else {
            responseBuf = ByteBuffer.wrap(responseToken);
        }
        sendKafkaResponse(requestContext, new SaslAuthenticateResponse(Errors.NONE, null, responseBuf));
    } catch (SaslAuthenticationException | SaslException e) {
        String errorMessage;
        if (e instanceof SaslAuthenticationException) {
            errorMessage = e.getMessage();
        } else {
            // Generic text for the client; the underlying SaslException detail stays server-side.
            errorMessage = "Authentication failed due to invalid credentials with SASL mechanism " + saslMechanism;
        }
        sendKafkaResponse(requestContext, new SaslAuthenticateResponse(Errors.SASL_AUTHENTICATION_FAILED, errorMessage));
        throw e;
    }
}
Also used : SaslAuthenticateResponse(org.apache.kafka.common.requests.SaslAuthenticateResponse) NetworkSend(org.apache.kafka.common.network.NetworkSend) IllegalSaslStateException(org.apache.kafka.common.errors.IllegalSaslStateException) SaslException(javax.security.sasl.SaslException) ByteBuffer(java.nio.ByteBuffer) ApiKeys(org.apache.kafka.common.protocol.ApiKeys) SaslAuthenticateRequest(org.apache.kafka.common.requests.SaslAuthenticateRequest) RequestAndSize(org.apache.kafka.common.requests.RequestAndSize) RequestHeader(org.apache.kafka.common.requests.RequestHeader) RequestContext(org.apache.kafka.common.requests.RequestContext) SaslAuthenticationException(org.apache.kafka.common.errors.SaslAuthenticationException) UnsupportedVersionException(org.apache.kafka.common.errors.UnsupportedVersionException)
