Use of org.apache.kafka.common.security.JaasContext in project apache-kafka-on-k8s by banzaicloud.
The class PlainSaslServerTest, method setUp.
@Before
public void setUp() throws Exception {
    // Two known users are registered as PlainLoginModule options under the
    // "user_<name>" key convention so the server has credentials to check against.
    Map<String, Object> loginOptions = new HashMap<>();
    loginOptions.put("user_" + USER_A, PASSWORD_A);
    loginOptions.put("user_" + USER_B, PASSWORD_B);

    TestJaasConfig config = new TestJaasConfig();
    config.addEntry("jaasContext", PlainLoginModule.class.getName(), loginOptions);

    // Server-side context (Type.SERVER) backed by the in-memory test configuration.
    saslServer = new PlainSaslServer(
        new JaasContext("jaasContext", JaasContext.Type.SERVER, config, null));
}
Use of org.apache.kafka.common.security.JaasContext in project apache-kafka-on-k8s by banzaicloud.
The class SaslChannelBuilderTest, method createChannelBuilder.
/**
 * Builds a client-mode {@link SaslChannelBuilder} for the given protocol using a
 * single PLAIN server context with no login-module options.
 *
 * @param securityProtocol the protocol the builder is created for
 * @return an unconfigured builder for the PLAIN mechanism
 */
private SaslChannelBuilder createChannelBuilder(SecurityProtocol securityProtocol) {
    TestJaasConfig config = new TestJaasConfig();
    config.addEntry("jaasContext", PlainLoginModule.class.getName(), new HashMap<String, Object>());
    JaasContext plainContext = new JaasContext("jaasContext", JaasContext.Type.SERVER, config, null);
    Map<String, JaasContext> contextsByMechanism = Collections.singletonMap("PLAIN", plainContext);

    // Client mode; not an inter-broker listener (false); SASL handshake requests
    // enabled (true); no credential cache and no delegation-token cache (null, null).
    return new SaslChannelBuilder(Mode.CLIENT, contextsByMechanism, securityProtocol,
        new ListenerName("PLAIN"), false, "PLAIN", true, null, null);
}
Use of org.apache.kafka.common.security.JaasContext in project apache-kafka-on-k8s by banzaicloud.
The class SaslChannelBuilder, method configure.
/**
 * Configures this builder: acquires one {@link LoginManager} per SASL mechanism,
 * sets up the Kerberos short-namer when GSSAPI is present and, for SASL_SSL,
 * creates the {@link SslFactory}.
 *
 * <p>Any failure releases already-acquired resources via {@code close()} before
 * the cause is rethrown wrapped in a {@link KafkaException}.
 *
 * @param configs the (possibly listener-prefixed) client or broker configuration
 * @throws KafkaException if any step of the setup fails
 */
@Override
public void configure(Map<String, ?> configs) throws KafkaException {
    try {
        this.configs = configs;

        // Kerberos is considered enabled only when a GSSAPI JAAS context was supplied.
        boolean kerberosEnabled = jaasContexts.containsKey(SaslConfigs.GSSAPI_MECHANISM);
        if (kerberosEnabled) {
            String realm;
            try {
                realm = defaultKerberosRealm();
            } catch (Exception realmLookupFailure) {
                // Best-effort: an unknown default realm degrades to "" and the rules
                // are still parsed. The underlying cause is intentionally not surfaced here.
                realm = "";
            }
            @SuppressWarnings("unchecked")
            List<String> shortNameRules = (List<String>) configs.get(BrokerSecurityConfigs.SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES_CONFIG);
            if (shortNameRules != null) {
                kerberosShortNamer = KerberosShortNamer.fromUnparsedRules(realm, shortNameRules);
            }
        }

        for (Map.Entry<String, JaasContext> contextEntry : jaasContexts.entrySet()) {
            String saslMechanism = contextEntry.getKey();
            // With static JAAS configuration, use KerberosLogin if Kerberos is enabled. With dynamic JAAS configuration,
            // use KerberosLogin only for the LoginContext corresponding to GSSAPI
            LoginManager manager = LoginManager.acquireLoginManager(contextEntry.getValue(), saslMechanism, kerberosEnabled, configs);
            loginManagers.put(saslMechanism, manager);
            subjects.put(saslMechanism, manager.subject());
        }

        if (this.securityProtocol == SecurityProtocol.SASL_SSL) {
            // SASL authenticates the peer, so TLS client authentication is set to "none".
            this.sslFactory = new SslFactory(mode, "none", isInterBrokerListener);
            this.sslFactory.configure(configs);
        }
    } catch (Exception e) {
        // Release login managers / SSL state acquired so far before propagating.
        close();
        throw new KafkaException(e);
    }
}
Use of org.apache.kafka.common.security.JaasContext in project apache-kafka-on-k8s by banzaicloud.
The class ChannelBuilders, method create.
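/**
 * Creates and configures the {@link ChannelBuilder} for a security protocol.
 *
 * <p>For SASL protocols in {@link Mode#SERVER}, one {@link JaasContext} is loaded per
 * mechanism listed in {@code sasl.enabled.mechanisms}; in client mode a single
 * context is loaded for {@code clientSaslMechanism}, from the client or the server
 * JAAS section depending on {@code contextType}.
 *
 * @param securityProtocol        protocol of the listener / connection
 * @param mode                    client or server side; required for SSL and SASL protocols
 * @param contextType             which JAAS section to use for the client-side SASL context
 * @param config                  source configuration
 * @param listenerName            listener whose prefixed values override the base config, or {@code null}
 * @param isInterBrokerListener   whether this builder serves inter-broker traffic
 * @param clientSaslMechanism     SASL mechanism used in client mode
 * @param saslHandshakeRequestEnable whether SaslHandshakeRequest is sent
 * @param credentialCache         credential cache handed to the SASL builder (may be {@code null})
 * @param tokenCache              delegation-token cache handed to the SASL builder (may be {@code null})
 * @return the configured builder
 * @throws IllegalArgumentException for an unsupported protocol, or when a SASL server
 *         listener has no {@code sasl.enabled.mechanisms} value
 */
private static ChannelBuilder create(SecurityProtocol securityProtocol, Mode mode, JaasContext.Type contextType, AbstractConfig config, ListenerName listenerName, boolean isInterBrokerListener, String clientSaslMechanism, boolean saslHandshakeRequestEnable, CredentialCache credentialCache, DelegationTokenCache tokenCache) {
    // Listener-prefixed values take precedence over the base config when a listener is given.
    Map<String, ?> configs;
    if (listenerName == null) {
        configs = config.values();
    } else {
        configs = config.valuesWithPrefixOverride(listenerName.configPrefix());
    }

    ChannelBuilder channelBuilder;
    switch (securityProtocol) {
        case SSL:
            requireNonNullMode(mode, securityProtocol);
            channelBuilder = new SslChannelBuilder(mode, listenerName, isInterBrokerListener);
            break;
        case SASL_SSL:
        case SASL_PLAINTEXT:
            requireNonNullMode(mode, securityProtocol);
            Map<String, JaasContext> jaasContexts;
            if (mode == Mode.SERVER) {
                // The config value is stored untyped; the cast is the same one the rest of
                // the code base relies on for this key, hence the narrow suppression.
                @SuppressWarnings("unchecked")
                List<String> enabledMechanisms = (List<String>) configs.get(BrokerSecurityConfigs.SASL_ENABLED_MECHANISMS_CONFIG);
                if (enabledMechanisms == null) {
                    // Fail with a named cause instead of an NPE on size() below.
                    throw new IllegalArgumentException(BrokerSecurityConfigs.SASL_ENABLED_MECHANISMS_CONFIG
                        + " must be set for SASL listener " + listenerName);
                }
                jaasContexts = new HashMap<>(enabledMechanisms.size());
                for (String mechanism : enabledMechanisms) {
                    jaasContexts.put(mechanism, JaasContext.loadServerContext(listenerName, mechanism, configs));
                }
            } else {
                // Use server context for inter-broker client connections and client context for other clients
                JaasContext jaasContext = contextType == JaasContext.Type.CLIENT
                    ? JaasContext.loadClientContext(configs)
                    : JaasContext.loadServerContext(listenerName, clientSaslMechanism, configs);
                jaasContexts = Collections.singletonMap(clientSaslMechanism, jaasContext);
            }
            channelBuilder = new SaslChannelBuilder(mode, jaasContexts, securityProtocol, listenerName, isInterBrokerListener, clientSaslMechanism, saslHandshakeRequestEnable, credentialCache, tokenCache);
            break;
        case PLAINTEXT:
            channelBuilder = new PlaintextChannelBuilder();
            break;
        default:
            throw new IllegalArgumentException("Unexpected securityProtocol " + securityProtocol);
    }

    channelBuilder.configure(configs);
    return channelBuilder;
}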
Use of org.apache.kafka.common.security.JaasContext in project kafka by apache.
The class LoginManagerTest, method testServerLoginManager.
/**
 * Server-side LoginManager caching: dynamic (sasl.jaas.config) contexts are keyed by
 * their JAAS config value, static contexts by the "KafkaServer" section name, and
 * repeated acquisition of the same context returns the same manager instance.
 */
@Test
public void testServerLoginManager() throws Exception {
    Map<String, Object> configs = new HashMap<>();
    configs.put("plain.sasl.jaas.config", dynamicPlainContext);
    configs.put("digest-md5.sasl.jaas.config", dynamicDigestContext);
    ListenerName listener = new ListenerName("listener1");

    // PLAIN and DIGEST-MD5 come from dynamic config; SCRAM-SHA-256 falls back to the static section.
    JaasContext plainContext = JaasContext.loadServerContext(listener, "PLAIN", configs);
    JaasContext digestContext = JaasContext.loadServerContext(listener, "DIGEST-MD5", configs);
    JaasContext scramContext = JaasContext.loadServerContext(listener, "SCRAM-SHA-256", configs);

    // First acquisition of each context (reference count 1).
    LoginManager plainLogin = LoginManager.acquireLoginManager(plainContext, "PLAIN", DefaultLogin.class, configs);
    assertEquals(dynamicPlainContext, plainLogin.cacheKey());

    LoginManager digestLogin = LoginManager.acquireLoginManager(digestContext, "DIGEST-MD5", DefaultLogin.class, configs);
    assertNotSame(plainLogin, digestLogin);
    assertEquals(dynamicDigestContext, digestLogin.cacheKey());

    LoginManager scramLogin = LoginManager.acquireLoginManager(scramContext, "SCRAM-SHA-256", DefaultLogin.class, configs);
    assertNotSame(plainLogin, scramLogin);
    assertEquals("KafkaServer", scramLogin.cacheKey());

    // Second acquisition of each context must hit the cache (reference count 2).
    assertSame(plainLogin, LoginManager.acquireLoginManager(plainContext, "PLAIN", DefaultLogin.class, configs));
    assertSame(digestLogin, LoginManager.acquireLoginManager(digestContext, "DIGEST-MD5", DefaultLogin.class, configs));
    assertSame(scramLogin, LoginManager.acquireLoginManager(scramContext, "SCRAM-SHA-256", DefaultLogin.class, configs));

    // Each manager was acquired twice, so two releases are needed to drop it.
    verifyLoginManagerRelease(plainLogin, 2, plainContext, configs);
    verifyLoginManagerRelease(digestLogin, 2, digestContext, configs);
    verifyLoginManagerRelease(scramLogin, 2, scramContext, configs);
}