
Example 1 with AuthenticateCallbackHandler

use of org.apache.kafka.common.security.auth.AuthenticateCallbackHandler in project kafka by apache.

Method createServerCallbackHandlers of class SaslChannelBuilder.

/**
 * Builds one server-side {@link AuthenticateCallbackHandler} per SASL mechanism present in
 * {@code jaasContexts} and records it in {@code saslCallbackHandlers}.
 * <p>
 * Per mechanism, an operator-configured handler class (looked up under the mechanism prefix +
 * {@code BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS}) takes precedence; otherwise a
 * built-in handler is selected for PLAIN, SCRAM and OAUTHBEARER, with
 * {@link SaslServerCallbackHandler} as the final fallback.
 * <p>
 * NOTE(review): the built-in OAUTHBEARER fallback is
 * {@code OAuthBearerUnsecuredValidatorCallbackHandler} (package {@code internals.unsecured}); its
 * name indicates it is not a production-grade validator, so listeners using OAUTHBEARER should
 * configure an explicit handler class rather than rely on this default — confirm against that
 * class's Javadoc.
 *
 * @param configs broker configuration; the handler class entry is read via an unchecked cast
 */
private void createServerCallbackHandlers(Map<String, ?> configs) {
    for (String mechanism : jaasContexts.keySet()) {
        saslCallbackHandlers.put(mechanism, resolveServerCallbackHandler(mechanism, configs));
    }
}

/**
 * Chooses the callback handler for a single mechanism: the configured class if present, else the
 * built-in handler matching the mechanism, else the generic {@link SaslServerCallbackHandler}.
 */
private AuthenticateCallbackHandler resolveServerCallbackHandler(String mechanism, Map<String, ?> configs) {
    String handlerClassKey = ListenerName.saslMechanismPrefix(mechanism) + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS;
    @SuppressWarnings("unchecked")
    Class<? extends AuthenticateCallbackHandler> configuredClass = (Class<? extends AuthenticateCallbackHandler>) configs.get(handlerClassKey);
    if (configuredClass != null) {
        // Operator-supplied handler wins over every built-in default.
        return Utils.newInstance(configuredClass);
    }
    if (mechanism.equals(PlainSaslServer.PLAIN_MECHANISM)) {
        return new PlainServerCallbackHandler();
    }
    if (ScramMechanism.isScram(mechanism)) {
        return new ScramServerCallbackHandler(credentialCache.cache(mechanism, ScramCredential.class), tokenCache);
    }
    if (mechanism.equals(OAuthBearerLoginModule.OAUTHBEARER_MECHANISM)) {
        return new OAuthBearerUnsecuredValidatorCallbackHandler();
    }
    return new SaslServerCallbackHandler();
}

Example 2 with AuthenticateCallbackHandler

use of org.apache.kafka.common.security.auth.AuthenticateCallbackHandler in project kafka by apache.

Method setupAuthenticator of class SaslServerAuthenticatorTest.

/**
 * Test helper that wires a {@link SaslServerAuthenticator} for exactly one mechanism, backed by a
 * plain {@link SaslServerCallbackHandler}, a fresh empty {@link Subject}, an {@code "ssl"} listener
 * over {@code SASL_SSL} and the default ZK-broker {@link ApiVersionsResponse}.
 * <p>
 * The {@link TestJaasConfig} created here is not referenced afterwards; presumably constructing
 * it installs the JAAS configuration as a side effect — verify against TestJaasConfig.
 *
 * @param configs authenticator configuration passed straight through
 * @param transportLayer transport the authenticator reads from and writes to
 * @param mechanism the single SASL mechanism the authenticator will know about
 * @param metadataRegistry registry the authenticator records channel metadata in
 * @return a configured authenticator for {@code mechanism}
 */
private SaslServerAuthenticator setupAuthenticator(Map<String, ?> configs, TransportLayer transportLayer, String mechanism, ChannelMetadataRegistry metadataRegistry) {
    TestJaasConfig testJaasConfig = new TestJaasConfig();
    testJaasConfig.addEntry("jaasContext", PlainLoginModule.class.getName(), new HashMap<String, Object>());
    Map<String, Subject> mechanismSubjects = Collections.singletonMap(mechanism, new Subject());
    Map<String, AuthenticateCallbackHandler> mechanismHandlers = Collections.singletonMap(mechanism, new SaslServerCallbackHandler());
    final ApiVersionsResponse versionsResponse = ApiVersionsResponse.defaultApiVersionsResponse(ApiMessageType.ListenerType.ZK_BROKER);
    ListenerName sslListener = new ListenerName("ssl");
    return new SaslServerAuthenticator(configs, mechanismHandlers, "node", mechanismSubjects, null, sslListener, SecurityProtocol.SASL_SSL, transportLayer, Collections.emptyMap(), metadataRegistry, Time.SYSTEM, () -> versionsResponse);
}

Example 3 with AuthenticateCallbackHandler

use of org.apache.kafka.common.security.auth.AuthenticateCallbackHandler in project kafka by apache.

Method createSaslServer of class SaslServerAuthenticator.

/**
 * Creates the {@link SaslServer} for the negotiated mechanism and stores it in {@code saslServer}.
 * <p>
 * GSSAPI is delegated to {@code createSaslKerberosServer}; every other mechanism goes through
 * {@link Sasl#createSaslServer} executed under the mechanism's {@link Subject} via
 * {@link Subject#doAs}, with the mechanism's {@link AuthenticateCallbackHandler} attached.
 *
 * @param mechanism the SASL mechanism selected during the handshake
 * @throws SaslException if no provider produced a server for the mechanism, or if the privileged
 *                       action failed (the underlying cause is preserved)
 * @throws IOException as declared; only {@link SaslException} is thrown from this body
 */
private void createSaslServer(String mechanism) throws IOException {
    this.saslMechanism = mechanism;
    Subject subject = subjects.get(mechanism);
    final AuthenticateCallbackHandler callbackHandler = callbackHandlers.get(mechanism);
    if (mechanism.equals(SaslConfigs.GSSAPI_MECHANISM)) {
        saslServer = createSaslKerberosServer(callbackHandler, configs, subject);
        return;
    }
    // Same message for both failure modes below; saslMechanism does not change in between.
    String failureMessage = "Kafka Server failed to create a SaslServer to interact with a client during session authentication with server mechanism " + saslMechanism;
    PrivilegedExceptionAction<SaslServer> createServer = () -> Sasl.createSaslServer(saslMechanism, "kafka", serverAddress().getHostName(), configs, callbackHandler);
    try {
        saslServer = Subject.doAs(subject, createServer);
    } catch (PrivilegedActionException e) {
        // Unwrap so callers see the provider's exception rather than the doAs wrapper.
        throw new SaslException(failureMessage, e.getCause());
    }
    if (saslServer == null) {
        // Sasl.createSaslServer returns null when no provider supports the mechanism.
        throw new SaslException(failureMessage);
    }
}

Example 4 with AuthenticateCallbackHandler

use of org.apache.kafka.common.security.auth.AuthenticateCallbackHandler in project kafka by apache.

Method createClientConnectionWithoutSaslAuthenticateHeader of class SaslAuthenticatorTest.

/**
 * Test helper that opens a client connection to {@code server} whose SASL client deliberately
 * behaves like a pre-header client: it always sends handshake version 0 and never sets the
 * SaslAuthenticate/handshake versions, so no SaslAuthenticate headers are used.
 * <p>
 * The anonymous {@link SaslChannelBuilder} is configured with {@code saslClientConfigs}, wrapped in
 * a selector stored in {@code this.selector}, and then connected to {@code localhost:server.port()}.
 *
 * @param securityProtocol protocol used to derive the listener name
 * @param saslMechanism mechanism to advertise in the handshake
 * @param node selector node id for the new connection
 * @throws Exception propagated from context loading, builder configuration or connect
 */
private void createClientConnectionWithoutSaslAuthenticateHeader(final SecurityProtocol securityProtocol, final String saslMechanism, String node) throws Exception {
    final ListenerName clientListenerName = ListenerName.forSecurityProtocol(securityProtocol);
    final Map<String, ?> emptyConfigs = Collections.emptyMap();
    final Map<String, JaasContext> mechanismContexts = Collections.singletonMap(saslMechanism, JaasContext.loadClientContext(emptyConfigs));
    SaslChannelBuilder headerlessBuilder = new SaslChannelBuilder(Mode.CLIENT, mechanismContexts, securityProtocol, clientListenerName, false, saslMechanism, true, null, null, null, time, new LogContext(), null) {

        @Override
        protected SaslClientAuthenticator buildClientAuthenticator(Map<String, ?> configs, AuthenticateCallbackHandler callbackHandler, String id, String serverHost, String servicePrincipal, TransportLayer transportLayer, Subject subject) {
            return new SaslClientAuthenticator(configs, callbackHandler, id, subject, servicePrincipal, serverHost, saslMechanism, true, transportLayer, time, new LogContext()) {

                @Override
                protected SaslHandshakeRequest createSaslHandshakeRequest(short version) {
                    // Ignore the negotiated version and always request handshake version 0.
                    return buildSaslHandshakeRequest(saslMechanism, (short) 0);
                }

                @Override
                protected void setSaslAuthenticateAndHandshakeVersions(ApiVersionsResponse apiVersionsResponse) {
                    // Intentionally empty: leaving the versions unset keeps SaslAuthenticate headers disabled.
                }
            };
        }
    };
    headerlessBuilder.configure(saslClientConfigs);
    this.selector = NetworkTestUtils.createSelector(headerlessBuilder, time);
    InetSocketAddress serverAddress = new InetSocketAddress("localhost", server.port());
    selector.connect(node, serverAddress, BUFFER_SIZE, BUFFER_SIZE);
}

Example 5 with AuthenticateCallbackHandler

use of org.apache.kafka.common.security.auth.AuthenticateCallbackHandler in project kafka by apache.

Method configure of class SaslChannelBuilder.

/**
 * Configures the builder for the given mode: creates and configures the per-mechanism callback
 * handlers, optionally sets up the Kerberos short-namer on servers with GSSAPI, acquires a
 * {@link LoginManager} (and its {@link Subject}) per JAAS context, and builds the
 * {@link SslFactory} when the listener is {@code SASL_SSL}.
 * <p>
 * Ordering matters: callback handlers are configured before any login manager is acquired, and
 * native GSSAPI credentials are added to the server subject right after its login manager exists.
 * On any failure, including {@link Error}s, {@code close()} is invoked first so already-acquired
 * login managers and the SSL factory are released, then the cause is rethrown as a
 * {@link KafkaException}.
 *
 * @param configs the client or broker configuration
 * @throws KafkaException wrapping whatever failed during configuration
 */
@SuppressWarnings("unchecked")
@Override
public void configure(Map<String, ?> configs) throws KafkaException {
    try {
        this.configs = configs;
        if (mode == Mode.SERVER) {
            createServerCallbackHandlers(configs);
            createConnectionsMaxReauthMsMap(configs);
        } else {
            createClientCallbackHandler(configs);
        }
        for (Map.Entry<String, AuthenticateCallbackHandler> handlerEntry : saslCallbackHandlers.entrySet()) {
            String mechanism = handlerEntry.getKey();
            handlerEntry.getValue().configure(configs, mechanism, jaasContexts.get(mechanism).configurationEntries());
        }
        Class<? extends Login> loginClass = defaultLoginClass();
        boolean serverWithGssapi = mode == Mode.SERVER && jaasContexts.containsKey(SaslConfigs.GSSAPI_MECHANISM);
        if (serverWithGssapi) {
            String realm = defaultRealmOrEmpty();
            List<String> principalRules = (List<String>) configs.get(BrokerSecurityConfigs.SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES_CONFIG);
            if (principalRules != null) {
                kerberosShortNamer = KerberosShortNamer.fromUnparsedRules(realm, principalRules);
            }
        }
        for (Map.Entry<String, JaasContext> contextEntry : jaasContexts.entrySet()) {
            String mechanism = contextEntry.getKey();
            // With static JAAS configuration, use KerberosLogin if Kerberos is enabled. With dynamic JAAS configuration,
            // use KerberosLogin only for the LoginContext corresponding to GSSAPI
            LoginManager loginManager = LoginManager.acquireLoginManager(contextEntry.getValue(), mechanism, loginClass, configs);
            loginManagers.put(mechanism, loginManager);
            Subject subject = loginManager.subject();
            subjects.put(mechanism, subject);
            if (mode == Mode.SERVER && mechanism.equals(SaslConfigs.GSSAPI_MECHANISM)) {
                maybeAddNativeGssapiCredentials(subject);
            }
        }
        if (this.securityProtocol == SecurityProtocol.SASL_SSL) {
            // Disable SSL client authentication as we are using SASL authentication
            this.sslFactory = new SslFactory(mode, sslClientAuthOverride, isInterBrokerListener);
            this.sslFactory.configure(configs);
        }
    } catch (Throwable e) {
        close();
        throw new KafkaException(e);
    }
}

/**
 * Returns the default Kerberos realm, or {@code ""} if it cannot be determined.
 * Best-effort on purpose: the realm only seeds the principal-to-local rules, and a missing
 * realm must not prevent the builder from configuring.
 */
private String defaultRealmOrEmpty() {
    try {
        return defaultKerberosRealm();
    } catch (Exception ignored) {
        // Deliberately swallowed; an empty realm is the documented fallback here.
        return "";
    }
}
