
Example 51 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.

the class RequestResponseTest method createUpdateMetadataRequest.

/**
 * Builds an {@link UpdateMetadataRequest} fixture with three partition states and two live brokers.
 *
 * <p>Broker 0 advertises a single PLAINTEXT endpoint. Broker 1 advertises a PLAINTEXT endpoint and,
 * when {@code version > 0}, two additional SSL endpoints: one whose listener name is derived from
 * the security protocol and one with the explicit listener name {@code "CLIENT"}. The host names
 * and ports are fixture values only.
 *
 * @param version request version handed to the builder (narrowed to {@code short}); also decides
 *                whether the SSL endpoints are added
 * @param rack    rack value passed to both brokers
 * @return the request produced by {@code UpdateMetadataRequest.Builder#build()}
 */
private UpdateMetadataRequest createUpdateMetadataRequest(int version, String rack) {
    // The same three replica lists are shared by every partition state below.
    final List<Integer> inSync = asList(1, 2);
    final List<Integer> assigned = asList(1, 2, 3, 4);
    final List<Integer> offline = asList();

    final Map<TopicPartition, UpdateMetadataRequest.PartitionState> statesByPartition = new HashMap<>();
    statesByPartition.put(
            new TopicPartition("topic5", 105),
            new UpdateMetadataRequest.PartitionState(0, 2, 1, inSync, 2, assigned, offline));
    statesByPartition.put(
            new TopicPartition("topic5", 1),
            new UpdateMetadataRequest.PartitionState(1, 1, 1, inSync, 2, assigned, offline));
    statesByPartition.put(
            new TopicPartition("topic20", 1),
            new UpdateMetadataRequest.PartitionState(1, 0, 1, inSync, 2, assigned, offline));

    // Unencrypted, unauthenticated listener: every broker in the fixture exposes one.
    final SecurityProtocol clearText = SecurityProtocol.PLAINTEXT;

    final List<UpdateMetadataRequest.EndPoint> firstBrokerEndPoints = new ArrayList<>();
    firstBrokerEndPoints.add(
            new UpdateMetadataRequest.EndPoint("host1", 1223, clearText, ListenerName.forSecurityProtocol(clearText)));

    final List<UpdateMetadataRequest.EndPoint> secondBrokerEndPoints = new ArrayList<>();
    secondBrokerEndPoints.add(
            new UpdateMetadataRequest.EndPoint("host1", 1244, clearText, ListenerName.forSecurityProtocol(clearText)));

    // Only versions above 0 get the extra SSL endpoints on the second broker.
    if (version >= 1) {
        final SecurityProtocol tls = SecurityProtocol.SSL;
        secondBrokerEndPoints.add(
                new UpdateMetadataRequest.EndPoint("host2", 1234, tls, ListenerName.forSecurityProtocol(tls)));
        // Same protocol, but with a listener name that does not match the protocol name.
        secondBrokerEndPoints.add(
                new UpdateMetadataRequest.EndPoint("host2", 1334, tls, new ListenerName("CLIENT")));
    }

    final UpdateMetadataRequest.Broker firstBroker = new UpdateMetadataRequest.Broker(0, firstBrokerEndPoints, rack);
    final UpdateMetadataRequest.Broker secondBroker = new UpdateMetadataRequest.Broker(1, secondBrokerEndPoints, rack);
    final Set<UpdateMetadataRequest.Broker> liveBrokers = Utils.mkSet(firstBroker, secondBroker);

    final UpdateMetadataRequest.Builder builder =
            new UpdateMetadataRequest.Builder((short) version, 1, 10, statesByPartition, liveBrokers);
    return builder.build();
}
Also used : HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) ArrayList(java.util.ArrayList) ListenerName(org.apache.kafka.common.network.ListenerName) TopicPartition(org.apache.kafka.common.TopicPartition)

Example 52 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.

the class SaslAuthenticatorTest method testMultipleServerMechanisms.

/**
 * Tests that servers supporting multiple SASL mechanisms work with clients using
 * any of the enabled mechanisms.
 */
@Test
public void testMultipleServerMechanisms() throws Exception {
    // All three mechanisms run over SASL_SSL, so the SASL exchange (including the
    // PLAIN password) travels inside TLS.
    final SecurityProtocol protocol = SecurityProtocol.SASL_SSL;

    // Presumably the first argument is the client mechanism and the list is what the
    // server enables -- confirm against configureMechanisms. DIGEST-MD5 was moved to
    // Historic by RFC 6331; it is enabled here alongside PLAIN and SCRAM-SHA-256.
    configureMechanisms("DIGEST-MD5", Arrays.asList("DIGEST-MD5", "PLAIN", "SCRAM-SHA-256"));
    server = createEchoServer(protocol);
    updateScramCredentialCache(TestJaasConfig.USERNAME, TestJaasConfig.PASSWORD);

    // Client 1: PLAIN, through the combined connect-and-check helper.
    final String plainNode = "1";
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
    createAndCheckClientConnection(protocol, plainNode);

    // Client 2: DIGEST-MD5, with a fresh selector connected by hand.
    // NOTE(review): createSelector replaces the shared selector field; confirm that it
    // (or the helper above) closes the previous selector so sockets are not left open.
    final String digestNode = "2";
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "DIGEST-MD5");
    createSelector(protocol, saslClientConfigs);
    final InetSocketAddress serverAddress = new InetSocketAddress("127.0.0.1", server.port());
    selector.connect(digestNode, serverAddress, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(selector, digestNode, 100, 10);

    // Client 3: SCRAM-SHA-256, again with its own selector.
    final String scramNode = "3";
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "SCRAM-SHA-256");
    createSelector(protocol, saslClientConfigs);
    final InetSocketAddress scramAddress = new InetSocketAddress("127.0.0.1", server.port());
    selector.connect(scramNode, scramAddress, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(selector, scramNode, 100, 10);
}
Also used : InetSocketAddress(java.net.InetSocketAddress) SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) Test(org.junit.Test)

Example 53 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.

the class SaslAuthenticatorTest method testServerDynamicJaasConfiguration.

/**
 * Tests dynamic JAAS configuration property for SASL server. Invalid server credentials
 * are set in the static JVM-wide configuration instance to ensure that the dynamic
 * property override is used during authentication.
 */
@Test
public void testServerDynamicJaasConfiguration() throws Exception {
    final SecurityProtocol protocol = SecurityProtocol.SASL_SSL;
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
    saslServerConfigs.put(BrokerSecurityConfigs.SASL_ENABLED_MECHANISMS_CONFIG, Arrays.asList("PLAIN"));

    // Dynamic, listener- and mechanism-scoped server JAAS config: this is where the
    // valid user/password pairs live. The values are test fixtures.
    final Map<String, Object> dynamicServerUsers = new HashMap<>();
    dynamicServerUsers.put("user_user1", "user1-secret");
    dynamicServerUsers.put("user_user2", "user2-secret");
    final String listenerJaasKey = "listener.name.sasl_ssl.plain." + SaslConfigs.SASL_JAAS_CONFIG;
    saslServerConfigs.put(listenerJaasKey, TestJaasConfig.jaasConfigProperty("PLAIN", dynamicServerUsers));

    // Static JVM-wide config: the server entry is created with an empty option map,
    // i.e. no users, so authentication can only succeed if the dynamic property
    // above is the one actually consulted.
    final TestJaasConfig jvmWideConfig = new TestJaasConfig();
    jvmWideConfig.createOrUpdateEntry(
            TestJaasConfig.LOGIN_CONTEXT_SERVER,
            PlainLoginModule.class.getName(),
            Collections.<String, Object>emptyMap());
    jvmWideConfig.setClientOptions("PLAIN", "user1", "user1-secret");
    Configuration.setConfiguration(jvmWideConfig);

    server = createEchoServer(protocol);

    // 'user1' takes its client credentials from the static JAAS config.
    createAndCheckClientConnection(protocol, "1");

    // 'user2' supplies client credentials through the sasl.jaas.config override.
    final String user2ClientJaas = TestJaasConfig.jaasConfigProperty("PLAIN", "user2", "user2-secret");
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, user2ClientJaas);
    createAndCheckClientConnection(protocol, "2");
}
Also used : HashMap(java.util.HashMap) SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) PlainLoginModule(org.apache.kafka.common.security.plain.PlainLoginModule) Test(org.junit.Test)

Example 54 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.

the class SaslAuthenticatorTest method testInvalidApiVersionsRequestSequence.

/**
 * Tests that ApiVersionsRequest after Kafka SASL handshake request flow,
 * but prior to actual SASL authentication, results in authentication failure.
 * This is similar to {@link #testUnauthenticatedApiVersionsRequest(SecurityProtocol, short)}
 * where a non-SASL client is used to send requests that are processed by
 * {@link SaslServerAuthenticator} of the server prior to client authentication.
 */
@Test
public void testInvalidApiVersionsRequestSequence() throws Exception {
    final SecurityProtocol serverProtocol = SecurityProtocol.SASL_PLAINTEXT;
    configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
    server = createEchoServer(serverProtocol);

    // Out-of-order client: it connects as a plain (non-SASL) client to the SASL
    // listener, performs the SASL handshake, then sends ApiVersionsRequest where the
    // server expects authentication to start.
    final String misbehavingNode = "invalid1";
    createClientConnection(SecurityProtocol.PLAINTEXT, misbehavingNode);
    sendHandshakeRequestReceiveResponse(misbehavingNode, (short) 1);

    final ApiVersionsRequest apiVersions = createApiVersionsRequestV0();
    final RequestHeader header =
            new RequestHeader(ApiKeys.API_VERSIONS, apiVersions.version(), "someclient", 2);
    selector.send(apiVersions.toSend(misbehavingNode, header));

    // The server is expected to drop the channel rather than answer the request.
    // NOTE(review): the third argument is presumably the channel state expected at
    // close -- confirm against NetworkTestUtils.waitForChannelClose.
    NetworkTestUtils.waitForChannelClose(selector, misbehavingNode, ChannelState.READY.state());
    selector.close();

    // A correctly authenticating client must still be served after the rejected one.
    createAndCheckClientConnection(serverProtocol, "good1");
}
Also used : SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) RequestHeader(org.apache.kafka.common.requests.RequestHeader) ApiVersionsRequest(org.apache.kafka.common.requests.ApiVersionsRequest) Test(org.junit.Test)

Example 55 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.

the class SaslAuthenticatorTest method testScramUsernameWithSpecialCharacters.

/**
 * Tests SASL/SCRAM with username containing characters that need
 * to be encoded.
 */
@Test
public void testScramUsernameWithSpecialCharacters() throws Exception {
    final SecurityProtocol protocol = SecurityProtocol.SASL_SSL;

    // The user name contains '=' and ',', which SCRAM (RFC 5802) uses as attribute
    // delimiters and therefore requires to be escaped, plus spaces.
    final String specialUser = "special user= test,scram";
    final String specialPassword = specialUser + "-password";

    final TestJaasConfig jaas = configureMechanisms("SCRAM-SHA-256", Arrays.asList("SCRAM-SHA-256"));

    // Replace the client login entry so the client authenticates as the special user.
    final Map<String, Object> clientLoginOptions = new HashMap<>();
    clientLoginOptions.put("username", specialUser);
    clientLoginOptions.put("password", specialPassword);
    jaas.createOrUpdateEntry(
            TestJaasConfig.LOGIN_CONTEXT_CLIENT,
            ScramLoginModule.class.getName(),
            clientLoginOptions);

    server = createEchoServer(protocol);
    // Presumably registers the same credentials on the server side -- confirm against
    // updateScramCredentialCache.
    updateScramCredentialCache(specialUser, specialPassword);
    createAndCheckClientConnection(protocol, "0");
}
Also used : HashMap(java.util.HashMap) ScramLoginModule(org.apache.kafka.common.security.scram.ScramLoginModule) SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) Test(org.junit.Test)
