Examples with SecurityProtocol org.apache.kafka.common.security.auth.SecurityProtocol used on opensource projects

Example 86 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project kafka by apache.

the class SaslAuthenticatorTest method testTokenAuthenticationOverSaslScram.

@Test
public void testTokenAuthenticationOverSaslScram() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
    TestJaasConfig jaasConfig = configureMechanisms("SCRAM-SHA-256", Arrays.asList("SCRAM-SHA-256"));
    // create jaas config for token auth
    Map<String, Object> options = new HashMap<>();
    String tokenId = "token1";
    String tokenHmac = "abcdefghijkl";
    // tokenId
    options.put("username", tokenId);
    // token hmac
    options.put("password", tokenHmac);
    // enable token authentication
    options.put(ScramLoginModule.TOKEN_AUTH_CONFIG, "true");
    jaasConfig.createOrUpdateEntry(TestJaasConfig.LOGIN_CONTEXT_CLIENT, ScramLoginModule.class.getName(), options);
    server = createEchoServer(securityProtocol);
    // Check invalid tokenId/tokenInfo in tokenCache
    createAndCheckClientConnectionFailure(securityProtocol, "0");
    server.verifyAuthenticationMetrics(0, 1);
    // Check valid token Info and invalid credentials
    KafkaPrincipal owner = SecurityUtils.parseKafkaPrincipal("User:Owner");
    KafkaPrincipal renewer = SecurityUtils.parseKafkaPrincipal("User:Renewer1");
    TokenInformation tokenInfo = new TokenInformation(tokenId, owner, Collections.singleton(renewer), System.currentTimeMillis(), System.currentTimeMillis(), System.currentTimeMillis());
    server.tokenCache().addToken(tokenId, tokenInfo);
    createAndCheckClientConnectionFailure(securityProtocol, "0");
    server.verifyAuthenticationMetrics(0, 2);
    // Check with valid token Info and credentials
    updateTokenCredentialCache(tokenId, tokenHmac);
    createAndCheckClientConnection(securityProtocol, "0");
    server.verifyAuthenticationMetrics(1, 2);
    server.verifyReauthenticationMetrics(0, 0);
}

Example 87 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project kafka by apache.

the class SaslAuthenticatorTest method testUnknownUserSaslScram.

/**
 * Tests that SASL/SCRAM clients without valid username fail authentication.
 */
@Test
public void testUnknownUserSaslScram() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
    TestJaasConfig jaasConfig = configureMechanisms("SCRAM-SHA-256", Arrays.asList("SCRAM-SHA-256"));
    Map<String, Object> options = new HashMap<>();
    options.put("username", "unknownUser");
    options.put("password", TestJaasConfig.PASSWORD);
    jaasConfig.createOrUpdateEntry(TestJaasConfig.LOGIN_CONTEXT_CLIENT, ScramLoginModule.class.getName(), options);
    String node = "0";
    server = createEchoServer(securityProtocol);
    updateScramCredentialCache(TestJaasConfig.USERNAME, TestJaasConfig.PASSWORD);
    createAndCheckClientAuthenticationFailure(securityProtocol, node, "SCRAM-SHA-256", null);
    server.verifyAuthenticationMetrics(0, 1);
    server.verifyReauthenticationMetrics(0, 0);
}

Example 88 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project kafka by apache.

the class SaslAuthenticatorTest method testClientExceptionDoesNotContainSensitiveData.

/**
 * Verify that messages from SaslExceptions thrown in the server during authentication are not
 * propagated to the client since these may contain sensitive data.
 */
@Test
public void testClientExceptionDoesNotContainSensitiveData() throws Exception {
    InvalidScramServerCallbackHandler.reset();
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_PLAINTEXT;
    TestJaasConfig jaasConfig = configureMechanisms("SCRAM-SHA-256", Collections.singletonList("SCRAM-SHA-256"));
    jaasConfig.createOrUpdateEntry(TestJaasConfig.LOGIN_CONTEXT_SERVER, PlainLoginModule.class.getName(), new HashMap<>());
    String callbackPrefix = ListenerName.forSecurityProtocol(securityProtocol).saslMechanismConfigPrefix("SCRAM-SHA-256");
    saslServerConfigs.put(callbackPrefix + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS, InvalidScramServerCallbackHandler.class.getName());
    server = createEchoServer(securityProtocol);
    try {
        InvalidScramServerCallbackHandler.sensitiveException = new IOException("Could not connect to password database locahost:8000");
        createAndCheckClientAuthenticationFailure(securityProtocol, "1", "SCRAM-SHA-256", null);
        InvalidScramServerCallbackHandler.sensitiveException = new SaslException("Password for existing user " + TestServerCallbackHandler.USERNAME + " is invalid");
        createAndCheckClientAuthenticationFailure(securityProtocol, "1", "SCRAM-SHA-256", null);
        InvalidScramServerCallbackHandler.reset();
        InvalidScramServerCallbackHandler.clientFriendlyException = new SaslAuthenticationException("Credential verification failed");
        createAndCheckClientAuthenticationFailure(securityProtocol, "1", "SCRAM-SHA-256", InvalidScramServerCallbackHandler.clientFriendlyException.getMessage());
    } finally {
        InvalidScramServerCallbackHandler.reset();
    }
}

Example 89 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project kafka by apache.

the class SaslAuthenticatorTest method testDisallowedKafkaRequestsBeforeAuthentication.

/**
 * Tests that Kafka requests that are forbidden until successful authentication result
 * in authentication failure and do not cause any failures in the server.
 */
@Test
public void testDisallowedKafkaRequestsBeforeAuthentication() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_PLAINTEXT;
    configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
    server = createEchoServer(securityProtocol);
    // Send metadata request before Kafka SASL handshake request
    String node1 = "invalid1";
    createClientConnection(SecurityProtocol.PLAINTEXT, node1);
    MetadataRequest metadataRequest1 = new MetadataRequest.Builder(Collections.singletonList("sometopic"), true).build();
    RequestHeader metadataRequestHeader1 = new RequestHeader(ApiKeys.METADATA, metadataRequest1.version(), "someclient", 1);
    selector.send(new NetworkSend(node1, metadataRequest1.toSend(metadataRequestHeader1)));
    NetworkTestUtils.waitForChannelClose(selector, node1, ChannelState.READY.state());
    selector.close();
    // Test good connection still works
    createAndCheckClientConnection(securityProtocol, "good1");
    // Send metadata request after Kafka SASL handshake request
    String node2 = "invalid2";
    createClientConnection(SecurityProtocol.PLAINTEXT, node2);
    sendHandshakeRequestReceiveResponse(node2, (short) 1);
    MetadataRequest metadataRequest2 = new MetadataRequest.Builder(Collections.singletonList("sometopic"), true).build();
    RequestHeader metadataRequestHeader2 = new RequestHeader(ApiKeys.METADATA, metadataRequest2.version(), "someclient", 2);
    selector.send(new NetworkSend(node2, metadataRequest2.toSend(metadataRequestHeader2)));
    NetworkTestUtils.waitForChannelClose(selector, node2, ChannelState.READY.state());
    selector.close();
    // Test good connection still works
    createAndCheckClientConnection(securityProtocol, "good2");
}

Example 90 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project kafka by apache.

the class SaslAuthenticatorTest method testRepeatedValidSaslPlainOverSsl.

/**
 * Tests good path SASL/PLAIN client and server channels using SSL transport layer.
 * Repeatedly tests successful re-authentication over several seconds.
 */
@Test
public void testRepeatedValidSaslPlainOverSsl() throws Exception {
    String node = "0";
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
    configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
    /*
         * Make sure 85% of this value is at least 1 second otherwise it is possible for
         * the client to start re-authenticating but the server does not start due to
         * the 1-second minimum. If this happens the SASL HANDSHAKE request that was
         * injected to start re-authentication will be echoed back to the client instead
         * of the data that the client explicitly sent, and then the client will not
         * recognize that data and will throw an assertion error.
         */
    saslServerConfigs.put(BrokerSecurityConfigs.CONNECTIONS_MAX_REAUTH_MS, Double.valueOf(1.1 * 1000L / 0.85).longValue());
    server = createEchoServer(securityProtocol);
    createClientConnection(securityProtocol, node);
    checkClientConnection(node);
    server.verifyAuthenticationMetrics(1, 0);
    server.verifyReauthenticationMetrics(0, 0);
    double successfulReauthentications = 0;
    int desiredNumReauthentications = 5;
    long startMs = Time.SYSTEM.milliseconds();
    // stop after 15 seconds
    long timeoutMs = startMs + 1000 * 15;
    while (successfulReauthentications < desiredNumReauthentications && Time.SYSTEM.milliseconds() < timeoutMs) {
        checkClientConnection(node);
        successfulReauthentications = server.metricValue("successful-reauthentication-total");
    }
    server.verifyReauthenticationMetrics(desiredNumReauthentications, 0);
}