/**
 * Verifies that a SASL/PLAIN client configured with a password but no username is
 * rejected: the connect attempt must fail with an {@link IOException}, and afterwards
 * the selector must hold no open channels and no valid selection keys.
 *
 * @throws Exception if the echo server or the selector cannot be set up
 */
@Test
public void testMissingUsernameSaslPlain() throws Exception {
    final String nodeId = "0";
    TestJaasConfig jaasConfig = configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
    // Null username with an otherwise valid password: the client must refuse to build the channel.
    jaasConfig.setClientOptions("PLAIN", null, "mypassword");

    server = createEchoServer(SecurityProtocol.SASL_SSL);
    createSelector(SecurityProtocol.SASL_SSL, saslClientConfigs);
    InetSocketAddress serverAddress = new InetSocketAddress("127.0.0.1", server.port());

    boolean rejected = false;
    try {
        selector.connect(nodeId, serverAddress, BUFFER_SIZE, BUFFER_SIZE);
    } catch (IOException expected) {
        rejected = true;
    }
    assertTrue("SASL/PLAIN channel created without username", rejected);

    // A rejected connect must not leak a half-open channel or a live key.
    assertTrue("Channels not closed", selector.channels().isEmpty());
    for (SelectionKey key : selector.keys()) {
        assertFalse("Key not cancelled", key.isValid());
    }
}
/**
 * Verifies the per-client {@code sasl.jaas.config} override for SASL/PLAIN.
 * The process-wide JAAS {@link Configuration} is deliberately seeded with a wrong
 * client password, so every successful connection below proves that the dynamic
 * property, not the static configuration, supplied the credentials. Also checks that
 * a wrong override password still fails, and that an override listing more than one
 * login module is rejected outright even when each credential on its own is valid.
 *
 * @throws Exception if server setup or a connection attempt fails unexpectedly
 */
@Test
public void testClientDynamicJaasConfiguration() throws Exception {
    final SecurityProtocol protocol = SecurityProtocol.SASL_SSL;
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
    saslServerConfigs.put(BrokerSecurityConfigs.SASL_ENABLED_MECHANISMS_CONFIG, Arrays.asList("PLAIN"));

    Map<String, Object> serverUsers = new HashMap<>();
    serverUsers.put("user_user1", "user1-secret");
    serverUsers.put("user_user2", "user2-secret");
    TestJaasConfig staticConfig = new TestJaasConfig();
    staticConfig.createOrUpdateEntry(TestJaasConfig.LOGIN_CONTEXT_SERVER, PlainLoginModule.class.getName(), serverUsers);
    // Wrong password on purpose: a client that authenticates via this static entry must fail.
    staticConfig.setClientOptions("PLAIN", "user1", "invalidpassword");
    // NOTE(review): this replaces the JVM-wide JAAS Configuration; presumably the test
    // fixture restores it in teardown - confirm.
    Configuration.setConfiguration(staticConfig);
    server = createEchoServer(protocol);

    // No override yet: the static (invalid) password is used, so the connection is refused.
    createAndCheckClientConnectionFailure(protocol, "1");

    // Override with user1's real password: connects.
    putClientJaasOverride("user1", "user1-secret");
    createAndCheckClientConnection(protocol, "2");

    // Override with another user's password: refused.
    putClientJaasOverride("user1", "user2-secret");
    createAndCheckClientConnectionFailure(protocol, "3");

    // A different user via the override, static configuration untouched: connects.
    putClientJaasOverride("user2", "user2-secret");
    createAndCheckClientConnection(protocol, "4");

    // Two login modules in a single property value must be rejected up front.
    String firstModule = TestJaasConfig.jaasConfigProperty("PLAIN", "user1", "user1-secret").value();
    String secondModule = TestJaasConfig.jaasConfigProperty("PLAIN", "user2", "user2-secret").value();
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, new Password(firstModule + " " + secondModule));
    boolean rejected = false;
    try {
        createClientConnection(protocol, "1");
    } catch (IllegalArgumentException expected) {
        rejected = true;
    }
    assertTrue("Connection created with multiple login modules in sasl.jaas.config", rejected);
}

/**
 * Points the client's {@code sasl.jaas.config} at a single PLAIN login module carrying
 * the given credentials.
 *
 * @param username the PLAIN username to place in the override
 * @param password the PLAIN password to place in the override
 */
private void putClientJaasOverride(String username, String password) {
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", username, password));
}
/**
 * Verifies that a SASL/SCRAM client is refused when the server holds no credential for
 * the requested SCRAM mechanism, while the same user still authenticates over a
 * mechanism for which a credential is present. Authentication metrics are checked after
 * each attempt.
 *
 * @throws Exception if server setup or a connection attempt fails unexpectedly
 */
@Test
public void testUserCredentialsUnavailableForScramMechanism() throws Exception {
    final SecurityProtocol protocol = SecurityProtocol.SASL_SSL;
    final String sha256 = ScramMechanism.SCRAM_SHA_256.mechanismName();
    configureMechanisms("SCRAM-SHA-256", new ArrayList<>(ScramMechanism.mechanismNames()));
    server = createEchoServer(protocol);

    // Seed the credential cache, then drop only the SHA-256 entry for the test user.
    updateScramCredentialCache(TestJaasConfig.USERNAME, TestJaasConfig.PASSWORD);
    server.credentialCache().cache(sha256, ScramCredential.class).remove(TestJaasConfig.USERNAME);

    // No SHA-256 credential for the user: authentication must fail, one failure recorded.
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "SCRAM-SHA-256");
    createAndCheckClientAuthenticationFailure(protocol, "1", "SCRAM-SHA-256", null);
    server.verifyAuthenticationMetrics(0, 1);

    // The SHA-512 credential was left in place: the same user connects over that mechanism.
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "SCRAM-SHA-512");
    createAndCheckClientConnection(protocol, "2");
    server.verifyAuthenticationMetrics(1, 1);
}
/**
 * Verifies that malformed bytes arriving either after a valid SASL handshake request or
 * before any handshake cause only that client's channel to be closed: the server must
 * keep accepting well-formed connections afterwards. Random bytes stand in for any
 * unparseable input; the property under test is containment, not a specific parse error.
 *
 * @throws Exception if server setup or a connection attempt fails unexpectedly
 */
@Test
public void testInvalidSaslPacket() throws Exception {
    final SecurityProtocol protocol = SecurityProtocol.SASL_PLAINTEXT;
    configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
    server = createEchoServer(protocol);
    Random random = new Random();

    // Garbage after a valid handshake request: only this channel should go away.
    // The client side is plain PLAINTEXT so the test can write raw bytes on the wire.
    String afterHandshake = "invalid1";
    createClientConnection(SecurityProtocol.PLAINTEXT, afterHandshake);
    sendHandshakeRequestReceiveResponse(afterHandshake, (short) 1);
    sendGarbageAndExpectClose(afterHandshake, random);
    createAndCheckClientConnection(protocol, "good1");

    // Garbage with no handshake at all: same expectation.
    String beforeHandshake = "invalid2";
    createClientConnection(SecurityProtocol.PLAINTEXT, beforeHandshake);
    sendGarbageAndExpectClose(beforeHandshake, random);
    createAndCheckClientConnection(protocol, "good2");
}

/**
 * Sends 1024 random bytes over the given client channel, waits until the channel is
 * reported closed (expected state READY), then closes the selector so the next
 * connection in the test starts from a clean slate.
 *
 * @param node   id of the already-connected client channel to write to
 * @param random source of the garbage payload
 * @throws Exception if the send or the wait for channel close fails
 */
private void sendGarbageAndExpectClose(String node, Random random) throws Exception {
    byte[] garbage = new byte[1024];
    random.nextBytes(garbage);
    selector.send(new NetworkSend(node, ByteBuffer.wrap(garbage)));
    NetworkTestUtils.waitForChannelClose(selector, node, ChannelState.READY.state());
    selector.close();
}
/**
 * Verifies that a mechanism Kafka implements by default (PLAIN) becomes unusable once
 * the broker's enabled-mechanism list omits it: the client must fail to connect and the
 * server must record exactly one failed authentication.
 *
 * @throws Exception if server setup or the connection attempt fails unexpectedly
 */
@Test
public void testDisabledMechanism() throws Exception {
    final SecurityProtocol protocol = SecurityProtocol.SASL_SSL;
    // Client mechanism PLAIN against a server that only enables DIGEST-MD5
    // (first argument presumably the client mechanism, second the server list - confirm).
    configureMechanisms("PLAIN", Arrays.asList("DIGEST-MD5"));
    server = createEchoServer(protocol);
    createAndCheckClientConnectionFailure(protocol, "0");
    server.verifyAuthenticationMetrics(0, 1);
}