Search in sources :

Example 21 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.

the class SaslAuthenticatorTest method testMultipleServerMechanisms.

/**
 * Tests that servers supporting multiple SASL mechanisms work with clients using
 * any of the enabled mechanisms.
 */
@Test
public void testMultipleServerMechanisms() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
    configureMechanisms("DIGEST-MD5", Arrays.asList("DIGEST-MD5", "PLAIN", "SCRAM-SHA-256"));
    server = createEchoServer(securityProtocol);
    updateScramCredentialCache(TestJaasConfig.USERNAME, TestJaasConfig.PASSWORD);
    String node1 = "1";
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
    createAndCheckClientConnection(securityProtocol, node1);
    String node2 = "2";
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "DIGEST-MD5");
    createSelector(securityProtocol, saslClientConfigs);
    InetSocketAddress addr = new InetSocketAddress("127.0.0.1", server.port());
    selector.connect(node2, addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(selector, node2, 100, 10);
    String node3 = "3";
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "SCRAM-SHA-256");
    createSelector(securityProtocol, saslClientConfigs);
    selector.connect(node3, new InetSocketAddress("127.0.0.1", server.port()), BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(selector, node3, 100, 10);
}
Also used : InetSocketAddress(java.net.InetSocketAddress) SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) Test(org.junit.Test)

Example 22 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.

the class SaslAuthenticatorTest method testServerDynamicJaasConfiguration.

/**
 * Tests dynamic JAAS configuration property for SASL server. Invalid server credentials
 * are set in the static JVM-wide configuration instance to ensure that the dynamic
 * property override is used during authentication.
 */
@Test
public void testServerDynamicJaasConfiguration() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
    saslClientConfigs.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
    saslServerConfigs.put(BrokerSecurityConfigs.SASL_ENABLED_MECHANISMS_CONFIG, Arrays.asList("PLAIN"));
    Map<String, Object> serverOptions = new HashMap<>();
    serverOptions.put("user_user1", "user1-secret");
    serverOptions.put("user_user2", "user2-secret");
    saslServerConfigs.put("listener.name.sasl_ssl.plain." + SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", serverOptions));
    TestJaasConfig staticJaasConfig = new TestJaasConfig();
    staticJaasConfig.createOrUpdateEntry(TestJaasConfig.LOGIN_CONTEXT_SERVER, PlainLoginModule.class.getName(), Collections.<String, Object>emptyMap());
    staticJaasConfig.setClientOptions("PLAIN", "user1", "user1-secret");
    Configuration.setConfiguration(staticJaasConfig);
    server = createEchoServer(securityProtocol);
    // Check that 'user1' can connect with static Jaas config
    createAndCheckClientConnection(securityProtocol, "1");
    // Check that user 'user2' can also connect with a Jaas config override
    saslClientConfigs.put(SaslConfigs.SASL_JAAS_CONFIG, TestJaasConfig.jaasConfigProperty("PLAIN", "user2", "user2-secret"));
    createAndCheckClientConnection(securityProtocol, "2");
}
Also used : HashMap(java.util.HashMap) SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) PlainLoginModule(org.apache.kafka.common.security.plain.PlainLoginModule) Test(org.junit.Test)

Example 23 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.

the class SaslAuthenticatorTest method testInvalidApiVersionsRequestSequence.

/**
 * Tests that ApiVersionsRequest after Kafka SASL handshake request flow,
 * but prior to actual SASL authentication, results in authentication failure.
 * This is similar to {@link #testUnauthenticatedApiVersionsRequest(SecurityProtocol, short)}
 * where a non-SASL client is used to send requests that are processed by
 * {@link SaslServerAuthenticator} of the server prior to client authentication.
 */
@Test
public void testInvalidApiVersionsRequestSequence() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_PLAINTEXT;
    configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
    server = createEchoServer(securityProtocol);
    // Send handshake request followed by ApiVersionsRequest
    String node1 = "invalid1";
    createClientConnection(SecurityProtocol.PLAINTEXT, node1);
    sendHandshakeRequestReceiveResponse(node1, (short) 1);
    ApiVersionsRequest request = createApiVersionsRequestV0();
    RequestHeader versionsHeader = new RequestHeader(ApiKeys.API_VERSIONS, request.version(), "someclient", 2);
    selector.send(request.toSend(node1, versionsHeader));
    NetworkTestUtils.waitForChannelClose(selector, node1, ChannelState.READY.state());
    selector.close();
    // Test good connection still works
    createAndCheckClientConnection(securityProtocol, "good1");
}
Also used : SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) RequestHeader(org.apache.kafka.common.requests.RequestHeader) ApiVersionsRequest(org.apache.kafka.common.requests.ApiVersionsRequest) Test(org.junit.Test)

Example 24 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.

the class SaslAuthenticatorTest method testScramUsernameWithSpecialCharacters.

/**
 * Tests SASL/SCRAM with username containing characters that need
 * to be encoded.
 */
@Test
public void testScramUsernameWithSpecialCharacters() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
    String username = "special user= test,scram";
    String password = username + "-password";
    TestJaasConfig jaasConfig = configureMechanisms("SCRAM-SHA-256", Arrays.asList("SCRAM-SHA-256"));
    Map<String, Object> options = new HashMap<>();
    options.put("username", username);
    options.put("password", password);
    jaasConfig.createOrUpdateEntry(TestJaasConfig.LOGIN_CONTEXT_CLIENT, ScramLoginModule.class.getName(), options);
    server = createEchoServer(securityProtocol);
    updateScramCredentialCache(username, password);
    createAndCheckClientConnection(securityProtocol, "0");
}
Also used : HashMap(java.util.HashMap) ScramLoginModule(org.apache.kafka.common.security.scram.ScramLoginModule) SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) Test(org.junit.Test)

Example 25 with SecurityProtocol

use of org.apache.kafka.common.security.auth.SecurityProtocol in project apache-kafka-on-k8s by banzaicloud.

the class SaslAuthenticatorTest method testDisallowedKafkaRequestsBeforeAuthentication.

/**
 * Tests that Kafka requests that are forbidden until successful authentication result
 * in authentication failure and do not cause any failures in the server.
 */
@Test
public void testDisallowedKafkaRequestsBeforeAuthentication() throws Exception {
    SecurityProtocol securityProtocol = SecurityProtocol.SASL_PLAINTEXT;
    configureMechanisms("PLAIN", Arrays.asList("PLAIN"));
    server = createEchoServer(securityProtocol);
    // Send metadata request before Kafka SASL handshake request
    String node1 = "invalid1";
    createClientConnection(SecurityProtocol.PLAINTEXT, node1);
    MetadataRequest metadataRequest1 = new MetadataRequest.Builder(Collections.singletonList("sometopic"), true).build();
    RequestHeader metadataRequestHeader1 = new RequestHeader(ApiKeys.METADATA, metadataRequest1.version(), "someclient", 1);
    selector.send(metadataRequest1.toSend(node1, metadataRequestHeader1));
    NetworkTestUtils.waitForChannelClose(selector, node1, ChannelState.READY.state());
    selector.close();
    // Test good connection still works
    createAndCheckClientConnection(securityProtocol, "good1");
    // Send metadata request after Kafka SASL handshake request
    String node2 = "invalid2";
    createClientConnection(SecurityProtocol.PLAINTEXT, node2);
    sendHandshakeRequestReceiveResponse(node2, (short) 1);
    MetadataRequest metadataRequest2 = new MetadataRequest.Builder(Collections.singletonList("sometopic"), true).build();
    RequestHeader metadataRequestHeader2 = new RequestHeader(ApiKeys.METADATA, metadataRequest2.version(), "someclient", 2);
    selector.send(metadataRequest2.toSend(node2, metadataRequestHeader2));
    NetworkTestUtils.waitForChannelClose(selector, node2, ChannelState.READY.state());
    selector.close();
    // Test good connection still works
    createAndCheckClientConnection(securityProtocol, "good2");
}
Also used : MetadataRequest(org.apache.kafka.common.requests.MetadataRequest) SecurityProtocol(org.apache.kafka.common.security.auth.SecurityProtocol) RequestHeader(org.apache.kafka.common.requests.RequestHeader) Test(org.junit.Test)

Aggregations

SecurityProtocol (org.apache.kafka.common.security.auth.SecurityProtocol)33 Test (org.junit.Test)29 HashMap (java.util.HashMap)8 InetSocketAddress (java.net.InetSocketAddress)5 RequestHeader (org.apache.kafka.common.requests.RequestHeader)4 ScramLoginModule (org.apache.kafka.common.security.scram.ScramLoginModule)4 PlainLoginModule (org.apache.kafka.common.security.plain.PlainLoginModule)3 IOException (java.io.IOException)2 ByteBuffer (java.nio.ByteBuffer)2 KafkaException (org.apache.kafka.common.KafkaException)2 ListenerName (org.apache.kafka.common.network.ListenerName)2 NetworkSend (org.apache.kafka.common.network.NetworkSend)2 ApiVersionsRequest (org.apache.kafka.common.requests.ApiVersionsRequest)2 ApiVersionsResponse (org.apache.kafka.common.requests.ApiVersionsResponse)2 TestSecurityConfig (org.apache.kafka.common.security.TestSecurityConfig)2 SelectionKey (java.nio.channels.SelectionKey)1 ArrayList (java.util.ArrayList)1 LinkedHashMap (java.util.LinkedHashMap)1 Random (java.util.Random)1 TopicPartition (org.apache.kafka.common.TopicPartition)1