Use of org.apache.kafka.common.security.authenticator.LoginManager in project apache-kafka-on-k8s by banzaicloud.
Class SaslChannelBuilder, method configure.
/**
 * Configures this channel builder from the broker/client properties.
 *
 * <p>Resolves the Kerberos principal-to-local-name rules when a GSSAPI JAAS
 * context is present, acquires one {@link LoginManager} (and its
 * {@code Subject}) per SASL mechanism, and, for {@code SASL_SSL}, prepares the
 * {@code SslFactory}. On any failure the partially acquired resources are
 * released via {@code close()} before the error is rethrown.
 *
 * @param configs the configuration map; it is retained in {@code this.configs}
 * @throws KafkaException wrapping any exception raised during configuration
 */
@Override
public void configure(Map<String, ?> configs) throws KafkaException {
    try {
        this.configs = configs;
        // Only the GSSAPI (Kerberos) mechanism needs a principal-to-local-name mapping.
        boolean kerberosEnabled = jaasContexts.containsKey(SaslConfigs.GSSAPI_MECHANISM);
        if (kerberosEnabled) {
            String realm;
            try {
                realm = defaultKerberosRealm();
            } catch (Exception ignored) {
                // Best effort: when the default realm cannot be determined the rules are
                // still applied, with an empty default realm.
                realm = "";
            }
            @SuppressWarnings("unchecked")
            List<String> nameRules = (List<String>) configs.get(BrokerSecurityConfigs.SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES_CONFIG);
            if (nameRules != null) {
                kerberosShortNamer = KerberosShortNamer.fromUnparsedRules(realm, nameRules);
            }
        }
        for (String mechanism : jaasContexts.keySet()) {
            // With static JAAS configuration, use KerberosLogin if Kerberos is enabled. With dynamic JAAS
            // configuration, use KerberosLogin only for the LoginContext corresponding to GSSAPI.
            LoginManager manager = LoginManager.acquireLoginManager(jaasContexts.get(mechanism), mechanism, kerberosEnabled, configs);
            loginManagers.put(mechanism, manager);
            subjects.put(mechanism, manager.subject());
        }
        if (this.securityProtocol == SecurityProtocol.SASL_SSL) {
            // TLS client authentication is disabled ("none"): the peer is authenticated by SASL instead.
            this.sslFactory = new SslFactory(mode, "none", isInterBrokerListener);
            this.sslFactory.configure(configs);
        }
    } catch (Exception e) {
        // Release whatever was acquired above before surfacing the failure.
        close();
        throw new KafkaException(e);
    }
}
Use of org.apache.kafka.common.security.authenticator.LoginManager in project ranger by apache.
Class RangerKafkaAuthorizer, method configure.
/**
 * Initializes the Ranger plugin for this authorizer.
 *
 * <p>The shared {@code rangerPlugin} is created at most once (double-checked
 * locking on the class monitor). Before it is created, a JAAS login is
 * attempted so that Ranger's UGI login user reflects the broker's SASL
 * identity; a login failure is only logged and does not prevent the plugin
 * from being created. {@code init()} and the audit handler are then applied
 * on every call.
 *
 * @param configs the Kafka configuration map
 * @see kafka.security.auth.Authorizer#configure(Map<String, Object>)
 */
@Override
public void configure(Map<String, ?> configs) {
    // NOTE(review): double-checked locking is only correct if rangerPlugin is a volatile static field — confirm.
    RangerBasePlugin me = rangerPlugin;
    if (me == null) {
        synchronized (RangerKafkaAuthorizer.class) {
            me = rangerPlugin;
            if (me == null) {
                try {
                    // Possible to override JAAS configuration which is used by Ranger, otherwise
                    // SASL_PLAINTEXT is used, which force Kafka to use 'sasl_plaintext.KafkaServer',
                    // if it's not defined, then it reverts to 'KafkaServer' configuration.
                    final Object jaasContext = configs.get("ranger.jaas.context");
                    // A non-String or empty override is ignored and the default listener name is used.
                    final String listenerName = (jaasContext instanceof String && StringUtils.isNotEmpty((String) jaasContext)) ? (String) jaasContext : SecurityProtocol.SASL_PLAINTEXT.name();
                    JaasContext context = JaasContext.load(Type.SERVER, new ListenerName(listenerName), configs);
                    LoginManager loginManager = LoginManager.acquireLoginManager(context, true, configs);
                    Subject subject = loginManager.subject();
                    // Propagate the logged-in Subject to Hadoop UGI so Ranger calls run as that identity.
                    UserGroupInformation ugi = MiscUtil.createUGIFromSubject(subject);
                    if (ugi != null) {
                        MiscUtil.setUGILoginUser(ugi, subject);
                    }
                    logger.info("LoginUser=" + MiscUtil.getUGILoginUser());
                } catch (Throwable t) {
                    // Deliberately non-fatal: the plugin is still created below, without the SASL login.
                    logger.error("Error getting principal.", t);
                }
                me = rangerPlugin = new RangerBasePlugin("kafka", "kafka");
            }
        }
    }
    // Runs on every configure() call, not only on first creation.
    logger.info("Calling plugin.init()");
    rangerPlugin.init();
    RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler();
    rangerPlugin.setResultProcessor(auditHandler);
}
Use of org.apache.kafka.common.security.authenticator.LoginManager in project apache-kafka-on-k8s by banzaicloud.
Class SaslChannelBuilder, method buildChannel.
/**
 * Builds a {@link KafkaChannel} whose authenticator matches this builder's mode.
 *
 * <p>In server mode the authenticator is built from the per-mechanism
 * {@code subjects}; in client mode from the {@link LoginManager} registered for
 * {@code clientSaslMechanism}. The peer host name is taken from the socket's
 * remote address, which may involve a reverse DNS lookup.
 *
 * @param id             channel id
 * @param key            selection key whose channel must be a {@link SocketChannel}
 * @param maxReceiveSize maximum size of a single receive
 * @param memoryPool     pool for receive buffers; {@code null} selects {@code MemoryPool.NONE}
 * @return the configured channel
 * @throws KafkaException wrapping any exception raised while building the channel
 */
@Override
public KafkaChannel buildChannel(String id, SelectionKey key, int maxReceiveSize, MemoryPool memoryPool) throws KafkaException {
    try {
        SocketChannel channel = (SocketChannel) key.channel();
        Socket socket = channel.socket();
        TransportLayer transport = buildTransportLayer(id, key, channel);
        Authenticator auth;
        if (mode != Mode.SERVER) {
            LoginManager manager = loginManagers.get(clientSaslMechanism);
            String peerHost = socket.getInetAddress().getHostName();
            auth = buildClientAuthenticator(configs, id, peerHost, manager.serviceName(), transport, manager.subject());
        } else {
            auth = buildServerAuthenticator(configs, id, transport, subjects);
        }
        MemoryPool pool = (memoryPool == null) ? MemoryPool.NONE : memoryPool;
        return new KafkaChannel(id, transport, auth, maxReceiveSize, pool);
    } catch (Exception e) {
        log.info("Failed to create channel due to ", e);
        throw new KafkaException(e);
    }
}
Use of org.apache.kafka.common.security.authenticator.LoginManager in project kafka by apache.
Class SaslChannelBuilder, method configure.
/**
 * Configures this channel builder from the broker/client properties.
 *
 * <p>Creates and configures the SASL callback handlers for the current mode,
 * installs the Kerberos principal-to-local-name rules on a server with a
 * GSSAPI context, acquires one {@link LoginManager} (and its {@link Subject})
 * per SASL mechanism, and, for {@code SASL_SSL}, prepares the
 * {@code SslFactory}. On any failure, including an {@code Error}, the
 * partially acquired resources are released via {@code close()} before the
 * error is rethrown.
 *
 * @param configs the configuration map; it is retained in {@code this.configs}
 * @throws KafkaException wrapping any throwable raised during configuration
 */
@Override
public void configure(Map<String, ?> configs) throws KafkaException {
    try {
        this.configs = configs;
        boolean isServer = mode == Mode.SERVER;
        if (isServer) {
            createServerCallbackHandlers(configs);
            createConnectionsMaxReauthMsMap(configs);
        } else {
            createClientCallbackHandler(configs);
        }
        for (String mechanism : saslCallbackHandlers.keySet()) {
            saslCallbackHandlers.get(mechanism).configure(configs, mechanism, jaasContexts.get(mechanism).configurationEntries());
        }
        Class<? extends Login> loginClass = defaultLoginClass();
        // Only a server with a GSSAPI (Kerberos) context needs a principal-to-local-name mapping.
        if (isServer && jaasContexts.containsKey(SaslConfigs.GSSAPI_MECHANISM)) {
            configureKerberosShortNamer(configs);
        }
        for (String mechanism : jaasContexts.keySet()) {
            // With static JAAS configuration, use KerberosLogin if Kerberos is enabled. With dynamic JAAS
            // configuration, use KerberosLogin only for the LoginContext corresponding to GSSAPI.
            LoginManager manager = LoginManager.acquireLoginManager(jaasContexts.get(mechanism), mechanism, loginClass, configs);
            loginManagers.put(mechanism, manager);
            Subject loginSubject = manager.subject();
            subjects.put(mechanism, loginSubject);
            if (isServer && SaslConfigs.GSSAPI_MECHANISM.equals(mechanism)) {
                maybeAddNativeGssapiCredentials(loginSubject);
            }
        }
        if (this.securityProtocol == SecurityProtocol.SASL_SSL) {
            // TLS client authentication is overridden (disabled) because the peer is authenticated by SASL.
            this.sslFactory = new SslFactory(mode, sslClientAuthOverride, isInterBrokerListener);
            this.sslFactory.configure(configs);
        }
    } catch (Throwable e) {
        // Release whatever was acquired above before surfacing the failure.
        close();
        throw new KafkaException(e);
    }
}

/**
 * Installs the Kerberos principal-to-local-name rules from {@code configs}, if any are set.
 *
 * <p>If the default realm cannot be determined, an empty realm is used (best effort);
 * the rules are still installed.
 *
 * @param configs the configuration map holding {@code SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES_CONFIG}
 */
@SuppressWarnings("unchecked")
private void configureKerberosShortNamer(Map<String, ?> configs) {
    String realm;
    try {
        realm = defaultKerberosRealm();
    } catch (Exception ignored) {
        realm = "";
    }
    List<String> nameRules = (List<String>) configs.get(BrokerSecurityConfigs.SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES_CONFIG);
    if (nameRules != null) {
        kerberosShortNamer = KerberosShortNamer.fromUnparsedRules(realm, nameRules);
    }
}
Use of org.apache.kafka.common.security.authenticator.LoginManager in project kafka by apache.
Class SaslChannelBuilder, method buildChannel.
/**
 * Builds a {@link KafkaChannel} with a lazily created authenticator matching this builder's mode.
 *
 * <p>The authenticator itself is not built here: a {@link Supplier} is handed to the
 * channel, so the server-side map snapshots and the client-side host-name resolution
 * (which may involve a reverse DNS lookup) happen when the channel first requests it.
 * Server mode passes unmodifiable views of the handler, subject and re-auth maps.
 *
 * @param id               channel id
 * @param key              selection key whose channel must be a {@link SocketChannel}
 * @param maxReceiveSize   maximum size of a single receive
 * @param memoryPool       pool for receive buffers; {@code null} selects {@code MemoryPool.NONE}
 * @param metadataRegistry registry receiving the channel's negotiated metadata
 * @return the configured channel
 * @throws KafkaException wrapping any exception raised while building the channel
 */
@Override
public KafkaChannel buildChannel(String id, SelectionKey key, int maxReceiveSize, MemoryPool memoryPool, ChannelMetadataRegistry metadataRegistry) throws KafkaException {
    try {
        SocketChannel channel = (SocketChannel) key.channel();
        Socket socket = channel.socket();
        TransportLayer transport = buildTransportLayer(id, key, channel, metadataRegistry);
        Supplier<Authenticator> authenticatorSupplier;
        if (mode != Mode.SERVER) {
            // Looked up eagerly; serviceName()/host resolution are deferred to the supplier.
            LoginManager manager = loginManagers.get(clientSaslMechanism);
            authenticatorSupplier = () -> buildClientAuthenticator(
                configs,
                saslCallbackHandlers.get(clientSaslMechanism),
                id,
                socket.getInetAddress().getHostName(),
                manager.serviceName(),
                transport,
                subjects.get(clientSaslMechanism));
        } else {
            authenticatorSupplier = () -> buildServerAuthenticator(
                configs,
                Collections.unmodifiableMap(saslCallbackHandlers),
                id,
                transport,
                Collections.unmodifiableMap(subjects),
                Collections.unmodifiableMap(connectionsMaxReauthMsByMechanism),
                metadataRegistry);
        }
        MemoryPool pool = (memoryPool == null) ? MemoryPool.NONE : memoryPool;
        return new KafkaChannel(id, transport, authenticatorSupplier, maxReceiveSize, pool, metadataRegistry);
    } catch (Exception e) {
        log.info("Failed to create channel due to ", e);
        throw new KafkaException(e);
    }
}