
Example 1 with LoginManager

use of org.apache.kafka.common.security.authenticator.LoginManager in project apache-kafka-on-k8s by banzaicloud.

The class SaslChannelBuilder, method configure.

/**
 * Configures SASL login state for this channel builder.
 * <p>
 * Resolves Kerberos principal-to-local rules when a GSSAPI JAAS context is present, acquires one
 * {@link LoginManager} per SASL mechanism (recording its subject), and for SASL_SSL builds an
 * {@link SslFactory} with TLS client authentication disabled, since SASL supplies client identity.
 *
 * @param configs the Kafka configuration map; stored in {@code this.configs} for later use
 * @throws KafkaException wrapping any failure during setup; {@code close()} runs first so that
 *         whatever was acquired before the failure is released
 */
@Override
public void configure(Map<String, ?> configs) throws KafkaException {
    try {
        this.configs = configs;
        // A GSSAPI JAAS context means Kerberos login is required for at least one mechanism.
        boolean hasKerberos = jaasContexts.containsKey(SaslConfigs.GSSAPI_MECHANISM);
        if (hasKerberos) {
            String defaultRealm;
            try {
                defaultRealm = defaultKerberosRealm();
            } catch (Exception ke) {
                // Realm lookup failure is tolerated: an empty default realm only changes how the
                // rules below match unqualified principals.
                // NOTE(review): the failure is not logged, so a broken krb5 setup is silent here.
                defaultRealm = "";
            }
            // Config values are untyped; the unchecked cast assumes the value was validated as a
            // string list by the config definition upstream - TODO confirm.
            @SuppressWarnings("unchecked") List<String> principalToLocalRules = (List<String>) configs.get(BrokerSecurityConfigs.SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES_CONFIG);
            if (principalToLocalRules != null)
                kerberosShortNamer = KerberosShortNamer.fromUnparsedRules(defaultRealm, principalToLocalRules);
        }
        for (Map.Entry<String, JaasContext> entry : jaasContexts.entrySet()) {
            String mechanism = entry.getKey();
            // With static JAAS configuration, use KerberosLogin if Kerberos is enabled. With dynamic JAAS configuration,
            // use KerberosLogin only for the LoginContext corresponding to GSSAPI
            LoginManager loginManager = LoginManager.acquireLoginManager(entry.getValue(), mechanism, hasKerberos, configs);
            loginManagers.put(mechanism, loginManager);
            // The subject is what the authenticators built later will act as for this mechanism.
            subjects.put(mechanism, loginManager.subject());
        }
        if (this.securityProtocol == SecurityProtocol.SASL_SSL) {
            // Disable SSL client authentication as we are using SASL authentication
            // ("none" is the client-auth value handed to SslFactory for this listener).
            this.sslFactory = new SslFactory(mode, "none", isInterBrokerListener);
            this.sslFactory.configure(configs);
        }
    } catch (Exception e) {
        // Release partially acquired state before surfacing the failure (close() presumably
        // releases the login managers acquired above - confirm), then wrap in KafkaException.
        close();
        throw new KafkaException(e);
    }
}
Also used : JaasContext(org.apache.kafka.common.security.JaasContext) LoginManager(org.apache.kafka.common.security.authenticator.LoginManager) List(java.util.List) KafkaException(org.apache.kafka.common.KafkaException) HashMap(java.util.HashMap) Map(java.util.Map) KafkaException(org.apache.kafka.common.KafkaException) IOException(java.io.IOException) InvocationTargetException(java.lang.reflect.InvocationTargetException) SslFactory(org.apache.kafka.common.security.ssl.SslFactory)

Example 2 with LoginManager

use of org.apache.kafka.common.security.authenticator.LoginManager in project ranger by apache.

The class RangerKafkaAuthorizer, method configure.

/**
 * Initializes the Ranger Kafka authorizer plugin, performing the Kafka JAAS login once.
 * <p>
 * The first caller loads the server JAAS context, acquires a {@link LoginManager}, registers its
 * subject as the Hadoop login user and creates the {@link RangerBasePlugin}. Every call, not just
 * the first, then calls {@code init()} on the plugin and installs a {@link RangerDefaultAuditHandler}.
 *
 * @param configs the Kafka configuration; {@code ranger.jaas.context} may override the JAAS section name
 * @see kafka.security.auth.Authorizer#configure(Map<String, Object>)
 */
@Override
public void configure(Map<String, ?> configs) {
    RangerBasePlugin me = rangerPlugin;
    if (me == null) {
        // Double-checked locking on the class monitor: only the first caller performs the login.
        // NOTE(review): this is only safe if rangerPlugin is declared volatile - confirm against the field.
        synchronized (RangerKafkaAuthorizer.class) {
            me = rangerPlugin;
            if (me == null) {
                try {
                    // Possible to override JAAS configuration which is used by Ranger, otherwise
                    // SASL_PLAINTEXT is used, which force Kafka to use 'sasl_plaintext.KafkaServer',
                    // if it's not defined, then it reverts to 'KafkaServer' configuration.
                    final Object jaasContext = configs.get("ranger.jaas.context");
                    final String listenerName = (jaasContext instanceof String && StringUtils.isNotEmpty((String) jaasContext)) ? (String) jaasContext : SecurityProtocol.SASL_PLAINTEXT.name();
                    JaasContext context = JaasContext.load(Type.SERVER, new ListenerName(listenerName), configs);
                    // The boolean is presumably the 'hasKerberos' flag of acquireLoginManager - verify against the Kafka version in use.
                    LoginManager loginManager = LoginManager.acquireLoginManager(context, true, configs);
                    Subject subject = loginManager.subject();
                    // Derive a Hadoop UGI from the Kafka login subject and make it the process login user;
                    // presumably so Ranger's own calls run as the broker principal - verify in MiscUtil.
                    UserGroupInformation ugi = MiscUtil.createUGIFromSubject(subject);
                    if (ugi != null) {
                        MiscUtil.setUGILoginUser(ugi, subject);
                    }
                    logger.info("LoginUser=" + MiscUtil.getUGILoginUser());
                } catch (Throwable t) {
                    // Best-effort: a failed login is logged and the plugin is still created below, so the
                    // authorizer starts without a Kafka-derived login user. Throwable also covers Errors.
                    logger.error("Error getting principal.", t);
                }
                me = rangerPlugin = new RangerBasePlugin("kafka", "kafka");
            }
        }
    }
    // Runs on every configure() call, not only on first initialization.
    logger.info("Calling plugin.init()");
    rangerPlugin.init();
    RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler();
    rangerPlugin.setResultProcessor(auditHandler);
}
Also used : JaasContext(org.apache.kafka.common.security.JaasContext) LoginManager(org.apache.kafka.common.security.authenticator.LoginManager) RangerDefaultAuditHandler(org.apache.ranger.plugin.audit.RangerDefaultAuditHandler) ListenerName(org.apache.kafka.common.network.ListenerName) RangerBasePlugin(org.apache.ranger.plugin.service.RangerBasePlugin) Subject(javax.security.auth.Subject) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 3 with LoginManager

use of org.apache.kafka.common.security.authenticator.LoginManager in project apache-kafka-on-k8s by banzaicloud.

The class SaslChannelBuilder, method buildChannel.

/**
 * Builds a SASL-authenticating {@link KafkaChannel} for the socket behind {@code key}.
 * <p>
 * In server mode the configured subjects are handed to the server authenticator; in client mode the
 * login manager of the configured client mechanism supplies the service name and subject, and the
 * peer's host name is passed along for the client authenticator.
 *
 * @param id channel identifier
 * @param key selection key whose channel is cast to {@link SocketChannel}
 * @param maxReceiveSize passed through to the channel
 * @param memoryPool pool passed to the channel; {@code null} selects {@link MemoryPool#NONE}
 * @return the new channel
 * @throws KafkaException wrapping any failure, which is also logged at info level
 */
@Override
public KafkaChannel buildChannel(String id, SelectionKey key, int maxReceiveSize, MemoryPool memoryPool) throws KafkaException {
    try {
        SocketChannel channel = (SocketChannel) key.channel();
        Socket peerSocket = channel.socket();
        TransportLayer layer = buildTransportLayer(id, key, channel);
        Authenticator auth;
        if (mode != Mode.SERVER) {
            // Client side: look up the login manager for the configured mechanism.
            // getHostName() may perform a reverse lookup of the peer address.
            LoginManager clientLogin = loginManagers.get(clientSaslMechanism);
            String peerHost = peerSocket.getInetAddress().getHostName();
            auth = buildClientAuthenticator(configs, id, peerHost, clientLogin.serviceName(), layer, clientLogin.subject());
        } else {
            auth = buildServerAuthenticator(configs, id, layer, subjects);
        }
        MemoryPool pool = memoryPool == null ? MemoryPool.NONE : memoryPool;
        return new KafkaChannel(id, layer, auth, maxReceiveSize, pool);
    } catch (Exception e) {
        log.info("Failed to create channel due to ", e);
        throw new KafkaException(e);
    }
}
Also used : SocketChannel(java.nio.channels.SocketChannel) LoginManager(org.apache.kafka.common.security.authenticator.LoginManager) KafkaException(org.apache.kafka.common.KafkaException) Socket(java.net.Socket) SaslServerAuthenticator(org.apache.kafka.common.security.authenticator.SaslServerAuthenticator) SaslClientAuthenticator(org.apache.kafka.common.security.authenticator.SaslClientAuthenticator) KafkaException(org.apache.kafka.common.KafkaException) IOException(java.io.IOException) InvocationTargetException(java.lang.reflect.InvocationTargetException)

Example 4 with LoginManager

use of org.apache.kafka.common.security.authenticator.LoginManager in project kafka by apache.

The class SaslChannelBuilder, method configure.

/**
 * Configures SASL callback handlers, login managers and (for SASL_SSL) the SSL factory.
 * <p>
 * Server mode additionally sets up per-mechanism re-authentication limits, the Kerberos
 * principal-to-local short namer, and native GSSAPI credentials for the GSSAPI subject.
 * Any failure triggers {@code close()} before the wrapped exception is rethrown.
 *
 * @param configs Kafka configuration map; retained in {@code this.configs} for buildChannel
 * @throws KafkaException wrapping any {@link Throwable} raised during setup
 */
@SuppressWarnings("unchecked")
@Override
public void configure(Map<String, ?> configs) throws KafkaException {
    try {
        this.configs = configs;
        if (mode == Mode.SERVER) {
            // Brokers get one callback handler per mechanism plus the re-auth deadline map.
            createServerCallbackHandlers(configs);
            createConnectionsMaxReauthMsMap(configs);
        } else
            createClientCallbackHandler(configs);
        // Each handler is configured with the JAAS entries of its own mechanism only.
        for (Map.Entry<String, AuthenticateCallbackHandler> entry : saslCallbackHandlers.entrySet()) {
            String mechanism = entry.getKey();
            entry.getValue().configure(configs, mechanism, jaasContexts.get(mechanism).configurationEntries());
        }
        // Login implementation shared by every mechanism below; selection lives in defaultLoginClass().
        Class<? extends Login> defaultLoginClass = defaultLoginClass();
        // Guarded by mode == SERVER: client-side builders never build a short namer.
        if (mode == Mode.SERVER && jaasContexts.containsKey(SaslConfigs.GSSAPI_MECHANISM)) {
            String defaultRealm;
            try {
                defaultRealm = defaultKerberosRealm();
            } catch (Exception ke) {
                // Tolerated: an empty default realm only changes how unqualified principals match the rules.
                // NOTE(review): not logged, so a broken krb5 setup is silent here.
                defaultRealm = "";
            }
            // Unchecked cast (covered by the class-level suppression); assumes the config definition
            // validated a string list - TODO confirm.
            List<String> principalToLocalRules = (List<String>) configs.get(BrokerSecurityConfigs.SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES_CONFIG);
            if (principalToLocalRules != null)
                kerberosShortNamer = KerberosShortNamer.fromUnparsedRules(defaultRealm, principalToLocalRules);
        }
        for (Map.Entry<String, JaasContext> entry : jaasContexts.entrySet()) {
            String mechanism = entry.getKey();
            // With static JAAS configuration, use KerberosLogin if Kerberos is enabled. With dynamic JAAS configuration,
            // use KerberosLogin only for the LoginContext corresponding to GSSAPI
            LoginManager loginManager = LoginManager.acquireLoginManager(entry.getValue(), mechanism, defaultLoginClass, configs);
            loginManagers.put(mechanism, loginManager);
            Subject subject = loginManager.subject();
            subjects.put(mechanism, subject);
            // Server-side GSSAPI only; what gets added to the subject is defined by maybeAddNativeGssapiCredentials().
            if (mode == Mode.SERVER && mechanism.equals(SaslConfigs.GSSAPI_MECHANISM))
                maybeAddNativeGssapiCredentials(subject);
        }
        if (this.securityProtocol == SecurityProtocol.SASL_SSL) {
            // Disable SSL client authentication as we are using SASL authentication
            // (sslClientAuthOverride is the value handed to SslFactory for this listener).
            this.sslFactory = new SslFactory(mode, sslClientAuthOverride, isInterBrokerListener);
            this.sslFactory.configure(configs);
        }
    } catch (Throwable e) {
        // Throwable rather than Exception: even an Error during login triggers close() before propagating.
        close();
        throw new KafkaException(e);
    }
}
Also used : LoginManager(org.apache.kafka.common.security.authenticator.LoginManager) AuthenticateCallbackHandler(org.apache.kafka.common.security.auth.AuthenticateCallbackHandler) KafkaException(org.apache.kafka.common.KafkaException) GSSException(org.ietf.jgss.GSSException) IOException(java.io.IOException) Subject(javax.security.auth.Subject) SslFactory(org.apache.kafka.common.security.ssl.SslFactory) JaasContext(org.apache.kafka.common.security.JaasContext) List(java.util.List) KafkaException(org.apache.kafka.common.KafkaException) Map(java.util.Map) HashMap(java.util.HashMap)

Example 5 with LoginManager

use of org.apache.kafka.common.security.authenticator.LoginManager in project kafka by apache.

The class SaslChannelBuilder, method buildChannel.

/**
 * Builds a SASL-authenticating {@link KafkaChannel} whose authenticator is created lazily.
 * <p>
 * The channel receives a {@link Supplier} rather than a ready authenticator. In server mode the supplier
 * passes unmodifiable views of the callback-handler, subject and re-auth maps, so the authenticator
 * cannot mutate the builder's shared state. In client mode the login manager for the configured
 * mechanism is looked up eagerly, while the peer host name and service name are resolved when the
 * supplier runs.
 *
 * @param id channel identifier
 * @param key selection key whose channel is cast to {@link SocketChannel}
 * @param maxReceiveSize passed through to the channel
 * @param memoryPool pool passed to the channel; {@code null} selects {@link MemoryPool#NONE}
 * @param metadataRegistry passed to the transport layer, the authenticator and the channel
 * @return the new channel
 * @throws KafkaException wrapping any failure, which is also logged at info level
 */
@Override
public KafkaChannel buildChannel(String id, SelectionKey key, int maxReceiveSize, MemoryPool memoryPool, ChannelMetadataRegistry metadataRegistry) throws KafkaException {
    try {
        SocketChannel channel = (SocketChannel) key.channel();
        Socket peerSocket = channel.socket();
        TransportLayer layer = buildTransportLayer(id, key, channel, metadataRegistry);
        Supplier<Authenticator> authenticatorCreator;
        if (mode != Mode.SERVER) {
            // Client side: the login manager lookup happens now; everything else inside the supplier.
            LoginManager clientLogin = loginManagers.get(clientSaslMechanism);
            authenticatorCreator = () -> buildClientAuthenticator(
                    configs,
                    saslCallbackHandlers.get(clientSaslMechanism),
                    id,
                    peerSocket.getInetAddress().getHostName(),
                    clientLogin.serviceName(),
                    layer,
                    subjects.get(clientSaslMechanism));
        } else {
            // Server side: hand out read-only views of the per-mechanism maps.
            authenticatorCreator = () -> buildServerAuthenticator(
                    configs,
                    Collections.unmodifiableMap(saslCallbackHandlers),
                    id,
                    layer,
                    Collections.unmodifiableMap(subjects),
                    Collections.unmodifiableMap(connectionsMaxReauthMsByMechanism),
                    metadataRegistry);
        }
        MemoryPool pool = memoryPool == null ? MemoryPool.NONE : memoryPool;
        return new KafkaChannel(id, layer, authenticatorCreator, maxReceiveSize, pool, metadataRegistry);
    } catch (Exception e) {
        log.info("Failed to create channel due to ", e);
        throw new KafkaException(e);
    }
}
Also used : SocketChannel(java.nio.channels.SocketChannel) LoginManager(org.apache.kafka.common.security.authenticator.LoginManager) KafkaException(org.apache.kafka.common.KafkaException) Socket(java.net.Socket) SaslClientAuthenticator(org.apache.kafka.common.security.authenticator.SaslClientAuthenticator) SaslServerAuthenticator(org.apache.kafka.common.security.authenticator.SaslServerAuthenticator) KafkaException(org.apache.kafka.common.KafkaException) GSSException(org.ietf.jgss.GSSException) IOException(java.io.IOException)
