
Example 1 with KerberosName

Use of org.apache.kafka.common.security.kerberos.KerberosName in project kafka by apache.

From the class SaslServerAuthenticator, method createSaslKerberosServer.

// Imports for this method: the classes listed on the page plus the JDK types it references.
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.security.kerberos.KerberosName;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Instance fields of SaslServerAuthenticator used below: subject (the broker's JAAS-authenticated
// Subject), saslMechanism (here "GSSAPI") and LOG (the class logger).
private SaslServer createSaslKerberosServer(final AuthCallbackHandler saslServerCallbackHandler, final Map<String, ?> configs) throws IOException {
    // The server is using a JAAS-authenticated subject: determine the service principal name and
    // hostname from the Kafka server's subject. The JAAS login is expected to have populated the
    // subject with the broker's Kerberos principal, e.g. "kafka/broker.example.com@REALM".
    final Principal servicePrincipal = subject.getPrincipals().iterator().next();
    KerberosName kerberosName;
    try {
        // KerberosName.parse accepts "name/host@REALM" or "name@REALM" and rejects anything else.
        kerberosName = KerberosName.parse(servicePrincipal.getName());
    } catch (IllegalArgumentException e) {
        throw new KafkaException("Principal has name with unexpected format " + servicePrincipal);
    }
    final String servicePrincipalName = kerberosName.serviceName();
    final String serviceHostname = kerberosName.hostName();
    LOG.debug("Creating SaslServer for {} with mechanism {}", kerberosName, saslMechanism);
    // As described in http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-features.html:
    // "To enable Java GSS to delegate to the native GSS library and its list of native mechanisms,
    // set the system property "sun.security.jgss.native" to true."
    // "In addition, when performing operations as a particular Subject, for example, Subject.doAs(...)
    // or Subject.doAsPrivileged(...), the to-be-used GSSCredential should be added to Subject's
    // private credential set. Otherwise, the GSS operations will fail since no credential is found."
    boolean usingNativeJgss = Boolean.getBoolean("sun.security.jgss.native");
    if (usingNativeJgss) {
        try {
            GSSManager manager = GSSManager.getInstance();
            // This Oid represents the Kerberos version 5 GSS-API mechanism. It is defined in RFC 1964.
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            // Host-based service name of the form "service@host"; the credential is acceptor-only,
            // so the broker can accept client contexts but not initiate them with this credential.
            GSSName gssName = manager.createName(servicePrincipalName + "@" + serviceHostname, GSSName.NT_HOSTBASED_SERVICE);
            GSSCredential cred = manager.createCredential(gssName, GSSContext.INDEFINITE_LIFETIME, krb5Mechanism, GSSCredential.ACCEPT_ONLY);
            subject.getPrivateCredentials().add(cred);
        } catch (GSSException ex) {
            LOG.warn("Cannot add private credential to subject; clients authentication may fail", ex);
        }
    }
    try {
        // Create the SaslServer while running as the broker's subject so that the GSSAPI mechanism
        // can find the broker's Kerberos credentials.
        return Subject.doAs(subject, new PrivilegedExceptionAction<SaslServer>() {

            public SaslServer run() throws SaslException {
                return Sasl.createSaslServer(saslMechanism, servicePrincipalName, serviceHostname, configs, saslServerCallbackHandler);
            }
        });
    } catch (PrivilegedActionException e) {
        throw new SaslException("Kafka Server failed to create a SaslServer to interact with a client during session authentication", e.getCause());
    }
}

Example 2 with KerberosName

Use of org.apache.kafka.common.security.kerberos.KerberosName in project kafka by apache.

From the class SaslServerCallbackHandler, method handleAuthorizeCallback.

import java.io.IOException;
import javax.security.sasl.AuthorizeCallback;
import org.apache.kafka.common.security.kerberos.KerberosName;

// Instance fields of SaslServerCallbackHandler used below: kerberosShortNamer (applies the broker's
// sasl.kerberos.principal.to.local.rules) and LOG (the class logger).
private void handleAuthorizeCallback(AuthorizeCallback ac) {
    // For GSSAPI the SASL layer has already verified the client's Kerberos ticket, so the
    // authentication ID is the client's full principal (e.g. "alice@REALM"); by default the client
    // requests the same name as its authorization ID.
    String authenticationID = ac.getAuthenticationID();
    String authorizationID = ac.getAuthorizationID();
    LOG.info("Successfully authenticated client: authenticationID={}; authorizationID={}.", authenticationID, authorizationID);
    // No check is made here on which authorization ID the client requested; access control is left
    // to the configured Authorizer, which acts on the short name set below.
    ac.setAuthorized(true);
    KerberosName kerberosName = KerberosName.parse(authenticationID);
    try {
        // Map the full Kerberos principal to a short user name using the principal-to-local rules.
        String userName = kerberosShortNamer.shortName(kerberosName);
        LOG.info("Setting authorizedID: {}", userName);
        ac.setAuthorizedID(userName);
    } catch (IOException e) {
        // Thrown when no rule matches. The callback is already marked authorized, so the authorized
        // ID falls back to the requested authorization ID (the full principal) rather than failing.
        LOG.error("Failed to set name for '{}' based on Kerberos authentication rules.", kerberosName, e);
    }
}
