public KafkaPrincipal principal() { return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, clientPrincipalName); }
private KafkaPrincipal convertToKafkaPrincipal(Principal principal) { return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, principal.getName()); }
public static KafkaPrincipal parseKafkaPrincipal(String str) { if (str == null || str.isEmpty()) { throw new IllegalArgumentException("expected a string in format principalType:principalName but got " + str); } String[] split = str.split(":", 2); if (split.length != 2) { throw new IllegalArgumentException("expected a string in format principalType:principalName but got " + str); } return new KafkaPrincipal(split[0], split[1]); }
private KafkaPrincipal applySslPrincipalMapper(Principal principal) { try { if (!(principal instanceof X500Principal) || principal == KafkaPrincipal.ANONYMOUS) { return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, principal.getName()); } else { return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, sslPrincipalMapper.getName(principal.getName())); } } catch (IOException e) { throw new KafkaException("Failed to map name for '" + principal.getName() + "' based on SSL principal mapping rules.", e); } }
public DescribeDelegationTokenRequest(Struct struct, short versionId) { super(ApiKeys.DESCRIBE_DELEGATION_TOKEN, versionId); Object[] ownerArray = struct.getArray(OWNER_KEY_NAME); if (ownerArray != null) { owners = new ArrayList<>(); for (Object ownerObj : ownerArray) { Struct ownerObjStruct = (Struct) ownerObj; String principalType = ownerObjStruct.get(PRINCIPAL_TYPE); String principalName = ownerObjStruct.get(PRINCIPAL_NAME); owners.add(new KafkaPrincipal(principalType, principalName)); } } else owners = null; }
public CreateDelegationTokenRequest(Struct struct, short version) { super(ApiKeys.CREATE_DELEGATION_TOKEN, version); maxLifeTime = struct.getLong(MAX_LIFE_TIME_KEY_NAME); Object[] renewerArray = struct.getArray(RENEWERS_KEY_NAME); renewers = new ArrayList<>(); if (renewerArray != null) { for (Object renewerObj : renewerArray) { Struct renewerObjStruct = (Struct) renewerObj; String principalType = renewerObjStruct.get(PRINCIPAL_TYPE); String principalName = renewerObjStruct.get(PRINCIPAL_NAME); renewers.add(new KafkaPrincipal(principalType, principalName)); } } }
private KafkaPrincipal applyKerberosShortNamer(String authorizationId) { KerberosName kerberosName = KerberosName.parse(authorizationId); try { String shortName = kerberosShortNamer.shortName(kerberosName); return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, shortName); } catch (IOException e) { throw new KafkaException("Failed to set name for '" + kerberosName + "' based on Kerberos authentication rules.", e); } }
@Test public void testEqualsAndHashCode() { String name = "KafkaUser"; KafkaPrincipal principal1 = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, name); KafkaPrincipal principal2 = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, name); Assert.assertEquals(principal1.hashCode(), principal2.hashCode()); Assert.assertEquals(principal1, principal2); } }
KafkaPrincipal owner = new KafkaPrincipal(ownerStruct.get(PRINCIPAL_TYPE), ownerStruct.get(PRINCIPAL_NAME)); long issueTimestamp = singleRequestStruct.getLong(ISSUE_TIMESTAMP_KEY_NAME); long expiryTimestamp = singleRequestStruct.getLong(EXPIRY_TIMESTAMP_NAME); String principalType = renewerObjStruct.get(PRINCIPAL_TYPE); String principalName = renewerObjStruct.get(PRINCIPAL_NAME); renewers.add(new KafkaPrincipal(principalType, principalName));
@Override public KafkaPrincipal build(AuthenticationContext context) { if (context instanceof PlaintextAuthenticationContext) { if (oldPrincipalBuilder != null) return convertToKafkaPrincipal(oldPrincipalBuilder.buildPrincipal(transportLayer, authenticator)); return KafkaPrincipal.ANONYMOUS; } else if (context instanceof SslAuthenticationContext) { SSLSession sslSession = ((SslAuthenticationContext) context).session(); if (oldPrincipalBuilder != null) return convertToKafkaPrincipal(oldPrincipalBuilder.buildPrincipal(transportLayer, authenticator)); try { return applySslPrincipalMapper(sslSession.getPeerPrincipal()); } catch (SSLPeerUnverifiedException se) { return KafkaPrincipal.ANONYMOUS; } } else if (context instanceof SaslAuthenticationContext) { SaslServer saslServer = ((SaslAuthenticationContext) context).server(); if (SaslConfigs.GSSAPI_MECHANISM.equals(saslServer.getMechanismName())) return applyKerberosShortNamer(saslServer.getAuthorizationID()); else return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, saslServer.getAuthorizationID()); } else { throw new IllegalArgumentException("Unhandled authentication context type: " + context.getClass().getName()); } }
/** * Writes the supplied ACL information to ZK, where it will be picked up by the brokes authorizer. * * @param username the who. * @param permission the allow|deny. * @param resource the thing * @param ops the what. */ public void addUserAcl(final String username, final AclPermissionType permission, final ResourcePattern resource, final Set<AclOperation> ops) { final KafkaPrincipal principal = new KafkaPrincipal("User", username); final PermissionType scalaPermission = PermissionType$.MODULE$.fromJava(permission); final Set<Acl> javaAcls = ops.stream() .map(Operation$.MODULE$::fromJava) .map(op -> new Acl(principal, scalaPermission, "*", op)) .collect(Collectors.toSet()); final scala.collection.immutable.Set<Acl> scalaAcls = JavaConversions.asScalaSet(javaAcls).toSet(); final kafka.security.auth.ResourceType scalaResType = ResourceType$.MODULE$.fromJava(resource.resourceType()); final kafka.security.auth.Resource scalaResource = new kafka.security.auth.Resource(scalaResType, resource.name(), resource.patternType()); authorizer.addAcls(scalaAcls, scalaResource); addedAcls.add(scalaResource); }
public CreateDelegationTokenResponse(Struct struct) { error = Errors.forCode(struct.get(ERROR_CODE)); Struct ownerStruct = (Struct) struct.get(OWNER_KEY_NAME); String principalType = ownerStruct.get(PRINCIPAL_TYPE); String principalName = ownerStruct.get(PRINCIPAL_NAME); owner = new KafkaPrincipal(principalType, principalName); issueTimestamp = struct.getLong(ISSUE_TIMESTAMP_KEY_NAME); expiryTimestamp = struct.getLong(EXPIRY_TIMESTAMP_NAME); maxTimestamp = struct.getLong(MAX_TIMESTAMP_NAME); tokenId = struct.getString(TOKEN_ID_KEY_NAME); hmac = struct.getBytes(HMAC_KEY_NAME); this.throttleTimeMs = struct.getOrElse(THROTTLE_TIME_MS, DEFAULT_THROTTLE_TIME); }
protected HashMap<Resource, Set<Acl>> getResourceAclsMap(String username, Set<SimpleAclRule> aclRules) { KafkaPrincipal principal = new KafkaPrincipal("User", username); HashMap<Resource, Set<Acl>> map = new HashMap<>(); for (SimpleAclRule rule: aclRules) { Resource resource = rule.getResource().toKafkaResource(); Set<Acl> aclSet = map.get(resource); if (aclSet == null) { aclSet = new HashSet<>(); } aclSet.add(rule.toKafkaAcl(principal)); map.put(resource, aclSet); } return map; } /**
private java.util.Map<Resource, scala.collection.immutable.Set<Acl>> rolePrivilegesToResourceAcls(java.util.Map<String, scala.collection.immutable.Set<TSentryPrivilege>> rolePrivilegesMap) { final java.util.Map<Resource, scala.collection.immutable.Set<Acl>> resourceAclsMap = new HashMap<>(); for (String role : rolePrivilegesMap.keySet()) { scala.collection.immutable.Set<TSentryPrivilege> privileges = rolePrivilegesMap.get(role); final Iterator<TSentryPrivilege> iterator = privileges.iterator(); while (iterator.hasNext()) { TSentryPrivilege privilege = iterator.next(); final List<TAuthorizable> authorizables = privilege.getAuthorizables(); String host = null; String operation = privilege.getAction(); for (TAuthorizable tAuthorizable : authorizables) { if (tAuthorizable.getType().equals(KafkaAuthorizable.AuthorizableType.HOST.name())) { host = tAuthorizable.getName(); } else { Resource resource = new Resource(ResourceType$.MODULE$.fromString(tAuthorizable.getType()), tAuthorizable.getName()); if (operation.equals("*")) { operation = "All"; } Acl acl = new Acl(new KafkaPrincipal("role", role), Allow$.MODULE$, host, Operation$.MODULE$.fromString(operation)); Set<Acl> newAclsJava = new HashSet<Acl>(); newAclsJava.add(acl); addExistingAclsForResource(resourceAclsMap, resource, newAclsJava); final scala.collection.mutable.Set<Acl> aclScala = JavaConversions.asScalaSet(newAclsJava); resourceAclsMap.put(resource, aclScala.<Acl>toSet()); } } } } return resourceAclsMap; }
/** * Returns Set of ACLs applying to single user * * @param username Name of the user * @return */ public Set<SimpleAclRule> getAcls(String username) { log.debug("Searching for ACL rules of user {}", username); Set<SimpleAclRule> result = new HashSet<SimpleAclRule>(); KafkaPrincipal principal = new KafkaPrincipal("User", username); scala.collection.immutable.Map<Resource, scala.collection.immutable.Set<Acl>> rules; try { rules = authorizer.getAcls(principal); } catch (Exception e) { log.error("Failed to get existing Acls rules for user {}", username, e); throw e; } Iterator<Tuple2<Resource, scala.collection.immutable.Set<Acl>>> iter = rules.iterator(); while (iter.hasNext()) { Tuple2<Resource, scala.collection.immutable.Set<Acl>> tuple = iter.next(); SimpleAclRuleResource resource = SimpleAclRuleResource.fromKafkaResource(tuple._1()); scala.collection.immutable.Set<Acl> acls = tuple._2(); Iterator<Acl> iter2 = acls.iterator(); while (iter2.hasNext()) { result.add(SimpleAclRule.fromKafkaAcl(resource, iter2.next())); } } return result; }