/**
 * Looks up the owner of a delegation token by its id.
 *
 * @param tokenId the token identifier used as the cache key
 * @return the owner principal's name, or {@code null} when the cache holds no entry for the id
 */
public String owner(String tokenId) {
    final TokenInformation cached = tokenCache.get(tokenId);
    if (cached == null) {
        return null;
    }
    return cached.owner().getName();
}
/**
 * Rejects a re-authentication attempt that would switch the session to a different principal.
 *
 * The check relies on {@code KafkaPrincipal.equals} (presumably type and name; its implementation is
 * not visible here), so a session can only re-authenticate as the principal it was first
 * authenticated as.
 *
 * @param reauthenticatedKafkaPrincipal the principal produced by the new SASL exchange
 * @throws SaslAuthenticationException if it differs from the principal established at first authentication
 */
public void ensurePrincipalUnchanged(KafkaPrincipal reauthenticatedKafkaPrincipal) throws SaslAuthenticationException {
    if (previousKafkaPrincipal.equals(reauthenticatedKafkaPrincipal)) {
        return;
    }
    // NOTE(review): a null argument fails the equals check and then NPEs while building the
    // message below; callers presumably never pass null here — verify.
    final String message = String.format(
        "Cannot change principals during re-authentication from %s.%s: %s.%s",
        previousKafkaPrincipal.getPrincipalType(), previousKafkaPrincipal.getName(),
        reauthenticatedKafkaPrincipal.getPrincipalType(), reauthenticatedKafkaPrincipal.getName());
    throw new SaslAuthenticationException(message);
}
/**
 * GSSAPI: the authorization id reported by the SaslServer is run through the KerberosShortNamer
 * and the result is exposed as a principal of type User.
 */
@Test
public void testPrincipalBuilderGssapi() throws Exception {
    final SaslServer saslServer = mock(SaslServer.class);
    final KerberosShortNamer shortNamer = mock(KerberosShortNamer.class);
    when(saslServer.getMechanismName()).thenReturn(SaslConfigs.GSSAPI_MECHANISM);
    when(saslServer.getAuthorizationID()).thenReturn("foo/host@REALM.COM");
    when(shortNamer.shortName(any())).thenReturn("foo");

    final DefaultKafkaPrincipalBuilder builder = new DefaultKafkaPrincipalBuilder(shortNamer, null);
    final SaslAuthenticationContext context = new SaslAuthenticationContext(
        saslServer, SecurityProtocol.SASL_PLAINTEXT, InetAddress.getLocalHost(), SecurityProtocol.SASL_PLAINTEXT.name());
    final KafkaPrincipal built = builder.build(context);

    assertEquals(KafkaPrincipal.USER_TYPE, built.getPrincipalType());
    assertEquals("foo", built.getName());
    builder.close();

    // The builder must have consulted both the mechanism and the authorization id, and the short namer.
    verify(saslServer, atLeastOnce()).getMechanismName();
    verify(saslServer, atLeastOnce()).getAuthorizationID();
    verify(shortNamer, atLeastOnce()).shortName(any());
}
/**
 * Serialises this CreateDelegationToken request into the wire Struct for the request's version.
 *
 * Each renewer principal becomes one RENEWERS entry carrying its type and name; the requested
 * maximum lifetime is written as MAX_LIFE_TIME.
 *
 * @return the populated request Struct
 */
@Override
protected Struct toStruct() {
    final short version = version();
    final Struct struct = new Struct(ApiKeys.CREATE_DELEGATION_TOKEN.requestSchema(version));

    final Object[] renewerEntries = new Object[renewers.size()];
    int index = 0;
    for (KafkaPrincipal renewer : renewers) {
        final Struct entry = struct.instance(RENEWERS_KEY_NAME);
        entry.set(PRINCIPAL_TYPE, renewer.getPrincipalType());
        entry.set(PRINCIPAL_NAME, renewer.getName());
        renewerEntries[index] = entry;
        index++;
    }

    struct.set(RENEWERS_KEY_NAME, renewerEntries);
    struct.set(MAX_LIFE_TIME_KEY_NAME, maxLifeTime);
    return struct;
}
/**
 * SCRAM: with no short namer or SSL mapper configured, the SaslServer's authorization id is used
 * verbatim as the User principal name.
 */
@Test
public void testPrincipalBuilderScram() throws Exception {
    final SaslServer saslServer = mock(SaslServer.class);
    when(saslServer.getMechanismName()).thenReturn(ScramMechanism.SCRAM_SHA_256.mechanismName());
    when(saslServer.getAuthorizationID()).thenReturn("foo");

    final DefaultKafkaPrincipalBuilder builder = new DefaultKafkaPrincipalBuilder(null, null);
    final SaslAuthenticationContext context = new SaslAuthenticationContext(
        saslServer, SecurityProtocol.SASL_PLAINTEXT, InetAddress.getLocalHost(), SecurityProtocol.SASL_PLAINTEXT.name());
    final KafkaPrincipal built = builder.build(context);

    assertEquals(KafkaPrincipal.USER_TYPE, built.getPrincipalType());
    assertEquals("foo", built.getName());
    builder.close();

    verify(saslServer, atLeastOnce()).getMechanismName();
    verify(saslServer, atLeastOnce()).getAuthorizationID();
}
/**
 * SSL with a principal mapper: four successive peer certificates are pushed through the rule list
 * and each must map to the expected name. Rules are tried in order; the first matching RULE wins,
 * and DEFAULT passes the DN through (note the expected DEFAULT value has the spaces stripped, i.e.
 * the form produced by X500Principal.getName(), not the constructor argument).
 */
@Test
public void testPrincipalWithSslPrincipalMapper() throws Exception {
    final SSLSession session = mock(SSLSession.class);
    when(session.getPeerPrincipal())
        .thenReturn(new X500Principal("CN=Duke, OU=ServiceUsers, O=Org, C=US"))
        .thenReturn(new X500Principal("CN=Duke, OU=SME, O=mycp, L=Fulton, ST=MD, C=US"))
        .thenReturn(new X500Principal("CN=duke, OU=JavaSoft, O=Sun Microsystems"))
        .thenReturn(new X500Principal("OU=JavaSoft, O=Sun Microsystems, C=US"));

    final List<String> mappingRules = Arrays.asList(
        "RULE:^CN=(.*),OU=ServiceUsers.*$/$1/L",
        "RULE:^CN=(.*),OU=(.*),O=(.*),L=(.*),ST=(.*),C=(.*)$/$1@$2/L",
        "RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/U",
        "DEFAULT"
    );
    final SslPrincipalMapper mapper = SslPrincipalMapper.fromRules(mappingRules);
    final DefaultKafkaPrincipalBuilder builder = new DefaultKafkaPrincipalBuilder(null, mapper);
    final SslAuthenticationContext context =
        new SslAuthenticationContext(session, InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name());

    // One expected name per stubbed peer principal, in stub order.
    final String[] expectedNames = {"duke", "duke@sme", "DUKE", "OU=JavaSoft,O=Sun Microsystems,C=US"};
    for (String expected : expectedNames) {
        final KafkaPrincipal built = builder.build(context);
        assertEquals(expected, built.getName());
    }
    builder.close();

    verify(session, times(4)).getPeerPrincipal();
}
/**
 * PLAINTEXT with a legacy PrincipalBuilder supplied: the new builder must delegate to
 * {@code buildPrincipal(transportLayer, authenticator)}, wrap the returned name as a User
 * principal, and close the legacy builder when it is closed itself.
 */
@Test
@SuppressWarnings("deprecation")
public void testUseOldPrincipalBuilderForPlaintextIfProvided() throws Exception {
    final TransportLayer transport = mock(TransportLayer.class);
    final Authenticator auth = mock(Authenticator.class);
    final PrincipalBuilder legacyBuilder = mock(PrincipalBuilder.class);
    when(legacyBuilder.buildPrincipal(any(), any())).thenReturn(new DummyPrincipal("foo"));

    final DefaultKafkaPrincipalBuilder builder =
        DefaultKafkaPrincipalBuilder.fromOldPrincipalBuilder(auth, transport, legacyBuilder, null);
    final PlaintextAuthenticationContext context =
        new PlaintextAuthenticationContext(InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name());
    final KafkaPrincipal built = builder.build(context);

    assertEquals(KafkaPrincipal.USER_TYPE, built.getPrincipalType());
    assertEquals("foo", built.getName());
    builder.close();

    verify(legacyBuilder).buildPrincipal(transport, auth);
    verify(legacyBuilder).close();
}
/**
 * Serialises this DescribeDelegationToken request into the wire Struct for the request's version.
 *
 * A {@code null} owners list is written as a null OWNER field (distinct from an empty array);
 * otherwise each owner principal becomes one OWNER entry carrying its type and name.
 *
 * @return the populated request Struct
 */
@Override
protected Struct toStruct() {
    final short version = version();
    final Struct struct = new Struct(ApiKeys.DESCRIBE_DELEGATION_TOKEN.requestSchema(version));

    if (owners == null) {
        struct.set(OWNER_KEY_NAME, null);
        return struct;
    }

    final Object[] ownerEntries = new Object[owners.size()];
    int index = 0;
    for (KafkaPrincipal owner : owners) {
        final Struct entry = struct.instance(OWNER_KEY_NAME);
        entry.set(PRINCIPAL_TYPE, owner.getPrincipalType());
        entry.set(PRINCIPAL_NAME, owner.getName());
        ownerEntries[index] = entry;
        index++;
    }
    struct.set(OWNER_KEY_NAME, ownerEntries);
    return struct;
}
/**
 * Configuring a legacy PrincipalBuilder class via PRINCIPAL_BUILDER_CLASS_CONFIG must (a) call
 * configure() on it and (b) produce a KafkaPrincipalBuilder that delegates to it, exposing the
 * legacy name as a User principal.
 */
@Test
public void testCreateOldPrincipalBuilder() throws Exception {
    final TransportLayer transport = mock(TransportLayer.class);
    final Authenticator auth = mock(Authenticator.class);
    final Map<String, Object> configs = new HashMap<>();
    configs.put(BrokerSecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, OldPrincipalBuilder.class);

    final KafkaPrincipalBuilder builder =
        ChannelBuilders.createPrincipalBuilder(configs, transport, auth, null, null);

    // (a) the legacy builder saw configure()
    assertTrue(OldPrincipalBuilder.configured);

    // (b) builds are delegated to it
    final PlaintextAuthenticationContext context =
        new PlaintextAuthenticationContext(InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name());
    final KafkaPrincipal built = builder.build(context);
    assertEquals(OldPrincipalBuilder.PRINCIPAL_NAME, built.getName());
    assertEquals(KafkaPrincipal.USER_TYPE, built.getPrincipalType());
}
/**
 * SSL with a legacy PrincipalBuilder supplied: the legacy builder takes precedence over the
 * session's peer principal, its name is wrapped as a User principal, and it is closed together
 * with the wrapping builder.
 */
@Test
@SuppressWarnings("deprecation")
public void testUseOldPrincipalBuilderForSslIfProvided() throws Exception {
    final TransportLayer transport = mock(TransportLayer.class);
    final Authenticator auth = mock(Authenticator.class);
    final PrincipalBuilder legacyBuilder = mock(PrincipalBuilder.class);
    final SSLSession session = mock(SSLSession.class);
    when(legacyBuilder.buildPrincipal(any(), any())).thenReturn(new DummyPrincipal("foo"));

    final DefaultKafkaPrincipalBuilder builder =
        DefaultKafkaPrincipalBuilder.fromOldPrincipalBuilder(auth, transport, legacyBuilder, null);
    final SslAuthenticationContext context =
        new SslAuthenticationContext(session, InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name());
    final KafkaPrincipal built = builder.build(context);

    assertEquals(KafkaPrincipal.USER_TYPE, built.getPrincipalType());
    assertEquals("foo", built.getName());
    builder.close();

    verify(legacyBuilder).buildPrincipal(transport, auth);
    verify(legacyBuilder).close();
}
/**
 * SSL with neither a legacy builder nor a mapper: the name of the session's peer principal is
 * used directly as the User principal name.
 */
@Test
public void testUseSessionPeerPrincipalForSsl() throws Exception {
    final SSLSession session = mock(SSLSession.class);
    when(session.getPeerPrincipal()).thenReturn(new DummyPrincipal("foo"));

    final DefaultKafkaPrincipalBuilder builder = new DefaultKafkaPrincipalBuilder(null, null);
    final SslAuthenticationContext context =
        new SslAuthenticationContext(session, InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name());
    final KafkaPrincipal built = builder.build(context);

    assertEquals(KafkaPrincipal.USER_TYPE, built.getPrincipalType());
    assertEquals("foo", built.getName());
    builder.close();

    verify(session, atLeastOnce()).getPeerPrincipal();
}
/**
 * Only the first ':' separates type from name, so a name that itself contains ':' round-trips
 * intact through parseKafkaPrincipal.
 */
@Test
public void testPrincipalNameCanContainSeparator() {
    final String nameWithColons = "name:with:separator:in:it";
    final String encoded = KafkaPrincipal.USER_TYPE + ":" + nameWithColons;

    final KafkaPrincipal parsed = SecurityUtils.parseKafkaPrincipal(encoded);

    assertEquals(KafkaPrincipal.USER_TYPE, parsed.getPrincipalType());
    assertEquals(nameWithColons, parsed.getName());
}
Struct ownerStruct = singleRequestStruct.instance(OWNER_KEY_NAME); ownerStruct.set(PRINCIPAL_TYPE, tokenInfo.owner().getPrincipalType()); ownerStruct.set(PRINCIPAL_NAME, tokenInfo.owner().getName()); singleRequestStruct.set(OWNER_KEY_NAME, ownerStruct); singleRequestStruct.set(ISSUE_TIMESTAMP_KEY_NAME, tokenInfo.issueTimestamp()); Struct renewerStruct = singleRequestStruct.instance(RENEWERS_KEY_NAME); renewerStruct.set(PRINCIPAL_TYPE, principal.getPrincipalType()); renewerStruct.set(PRINCIPAL_NAME, principal.getName()); renewersArray[i++] = renewerStruct;
/**
 * parseKafkaPrincipal preserves a non-User principal type ("Group") rather than forcing User.
 */
@Test
public void testParseKafkaPrincipalWithNonUserPrincipalType() {
    final String groupType = "Group";
    final String groupName = "foo";

    final KafkaPrincipal parsed = SecurityUtils.parseKafkaPrincipal(groupType + ":" + groupName);

    assertEquals(groupType, parsed.getPrincipalType());
    assertEquals(groupName, parsed.getName());
}
/**
 * Serialises this CreateDelegationToken response into the wire Struct for the given version.
 *
 * Writes the error code, the owner principal (type and name), the issue/expiry/max timestamps,
 * the token id and the token HMAC bytes; THROTTLE_TIME_MS is written only for schema versions
 * that define it.
 *
 * @param version the response schema version to serialise against
 * @return the populated response Struct
 */
@Override
protected Struct toStruct(short version) {
    final Struct struct = new Struct(ApiKeys.CREATE_DELEGATION_TOKEN.responseSchema(version));
    struct.set(ERROR_CODE, error.code());

    final Struct ownerEntry = struct.instance(OWNER_KEY_NAME);
    ownerEntry.set(PRINCIPAL_TYPE, owner.getPrincipalType());
    ownerEntry.set(PRINCIPAL_NAME, owner.getName());
    struct.set(OWNER_KEY_NAME, ownerEntry);

    struct.set(ISSUE_TIMESTAMP_KEY_NAME, issueTimestamp);
    struct.set(EXPIRY_TIMESTAMP_NAME, expiryTimestamp);
    struct.set(MAX_TIMESTAMP_NAME, maxTimestamp);
    struct.set(TOKEN_ID_KEY_NAME, tokenId);
    struct.set(HMAC_KEY_NAME, hmac);
    // Optional field: older schemas have no throttle-time slot.
    struct.setIfExists(THROTTLE_TIME_MS, throttleTimeMs);
    return struct;
}
/**
 * Treats the ACL's principal name as the role it applies to.
 *
 * @param acl the ACL entry
 * @return the name of the ACL's principal
 */
private String getRole(Acl acl) {
    final String role = acl.principal().getName();
    return role;
}
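/**
 * Derives the short name used by this authorizer from the session's principal.
 *
 * If the principal name is an X.500-style DN containing a {@code CN=} RDN, the value of the first
 * such RDN is returned; otherwise the principal name is returned unchanged.
 *
 * @param session the request session whose principal is inspected
 * @return the CN value, or the full principal name when no CN RDN is present
 */
private String getName(RequestChannel.Session session) {
    return commonNameOf(session.principal().getName());
}

/**
 * Extracts the value of the first {@code CN=} RDN from a DN-like string.
 *
 * A plain {@code indexOf("CN=")} would also match a "CN=" that merely occurs inside another
 * attribute's value (e.g. {@code OU=aCN=evil,CN=real}), letting a crafted certificate subject
 * impersonate a different name. Here "CN=" must start an RDN: it is accepted only at the
 * beginning of the string or directly after an unescaped separating comma (optional spaces
 * allowed). A backslash-escaped comma inside the value does not terminate it, and an empty
 * value ({@code CN=,...}) yields "" rather than the remainder of the DN.
 *
 * @param principalName the raw principal name (returned as-is when {@code null})
 * @return the CN value, or {@code principalName} itself when no CN RDN is found
 */
static String commonNameOf(String principalName) {
    if (principalName == null) {
        return null;
    }
    final int rdnStart = indexOfCnRdn(principalName);
    if (rdnStart < 0) {
        return principalName;
    }
    final int valueStart = rdnStart + "CN=".length();
    int end = valueStart;
    while (end < principalName.length()) {
        final char c = principalName.charAt(end);
        if (c == '\\') {
            // Escaped character: keep it and whatever follows it as part of the value.
            end += 2;
            continue;
        }
        if (c == ',') {
            break;
        }
        end++;
    }
    return principalName.substring(valueStart, Math.min(end, principalName.length()));
}

/** Index of the first "CN=" that begins an RDN, or -1 if there is none. */
private static int indexOfCnRdn(String dn) {
    int from = 0;
    while (true) {
        final int idx = dn.indexOf("CN=", from);
        if (idx < 0) {
            return -1;
        }
        if (beginsRdn(dn, idx)) {
            return idx;
        }
        from = idx + 1;
    }
}

/** True when position {@code idx} is the start of the DN or follows an unescaped comma (spaces allowed). */
private static boolean beginsRdn(String dn, int idx) {
    int i = idx - 1;
    while (i >= 0 && dn.charAt(i) == ' ') {
        i--;
    }
    if (i < 0) {
        return true;
    }
    if (dn.charAt(i) != ',') {
        return false;
    }
    // A comma preceded by an odd number of backslashes is escaped and does not separate RDNs.
    int backslashes = 0;
    for (int j = i - 1; j >= 0 && dn.charAt(j) == '\\'; j--) {
        backslashes++;
    }
    return backslashes % 2 == 0;
}
}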
/**
 * Returns the ACLs that apply to the given principal.
 *
 * Only principals whose type lower-cases to "group" are resolved through role membership
 * (getRolesforGroup, then getAclsForRoles). Any other type is logged and answered with the
 * complete ACL map from getAcls().
 *
 * NOTE(review): that fallback is fail-open — an unrecognised principal type (including the
 * ordinary "User" type) receives every ACL rather than none. Whether a caller relies on this is
 * not visible here; from a least-privilege standpoint it deserves confirmation before it is
 * exposed to untrusted principal types.
 *
 * @param principal the principal whose ACLs are requested
 * @return the ACLs per resource for the principal's roles, or all ACLs for non-group types
 */
public Map<Resource, scala.collection.immutable.Set<Acl>> getAcls(KafkaPrincipal principal) {
    final String type = principal.getPrincipalType();
    if (!"group".equals(type.toLowerCase())) {
        LOG.info("Did not recognize Principal type: " + type + ". Returning Acls for all principals.");
        return getAcls();
    }
    final List<String> groupRoles = getRolesforGroup(principal.getName());
    return getAclsForRoles(groupRoles);
}
String username = KafkaUserModel.decodeUsername(principal.getName());