public void ensurePrincipalUnchanged(KafkaPrincipal reauthenticatedKafkaPrincipal) throws SaslAuthenticationException { if (!previousKafkaPrincipal.equals(reauthenticatedKafkaPrincipal)) { throw new SaslAuthenticationException(String.format( "Cannot change principals during re-authentication from %s.%s: %s.%s", previousKafkaPrincipal.getPrincipalType(), previousKafkaPrincipal.getName(), reauthenticatedKafkaPrincipal.getPrincipalType(), reauthenticatedKafkaPrincipal.getName())); } }
@Override protected Struct toStruct() { short version = version(); Struct struct = new Struct(ApiKeys.CREATE_DELEGATION_TOKEN.requestSchema(version)); Object[] renewersArray = new Object[renewers.size()]; int i = 0; for (KafkaPrincipal principal: renewers) { Struct renewerStruct = struct.instance(RENEWERS_KEY_NAME); renewerStruct.set(PRINCIPAL_TYPE, principal.getPrincipalType()); renewerStruct.set(PRINCIPAL_NAME, principal.getName()); renewersArray[i++] = renewerStruct; } struct.set(RENEWERS_KEY_NAME, renewersArray); struct.set(MAX_LIFE_TIME_KEY_NAME, maxLifeTime); return struct; }
@Test public void testPrincipalBuilderGssapi() throws Exception { SaslServer server = mock(SaslServer.class); KerberosShortNamer kerberosShortNamer = mock(KerberosShortNamer.class); when(server.getMechanismName()).thenReturn(SaslConfigs.GSSAPI_MECHANISM); when(server.getAuthorizationID()).thenReturn("foo/host@REALM.COM"); when(kerberosShortNamer.shortName(any())).thenReturn("foo"); DefaultKafkaPrincipalBuilder builder = new DefaultKafkaPrincipalBuilder(kerberosShortNamer, null); KafkaPrincipal principal = builder.build(new SaslAuthenticationContext(server, SecurityProtocol.SASL_PLAINTEXT, InetAddress.getLocalHost(), SecurityProtocol.SASL_PLAINTEXT.name())); assertEquals(KafkaPrincipal.USER_TYPE, principal.getPrincipalType()); assertEquals("foo", principal.getName()); builder.close(); verify(server, atLeastOnce()).getMechanismName(); verify(server, atLeastOnce()).getAuthorizationID(); verify(kerberosShortNamer, atLeastOnce()).shortName(any()); }
@Test public void testPrincipalBuilderScram() throws Exception { SaslServer server = mock(SaslServer.class); when(server.getMechanismName()).thenReturn(ScramMechanism.SCRAM_SHA_256.mechanismName()); when(server.getAuthorizationID()).thenReturn("foo"); DefaultKafkaPrincipalBuilder builder = new DefaultKafkaPrincipalBuilder(null, null); KafkaPrincipal principal = builder.build(new SaslAuthenticationContext(server, SecurityProtocol.SASL_PLAINTEXT, InetAddress.getLocalHost(), SecurityProtocol.SASL_PLAINTEXT.name())); assertEquals(KafkaPrincipal.USER_TYPE, principal.getPrincipalType()); assertEquals("foo", principal.getName()); builder.close(); verify(server, atLeastOnce()).getMechanismName(); verify(server, atLeastOnce()).getAuthorizationID(); }
@Test @SuppressWarnings("deprecation") public void testUseOldPrincipalBuilderForPlaintextIfProvided() throws Exception { TransportLayer transportLayer = mock(TransportLayer.class); Authenticator authenticator = mock(Authenticator.class); PrincipalBuilder oldPrincipalBuilder = mock(PrincipalBuilder.class); when(oldPrincipalBuilder.buildPrincipal(any(), any())).thenReturn(new DummyPrincipal("foo")); DefaultKafkaPrincipalBuilder builder = DefaultKafkaPrincipalBuilder.fromOldPrincipalBuilder(authenticator, transportLayer, oldPrincipalBuilder, null); KafkaPrincipal principal = builder.build(new PlaintextAuthenticationContext( InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name())); assertEquals(KafkaPrincipal.USER_TYPE, principal.getPrincipalType()); assertEquals("foo", principal.getName()); builder.close(); verify(oldPrincipalBuilder).buildPrincipal(transportLayer, authenticator); verify(oldPrincipalBuilder).close(); }
@Override protected Struct toStruct() { short version = version(); Struct struct = new Struct(ApiKeys.DESCRIBE_DELEGATION_TOKEN.requestSchema(version)); if (owners == null) { struct.set(OWNER_KEY_NAME, null); } else { Object[] ownersArray = new Object[owners.size()]; int i = 0; for (KafkaPrincipal principal: owners) { Struct ownerStruct = struct.instance(OWNER_KEY_NAME); ownerStruct.set(PRINCIPAL_TYPE, principal.getPrincipalType()); ownerStruct.set(PRINCIPAL_NAME, principal.getName()); ownersArray[i++] = ownerStruct; } struct.set(OWNER_KEY_NAME, ownersArray); } return struct; }
@Test public void testCreateOldPrincipalBuilder() throws Exception { TransportLayer transportLayer = mock(TransportLayer.class); Authenticator authenticator = mock(Authenticator.class); Map<String, Object> configs = new HashMap<>(); configs.put(BrokerSecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, OldPrincipalBuilder.class); KafkaPrincipalBuilder builder = ChannelBuilders.createPrincipalBuilder(configs, transportLayer, authenticator, null, null); // test old principal builder is properly configured and delegated to assertTrue(OldPrincipalBuilder.configured); // test delegation KafkaPrincipal principal = builder.build(new PlaintextAuthenticationContext(InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name())); assertEquals(OldPrincipalBuilder.PRINCIPAL_NAME, principal.getName()); assertEquals(KafkaPrincipal.USER_TYPE, principal.getPrincipalType()); }
@Test @SuppressWarnings("deprecation") public void testUseOldPrincipalBuilderForSslIfProvided() throws Exception { TransportLayer transportLayer = mock(TransportLayer.class); Authenticator authenticator = mock(Authenticator.class); PrincipalBuilder oldPrincipalBuilder = mock(PrincipalBuilder.class); SSLSession session = mock(SSLSession.class); when(oldPrincipalBuilder.buildPrincipal(any(), any())) .thenReturn(new DummyPrincipal("foo")); DefaultKafkaPrincipalBuilder builder = DefaultKafkaPrincipalBuilder.fromOldPrincipalBuilder(authenticator, transportLayer, oldPrincipalBuilder, null); KafkaPrincipal principal = builder.build( new SslAuthenticationContext(session, InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name())); assertEquals(KafkaPrincipal.USER_TYPE, principal.getPrincipalType()); assertEquals("foo", principal.getName()); builder.close(); verify(oldPrincipalBuilder).buildPrincipal(transportLayer, authenticator); verify(oldPrincipalBuilder).close(); }
@Test public void testUseSessionPeerPrincipalForSsl() throws Exception { SSLSession session = mock(SSLSession.class); when(session.getPeerPrincipal()).thenReturn(new DummyPrincipal("foo")); DefaultKafkaPrincipalBuilder builder = new DefaultKafkaPrincipalBuilder(null, null); KafkaPrincipal principal = builder.build( new SslAuthenticationContext(session, InetAddress.getLocalHost(), SecurityProtocol.PLAINTEXT.name())); assertEquals(KafkaPrincipal.USER_TYPE, principal.getPrincipalType()); assertEquals("foo", principal.getName()); builder.close(); verify(session, atLeastOnce()).getPeerPrincipal(); }
@Test public void testPrincipalNameCanContainSeparator() { String name = "name:with:separator:in:it"; KafkaPrincipal principal = SecurityUtils.parseKafkaPrincipal(KafkaPrincipal.USER_TYPE + ":" + name); assertEquals(KafkaPrincipal.USER_TYPE, principal.getPrincipalType()); assertEquals(name, principal.getName()); }
Struct singleRequestStruct = struct.instance(TOKEN_DETAILS_KEY_NAME); Struct ownerStruct = singleRequestStruct.instance(OWNER_KEY_NAME); ownerStruct.set(PRINCIPAL_TYPE, tokenInfo.owner().getPrincipalType()); ownerStruct.set(PRINCIPAL_NAME, tokenInfo.owner().getName()); singleRequestStruct.set(OWNER_KEY_NAME, ownerStruct); for (KafkaPrincipal principal: tokenInfo.renewers()) { Struct renewerStruct = singleRequestStruct.instance(RENEWERS_KEY_NAME); renewerStruct.set(PRINCIPAL_TYPE, principal.getPrincipalType()); renewerStruct.set(PRINCIPAL_NAME, principal.getName()); renewersArray[i++] = renewerStruct;
@Test public void testParseKafkaPrincipalWithNonUserPrincipalType() { String name = "foo"; String principalType = "Group"; KafkaPrincipal principal = SecurityUtils.parseKafkaPrincipal(principalType + ":" + name); assertEquals(principalType, principal.getPrincipalType()); assertEquals(name, principal.getName()); }
@Override protected Struct toStruct(short version) { Struct struct = new Struct(ApiKeys.CREATE_DELEGATION_TOKEN.responseSchema(version)); struct.set(ERROR_CODE, error.code()); Struct ownerStruct = struct.instance(OWNER_KEY_NAME); ownerStruct.set(PRINCIPAL_TYPE, owner.getPrincipalType()); ownerStruct.set(PRINCIPAL_NAME, owner.getName()); struct.set(OWNER_KEY_NAME, ownerStruct); struct.set(ISSUE_TIMESTAMP_KEY_NAME, issueTimestamp); struct.set(EXPIRY_TIMESTAMP_NAME, expiryTimestamp); struct.set(MAX_TIMESTAMP_NAME, maxTimestamp); struct.set(TOKEN_ID_KEY_NAME, tokenId); struct.set(HMAC_KEY_NAME, hmac); struct.setIfExists(THROTTLE_TIME_MS, throttleTimeMs); return struct; }
public Map<Resource, scala.collection.immutable.Set<Acl>> getAcls(KafkaPrincipal principal) { if (principal.getPrincipalType().toLowerCase().equals("group")) { List<String> roles = getRolesforGroup(principal.getName()); return getAclsForRoles(roles); } else { LOG.info("Did not recognize Principal type: " + principal.getPrincipalType() + ". Returning Acls for all principals."); return getAcls(); } }
private void verifyAcls(scala.collection.immutable.Set<Acl> acls) { final Iterator<Acl> iterator = acls.iterator(); while (iterator.hasNext()) { final Acl acl = iterator.next(); assert acl.principal().getPrincipalType().toLowerCase().equals("role") : "Only Acls with KafkaPrincipal of type \"role;\" is supported."; assert acl.permissionType().name().equals(Allow.name()) : "Only Acls with Permission of type \"Allow\" is supported."; } }
KafkaPrincipal principal = iter2.next().principal(); if (KafkaPrincipal.USER_TYPE.equals(principal.getPrincipalType())) {