/** Returns the SASL mechanism name reported by the wrapped {@code delegate}. */
public String getMechanismName() {
    final String mechanismName = delegate.getMechanismName();
    return mechanismName;
}
/**
 * Returns the SASL mechanism name of whichever participant this instance wraps:
 * the {@code client} when one is set, otherwise the {@code server}.
 */
public String getMechanismName() {
    final boolean clientSide = client != null;
    return clientSide ? client.getMechanismName() : server.getMechanismName();
}
/**
 * A GSSAPI SASL server must yield a USER principal whose name is the Kerberos short name
 * derived from the server's authorization ID, and the builder must consult both the server
 * and the short-namer to get there.
 */
@Test
public void testPrincipalBuilderGssapi() throws Exception {
    final KerberosShortNamer shortNamer = mock(KerberosShortNamer.class);
    final SaslServer saslServer = mock(SaslServer.class);
    when(saslServer.getMechanismName()).thenReturn(SaslConfigs.GSSAPI_MECHANISM);
    when(saslServer.getAuthorizationID()).thenReturn("foo/host@REALM.COM");
    when(shortNamer.shortName(any())).thenReturn("foo");

    final SaslAuthenticationContext context = new SaslAuthenticationContext(saslServer,
        SecurityProtocol.SASL_PLAINTEXT, InetAddress.getLocalHost(), SecurityProtocol.SASL_PLAINTEXT.name());
    final DefaultKafkaPrincipalBuilder builder = new DefaultKafkaPrincipalBuilder(shortNamer, null);
    final KafkaPrincipal principal = builder.build(context);

    assertEquals(KafkaPrincipal.USER_TYPE, principal.getPrincipalType());
    assertEquals("foo", principal.getName());
    builder.close();

    verify(saslServer, atLeastOnce()).getMechanismName();
    verify(saslServer, atLeastOnce()).getAuthorizationID();
    verify(shortNamer, atLeastOnce()).shortName(any());
}
/**
 * Builds the {@link KafkaPrincipal} for an authenticated connection.
 *
 * <p>Plaintext contexts map to {@link KafkaPrincipal#ANONYMOUS}. SSL contexts use the peer
 * principal of the session, passed through the SSL principal mapper, and fall back to ANONYMOUS
 * when the peer identity was not verified. SASL contexts use the authorization ID reported by the
 * {@link SaslServer}; only for the GSSAPI mechanism is it passed through the Kerberos short-namer,
 * every other mechanism's authorization ID becomes the principal name verbatim. When a legacy
 * {@code oldPrincipalBuilder} is configured it takes precedence for plaintext and SSL contexts.
 *
 * @param context the authentication context of the connection
 * @return the principal, never {@code null}
 * @throws IllegalArgumentException for a context type this builder does not handle
 */
@Override
public KafkaPrincipal build(AuthenticationContext context) {
    if (context instanceof PlaintextAuthenticationContext) {
        if (oldPrincipalBuilder == null) {
            return KafkaPrincipal.ANONYMOUS;
        }
        return convertToKafkaPrincipal(oldPrincipalBuilder.buildPrincipal(transportLayer, authenticator));
    }
    if (context instanceof SslAuthenticationContext) {
        final SSLSession session = ((SslAuthenticationContext) context).session();
        if (oldPrincipalBuilder != null) {
            return convertToKafkaPrincipal(oldPrincipalBuilder.buildPrincipal(transportLayer, authenticator));
        }
        try {
            return applySslPrincipalMapper(session.getPeerPrincipal());
        } catch (SSLPeerUnverifiedException unverified) {
            // Peer identity was not established (e.g. no client certificate): treat as anonymous.
            return KafkaPrincipal.ANONYMOUS;
        }
    }
    if (context instanceof SaslAuthenticationContext) {
        final SaslServer saslServer = ((SaslAuthenticationContext) context).server();
        final boolean kerberos = SaslConfigs.GSSAPI_MECHANISM.equals(saslServer.getMechanismName());
        final String authorizationId = saslServer.getAuthorizationID();
        // Kerberos names (service/host@REALM) are shortened; other mechanisms are used as-is.
        return kerberos
            ? applyKerberosShortNamer(authorizationId)
            : new KafkaPrincipal(KafkaPrincipal.USER_TYPE, authorizationId);
    }
    throw new IllegalArgumentException(
        "Unhandled authentication context type: " + context.getClass().getName());
}
/**
 * A non-GSSAPI SASL server (here SCRAM-SHA-256) must yield a USER principal whose name is the
 * server's authorization ID unchanged, without any Kerberos short-namer involvement.
 */
@Test
public void testPrincipalBuilderScram() throws Exception {
    final SaslServer saslServer = mock(SaslServer.class);
    when(saslServer.getMechanismName()).thenReturn(ScramMechanism.SCRAM_SHA_256.mechanismName());
    when(saslServer.getAuthorizationID()).thenReturn("foo");

    final SaslAuthenticationContext context = new SaslAuthenticationContext(saslServer,
        SecurityProtocol.SASL_PLAINTEXT, InetAddress.getLocalHost(), SecurityProtocol.SASL_PLAINTEXT.name());
    final DefaultKafkaPrincipalBuilder builder = new DefaultKafkaPrincipalBuilder(null, null);
    final KafkaPrincipal principal = builder.build(context);

    assertEquals(KafkaPrincipal.USER_TYPE, principal.getPrincipalType());
    assertEquals("foo", principal.getName());
    builder.close();

    verify(saslServer, atLeastOnce()).getMechanismName();
    verify(saslServer, atLeastOnce()).getAuthorizationID();
}
remoteAddress.set(socket.getInetAddress()); String mechanismName = saslServer.getMechanismName(); userAuthMechanism.set(mechanismName); if (AuthMethod.PLAIN.getMechanismName().equalsIgnoreCase(mechanismName)) {
/**
 * Tests that {@link Sasl#createSaslServer(String, String, String, Map, CallbackHandler)}
 * yields a server for {@link PlainSaslServerProvider#MECHANISM}, i.e. that the provider is
 * registered and advertises the expected mechanism name.
 */
@Test
public void createPlainSaslServer() throws Exception {
    final HashMap<String, String> props = new HashMap<String, String>();
    // Empty protocol/server name and no callback handler: only provider lookup is under test.
    final SaslServer plainServer =
        Sasl.createSaslServer(PlainSaslServerProvider.MECHANISM, "", "", props, null);
    Assert.assertNotNull(plainServer);
    Assert.assertEquals(PlainSaslServerProvider.MECHANISM, plainServer.getMechanismName());
}
/** The SIMPLE auth type must resolve to a provider whose SASL server uses the PLAIN mechanism. */
@Test
public void testCreateServerSimple() throws UnauthenticatedException, SaslException {
    final SaslParticipantProvider provider = SaslParticipantProvider.Factory.create(AuthType.SIMPLE);
    Assert.assertNotNull(provider);
    final SaslServer created = provider.createSaslServer("test", mConfiguration);
    Assert.assertNotNull(created);
    Assert.assertEquals(PlainSaslServerProvider.MECHANISM, created.getMechanismName());
}
}
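/**
 * Creates the GSSAPI {@link SaslServer} for this authenticator.
 *
 * <p>{@code principalName} must have the form {@code service/fqdn@kdcrealm}; the service and
 * host parts are handed to {@link Sasl#createSaslServer} and this authenticator acts as the
 * server's callback handler.
 *
 * @throws IllegalArgumentException if {@code principalName} is not of the expected form
 * @throws IllegalStateException if no SASL server could be created (the original cause is
 *         attached and logged)
 */
Krb5SaslAuthenticator() {
    // For sasl properties regarding GSSAPI, see:
    // https://docs.oracle.com/javase/8/docs/technotes/guides/security/sasl/sasl-refguide.html#SERVER
    // Rely on GSSAPI defaults for Sasl.MAX_BUFFER and Sasl.QOP. Note, however, that gremlin-driver has
    // Sasl.SERVER_AUTH fixed to true (mutual authentication) and one can configure SSL for enhanced confidentiality.
    // Sasl policy properties for negotiating the authentication mechanism are not relevant here, because
    // GSSAPI is the only available mechanism for this authenticator.
    final Map<String, Object> props = new HashMap<String, Object>();
    final String[] principalParts = principalName.split("/|@");
    if (principalParts.length < 3) {
        throw new IllegalArgumentException("Use principal name of format 'service/fqdn@kdcrealm'");
    }
    try {
        saslServer = Sasl.createSaslServer(mechanism, principalParts[0], principalParts[1], props, Krb5SaslAuthenticator.this);
    } catch (Exception e) {
        logger.error("Creating sasl server failed: ", e);
        // Fail fast: swallowing the error here previously left saslServer null and the
        // debug line below threw a NullPointerException with no useful context.
        throw new IllegalStateException("Creating sasl server failed", e);
    }
    if (saslServer == null) {
        // Sasl.createSaslServer returns null when no installed provider supports the mechanism.
        throw new IllegalStateException("No SASL server provider found for mechanism " + mechanism);
    }
    logger.debug("SaslServer created with: " + saslServer.getMechanismName());
}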
mechanism = SaslMechanism.get(saslServer.getMechanismName()); } catch (Exception e) { log.error("Failed to process RPC with SASL mechanism {}", saslServer.getMechanismName()); throw e;
/** Returns the mechanism name of the {@code wrapped} SASL participant. */
@Override
public String getMechanismName() {
    final String mechanismName = wrapped.getMechanismName();
    return mechanismName;
}
/** Returns the SASL mechanism name reported by the wrapped {@code delegate}. */
public String getMechanismName() {
    final String mechanismName = delegate.getMechanismName();
    return mechanismName;
}
/** Returns the SASL mechanism name reported by the wrapped {@code delegate}. */
public String getMechanismName() {
    final String mechanismName = delegate.getMechanismName();
    return mechanismName;
}
/** Returns the SASL mechanism name reported by the wrapped {@code delegate}. */
public String getMechanismName() {
    final String mechanismName = delegate.getMechanismName();
    return mechanismName;
}
/**
 * Returns the SASL mechanism name of whichever participant this instance wraps:
 * the {@code client} when one is set, otherwise the {@code server}.
 */
public String getMechanismName() {
    final boolean clientSide = client != null;
    return clientSide ? client.getMechanismName() : server.getMechanismName();
}
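/**
 * Creates the GSSAPI {@link SaslServer} for this authenticator.
 *
 * <p>{@code principalName} must have the form {@code service/fqdn@kdcrealm}; the service and
 * host parts are handed to {@link Sasl#createSaslServer} and this authenticator acts as the
 * server's callback handler.
 *
 * @throws IllegalArgumentException if {@code principalName} is not of the expected form
 * @throws IllegalStateException if no SASL server could be created (the original cause is
 *         attached and logged)
 */
Krb5SaslAuthenticator() {
    // For sasl properties regarding GSSAPI, see:
    // https://docs.oracle.com/javase/8/docs/technotes/guides/security/sasl/sasl-refguide.html#SERVER
    // Rely on GSSAPI defaults for Sasl.MAX_BUFFER and Sasl.QOP. Note, however, that gremlin-driver has
    // Sasl.SERVER_AUTH fixed to true (mutual authentication) and one can configure SSL for enhanced confidentiality.
    // Sasl policy properties for negotiating the authentication mechanism are not relevant here, because
    // GSSAPI is the only available mechanism for this authenticator.
    final Map<String, Object> props = new HashMap<String, Object>();
    final String[] principalParts = principalName.split("/|@");
    if (principalParts.length < 3) {
        throw new IllegalArgumentException("Use principal name of format 'service/fqdn@kdcrealm'");
    }
    try {
        saslServer = Sasl.createSaslServer(mechanism, principalParts[0], principalParts[1], props, Krb5SaslAuthenticator.this);
    } catch (Exception e) {
        logger.error("Creating sasl server failed: ", e);
        // Fail fast: swallowing the error here previously left saslServer null and the
        // debug line below threw a NullPointerException with no useful context.
        throw new IllegalStateException("Creating sasl server failed", e);
    }
    if (saslServer == null) {
        // Sasl.createSaslServer returns null when no installed provider supports the mechanism.
        throw new IllegalStateException("No SASL server provider found for mechanism " + mechanism);
    }
    logger.debug("SaslServer created with: " + saslServer.getMechanismName());
}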
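/**
 * Evaluates a SASL client response while running as the Hadoop login user, so the
 * mechanism sees that user's credentials.
 *
 * @param saslServer    the server-side SASL participant
 * @param responseBytes the raw response received from the client
 * @return whatever {@link SaslServer#evaluateResponse(byte[])} returns for the response
 * @throws SaslException if the mechanism rejects the response; any other failure is wrapped
 *         in a {@link SaslException} naming the mechanism, with the cause preserved
 */
private static byte[] evaluateResponse(final SaslServer saslServer, final byte[] responseBytes)
    throws SaslException {
  try {
    // Anonymous class rather than a lambda: UserGroupInformation#doAs is overloaded for
    // PrivilegedAction and PrivilegedExceptionAction and a lambda would be ambiguous.
    return UserGroupInformation.getLoginUser()
        .doAs(new PrivilegedExceptionAction<byte[]>() {
          @Override
          public byte[] run() throws Exception {
            return saslServer.evaluateResponse(responseBytes);
          }
        });
  } catch (final UndeclaredThrowableException e) {
    // doAs wraps checked exceptions it does not declare; surface the real cause.
    throw new SaslException(String.format("Unexpected failure trying to authenticate using %s",
        saslServer.getMechanismName()), e.getCause());
  } catch (final IOException | InterruptedException e) {
    if (e instanceof SaslException) {
      throw (SaslException) e;
    }
    if (e instanceof InterruptedException) {
      // Restore the interrupt flag so callers further up still observe the interruption.
      Thread.currentThread().interrupt();
    }
    throw new SaslException(String.format("Unexpected failure trying to authenticate using %s",
        saslServer.getMechanismName()), e);
  }
}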
/**
 * Reports a failed SASL authentication: records the mechanism, encryption context and remote
 * address at debug level together with the failure, answers the client with the fixed
 * {@code SASL_FAILED_MESSAGE} (the failure details stay in the server log), and then drops the
 * connection by rethrowing the failure as an {@link RpcException}.
 *
 * @param connection       the connection whose authentication failed
 * @param sender           used to deliver the failure response to the client
 * @param e                the underlying failure
 * @param saslResponseType the response type to send to the client
 * @throws RpcException always, wrapping {@code e}
 */
private static <S extends ServerConnection<S>, T extends EnumLite> void handleAuthFailure(
    final S connection, final ResponseSender sender, final Exception e, final T saslResponseType)
    throws RpcException {
  final String peer = connection.getRemoteAddress().toString();
  final String mechanism = connection.getSaslServer().getMechanismName();
  final String encryptionCtxt = connection.getEncryptionCtxtString();
  logger.debug("Authentication using mechanism {} with encryption context {} failed from client {} due to {}",
      mechanism, encryptionCtxt, peer, e);
  // Tell the client only that authentication failed, nothing more.
  sender.send(new Response(saslResponseType, SASL_FAILED_MESSAGE));
  // Propagating the failure closes the connection.
  throw new RpcException(e);
}
}
mechanism = SaslMechanism.get(saslServer.getMechanismName()); } catch (Exception e) { log.error("Failed to process RPC with SASL mechanism {}", saslServer.getMechanismName()); throw e;
saslServer.getAuthorizationID(), saslServer.getMechanismName(), connection.getRemoteAddress().toString(), connection.getEncryptionCtxtString());