kafka-users mailing list archives

From Martin Gainty <mgai...@hotmail.com>
Subject Re: Writing a customized principal builder for authorization
Date Wed, 30 Nov 2016 21:35:02 GMT
this is a quick and dirty test you can use:


org.apache.kafka.common.network.SSLSelectorTest:

// The truststore must contain the keystore/cert that holds the actual principal you will use

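       // Truststore must hold the cert whose principal the test will actually see.
       File trustStoreFile = File.createTempFile("truststore", ".jks");
       // NOTE(review): the temp file is never deleted in this excerpt; the enclosing
       // test's teardown (not shown) should remove it.
       Map<String, Object> sslServerConfigs = org.apache.kafka.test.TestSslUtils.createSslConfig(false,
               true, Mode.SERVER, trustStoreFile, "server");

       // Supply the PrincipalBuilder class to the server under "principal.builder.class".
       // The default is "org.apache.kafka.common.security.auth.DefaultPrincipalBuilder";
       // substitute your own implementation's Class here to exercise it.
       sslServerConfigs.put(org.apache.kafka.common.config.SslConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG,
               Class.forName(SslConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));

       // Fail setup loudly: the original logged this at debug level and carried on,
       // then dereferenced the still-null server on the very next statement.
       try {
           this.server = new org.apache.kafka.common.network.EchoServer(sslServerConfigs);
       } catch (org.apache.kafka.common.KafkaException excp) {
           log.debug("SslSelectorTest::setup LINE 55 new EchoServer throws KafkaException message=" + excp.getMessage());
           throw excp;
       }
       this.server.start();
       this.time = new org.apache.kafka.common.utils.MockTime();

       // Client SSL config (the original line declared the identifier twice and did not compile).
       // NOTE(review): the channel builder below is created in Mode.CLIENT; confirm whether
       // this createSslConfig call should also be passed Mode.CLIENT rather than Mode.SERVER.
       Map<String, Object> sslClientConfigs = org.apache.kafka.test.TestSslUtils.createSslConfig(false,
               false, Mode.SERVER, trustStoreFile, "client");

       this.channelBuilder = new org.apache.kafka.common.network.SslChannelBuilder(org.apache.kafka.common.network.Mode.CLIENT);
       this.channelBuilder.configure(sslClientConfigs);
       this.metrics = new org.apache.kafka.common.Metrics();

       // The original note says Selector throws NullPointerException when the metric group
       // is null; let that propagate rather than catching NPE and logging at debug level,
       // which left the selector unset and the failure hidden.
       this.selector = new org.apache.kafka.common.network.Selector(5000, metrics, time,
               "MetricGroup", new LinkedHashMap<String, String>(), channelBuilder);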
   }
   catch(NullPointerException npe) { log.debug("SslSelectorTest::setup LINE 67 throws NPE
message="+npe.getMessage()); }

// if the metric group is not specified or is null, a NullPointerException is thrown

/* display attributes to ascertain principal name */

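/**
 * Dumps the private credentials and principals of a {@link javax.security.auth.Subject}
 * to stdout, then runs an {@code ISSsoAction} as that subject.
 *
 * <p>Quick-and-dirty diagnostic for working out which principal name a custom
 * Kafka PrincipalBuilder should return; not production code.
 * NOTE(review): {@code new Subject()} starts with empty credential and principal sets,
 * so unless {@code ISSsoAction} (defined elsewhere) populates it, the loops below
 * print nothing — confirm against the login module actually in use.
 */
public void authorize() {
    System.out.println("\n" + "*** Credential Information ***");

    // Fixed typo: the package is javax.security.auth, not "javaz".
    javax.security.auth.Subject subject = new javax.security.auth.Subject();

    // Subject.getPrivateCredentials() is declared as Set<Object>; no raw types needed.
    Set<Object> credentials = subject.getPrivateCredentials();
    for (Object credential : credentials) {
        // only ISAuthorizationCredential entries identify the logged-in user
        if (!(credential instanceof ISAuthorizationCredential)) {
            continue;
        }
        ISAuthorizationCredential isCredential = (ISAuthorizationCredential) credential;

        // The encrypted credential is authentication material; it is deliberately not
        // written to stdout (console output tends to end up in logs and captures).
        System.out.println("Dn=" + isCredential.getDN());
        System.out.println("Uid=" + isCredential.getUID());

        // roles may be null on this credential type (the original guarded for it)
        Set<?> roles = isCredential.getRoles();
        if (roles != null) {
            for (Object role : roles) {
                System.out.println("Role=" + role);
            }
        }

        System.out.println("ClientAddress=" + isCredential.getClientAddress());
        System.out.println("AuthMethod=" + isCredential.getAuthMethod());
        System.out.println("AuthTime=" + isCredential.getAuthTime());
        System.out.println("Expiration=" + isCredential.getExpiration());
    }

    System.out.println("\n" + "*** Principals Information ***");

    // getPrincipals() is declared as Set<Principal>, so no cast is needed
    for (Principal principal : subject.getPrincipals()) {
        System.out.println("Principal=" + principal.getName());
    }

    System.out.println("\n" + "*** Execute PrivilegedAction ***");

    // Run the custom SSO action (collects username/password) as this subject.
    // Subject.doAs is static; invoking it through the instance only obscured that.
    PrivilegedAction<?> myAction = new ISSsoAction();
    javax.security.auth.Subject.doAs(subject, myAction);
} // end authorize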
http://www.fujitsu.com/downloads/SFTWR/manual/fm_e/b23j37jh0/b1wn4881/01/b1wn488101enz2.pdf


/* IF you have to create a new URLConnection thru a proxy you can use something like
public class DelegateHttpsURLConnection extends com.sun.net.ssl.internal.www.protocol.https.DelegateHttpsURLConnection*/

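// NOTE(review): the enclosing class is not shown; url, p, handler and "this" must be the
// URL, proxy, protocol handler and HttpsURLConnectionImpl of the surrounding scope.
DelegateHttpsURLConnection delegate = new DelegateHttpsURLConnection((java.net.URL) url, (java.net.Proxy) p,
        (sun.net.www.protocol.https.Handler) handler, (sun.net.protocol.https.HttpsURLConnectionImpl) this);

/* Returns the principal with which the server authenticated itself, or throws an
   SSLPeerUnverifiedException if the server did not authenticate.
   Works as long as public interface Principal extends java.security.Principal.
   Fixed here: the missing ';' and the second getPeerCertificate() call in the log line. */
Principal principal = delegate.getPeerCertificate();
if (principal != null) {
    log.debug("peer certificate name=" + principal.getName());
}

// If the peer principal is absent, the server did not authenticate. The local principal
// below identifies this client's own certificate; it is diagnostic only and is not a
// substitute for verifying the peer.
if (delegate.getLocalPrincipal() != null) {
    log.debug("principal name=" + delegate.getLocalPrincipal().getName());
}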

//throw Exception

..it really is that simple..
M-
________________________________
From: Mayuresh Gharat <gharatmayuresh15@gmail.com>
Sent: Wednesday, November 30, 2016 12:51 PM
To: users@kafka.apache.org
Subject: Re: Writing a customized principal builder for authorization

"principal.builder.class" is the name of the property.

Thanks,

Mayuresh

On Wed, Nov 30, 2016 at 9:30 AM, <gharatmayuresh15@gmail.com> wrote:

> Hi Kriti,
>
> You will have to implement the Principal Builder interface and provide the
> full class path in broker config. I don't remember the exact config name
> right now, but you can search for some config by name
> "principalbuilder.class" in the broker configs.
>
> Once you do this, Kafka will automatically use your custom
> PrincipalBuilder class for generating the principal.
>
> The buildPrincipal() function in the PrincipalBuilder is where you will
> have to create your custom Principal class object (this custom
> principal class should implement the Java Principal interface), and this custom
> principal.getName() can return whatever name you want.
>
> Let me know if this helps.
>
> Thanks,
>
> Mayuresh
>
>
>
> Sent from my iPhone
>
> > On Nov 29, 2016, at 11:40 PM, Kiriti Sai <kiriti163.iitm@gmail.com>
> wrote:
> >
> > Hi,
> > Can anyone help me or point me to any resources that can be of help for
> > writing a customized principal builder to use in Authorization using
> ACLs?
> > I've enabled the SSL authentication scheme for both clients and brokers, but I
> > would like to change the principal name to just the original name and
> > Organizational Unit instead of the complete default principal name for
> SSL.
> >
> > Thanks in advance for the help.
>



--
-Regards,
Mayuresh R. Gharat
(862) 250-7125
