kafka-jira mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KAFKA-4454) Authorizer should also include the Principal generated by the PrincipalBuilder.
Date Sun, 25 Feb 2018 21:18:00 GMT

    [ https://issues.apache.org/jira/browse/KAFKA-4454?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16376244#comment-16376244
] 

ASF GitHub Bot commented on KAFKA-4454:
---------------------------------------

hachikuji closed pull request #2206: KAFKA-4454 : Authorizer should also include the Principal
generated by the PrincipalBuilder.
URL: https://github.com/apache/kafka/pull/2206
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipal.java
b/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipal.java
index 06c59d1c083..487c09e9e34 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipal.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipal.java
@@ -25,13 +25,19 @@
 
     private String principalType;
     private String name;
+    private Principal channelPrincipal;
 
     public KafkaPrincipal(String principalType, String name) {
+        this(principalType, name, null);
+    }
+
+    public KafkaPrincipal(String principalType, String name, Principal channelPrincipal)
{
         if (principalType == null || name == null) {
             throw new IllegalArgumentException("principalType and name can not be null");
         }
         this.principalType = principalType;
         this.name = name;
+        this.channelPrincipal = channelPrincipal;
     }
 
     public static KafkaPrincipal fromString(String str) {
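Review bot: The new three-argument constructor accepts a null channelPrincipal (the two-argument constructor passes null explicitly), but nothing on it says so, and the null check still covers only principalType and name. Add Javadoc on the constructor stating that channelPrincipal is optional and may be null, so Authorizer implementations know they have to handle that case. In these lines the field is assigned only in the constructor, so declaring it as `private final Principal channelPrincipal;` would make clear that the carried identity object cannot be replaced after construction.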
@@ -77,9 +83,23 @@ public String getName() {
         return name;
     }
 
+    /**
+     * Return the type of Principal.
+     *
+     * @return  principal type
+     */
     public String getPrincipalType() {
         return principalType;
     }
+
+    /**
+     * Return the Principal generated by PrincipalBuilder.
+     *
+     * @return  {@link java.security.Principal}, else null otherwise
+     */
+    public Principal getChannelPrincipal() {
+        return this.channelPrincipal;
+    }
 }
 
 
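Review bot: The @return text on getChannelPrincipal(), "else null otherwise", is redundant and does not say when null is returned. Given the constructors in this file, it is null whenever the object was built through the two-argument constructor, and a caller that uses the result for an authorization decision needs to know that. Suggested wording: "@return the Principal generated by the PrincipalBuilder, or null if this KafkaPrincipal was created without one".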
diff --git a/core/src/main/scala/kafka/network/SocketServer.scala b/core/src/main/scala/kafka/network/SocketServer.scala
index e98445f383d..781179fb76f 100644
--- a/core/src/main/scala/kafka/network/SocketServer.scala
+++ b/core/src/main/scala/kafka/network/SocketServer.scala
@@ -492,7 +492,7 @@ private[kafka] class Processor(val id: Int,
         val session = {
           // Only methods that are safe to call on a disconnected channel should be invoked
on 'channel'.
           val channel = if (openChannel != null) openChannel else selector.closingChannel(receive.source)
-          RequestChannel.Session(new KafkaPrincipal(KafkaPrincipal.USER_TYPE, channel.principal.getName),
channel.socketAddress)
+          RequestChannel.Session(new KafkaPrincipal(KafkaPrincipal.USER_TYPE, channel.principal.getName,
channel.principal()), channel.socketAddress)
         }
         val req = RequestChannel.Request(processor = id, connectionId = receive.source, session
= session, buffer = receive.payload, startTimeMs = time.milliseconds, securityProtocol = protocol)
         requestChannel.sendRequest(req)
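Review bot: The added line reads the principal from the channel twice and with two spellings, `channel.principal.getName` and `channel.principal()`. Bind it once to a local val and pass both the name and the object from that val, so the name stored in KafkaPrincipal and the channelPrincipal it carries are guaranteed to come from the same object. That also keeps the number of calls on 'channel' to one, in line with the comment above about only invoking methods that are safe on a disconnected channel.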


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Authorizer should also include the Principal generated by the PrincipalBuilder.
> -------------------------------------------------------------------------------
>
>                 Key: KAFKA-4454
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4454
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 0.10.0.1
>            Reporter: Mayuresh Gharat
>            Assignee: Mayuresh Gharat
>            Priority: Major
>
> Currently Kafka allows users to plug in a custom PrincipalBuilder and a custom Authorizer.
> The Authorizer.authorize() object takes in a Session object that wraps KafkaPrincipal and InetAddress.
> The KafkaPrincipal currently has a PrincipalType and Principal name, which is the name of the Principal generated by the PrincipalBuilder.
> This Principal, generated by the plugged-in PrincipalBuilder, might have other fields that might be required by the plugged-in Authorizer, but currently we lose this information since we only extract the name of the Principal while creating KafkaPrincipal in SocketServer.
> It would be great if KafkaPrincipal has an additional field "channelPrincipal" which is used to store the Principal generated by the plugged-in PrincipalBuilder.
> The plugged-in Authorizer can then use this "channelPrincipal" to do authorization.
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
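
The use case in the issue description, as an added example that is not part of the original message or of the Kafka code base: an authorization check that reads extra fields from the channel principal and denies when it is absent or of an unexpected type. The KafkaPrincipal class here is a stand-in limited to the members visible in the diff above; GroupPrincipal, authorize() and the sample names are hypothetical.

```java
import java.security.Principal;
import java.util.Set;

// Requires Java 10+ (Set.of / Set.copyOf).
public class ChannelPrincipalAuthzExample {
    // Stand-in for the patched KafkaPrincipal: only the members shown in the diff.
    static final class KafkaPrincipal {
        private final String principalType;
        private final String name;
        private final Principal channelPrincipal;
        KafkaPrincipal(String principalType, String name, Principal channelPrincipal) {
            if (principalType == null || name == null)
                throw new IllegalArgumentException("principalType and name can not be null");
            this.principalType = principalType;
            this.name = name;
            this.channelPrincipal = channelPrincipal; // may be null, as in the patch
        }
        String getName() { return name; }
        Principal getChannelPrincipal() { return channelPrincipal; }
    }

    // Hypothetical Principal that a custom PrincipalBuilder might return.
    static final class GroupPrincipal implements Principal {
        private final String name;
        private final Set<String> groups;
        GroupPrincipal(String name, Set<String> groups) {
            this.name = name;
            this.groups = Set.copyOf(groups); // defensive, immutable copy
        }
        @Override public String getName() { return name; }
        Set<String> groups() { return groups; }
    }

    // Hypothetical check: allow only when the expected principal type is present.
    static boolean authorize(KafkaPrincipal p, String requiredGroup) {
        Principal cp = p.getChannelPrincipal();
        if (!(cp instanceof GroupPrincipal)) return false;   // null or foreign type: deny
        GroupPrincipal gp = (GroupPrincipal) cp;
        if (!gp.getName().equals(p.getName())) return false; // wrapper and channel identity disagree
        return gp.groups().contains(requiredGroup);
    }

    public static void main(String[] args) {
        // Constructed sample principals.
        KafkaPrincipal withGroups = new KafkaPrincipal("User", "alice",
                new GroupPrincipal("alice", Set.of("payments-writers")));
        KafkaPrincipal nameOnly = new KafkaPrincipal("User", "alice", null);
        System.out.println("with channel principal: " + authorize(withGroups, "payments-writers"));
        System.out.println("name only:              " + authorize(nameOnly, "payments-writers"));
    }
}
```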
