zookeeper-dev mailing list archives

From "Andy B (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (ZOOKEEPER-2433) ZooKeeperSaslServer: allow user principals in subject
Date Thu, 02 Jun 2016 08:47:59 GMT

[ https://issues.apache.org/jira/browse/ZOOKEEPER-2433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15301771#comment-15301771 ]

Andy B edited comment on ZOOKEEPER-2433 at 6/2/16 8:47 AM:
-----------------------------------------------------------

Hi, at the moment there isn't any test for the ZooKeeperSaslServer.

As noted [here|http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/ClientServer.html],
single-component names (e.g. user principals) are sometimes used.

The easiest manual test is to create a Kerberos principal without a host component

{noformat}
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey kafka@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{keytabname}.keytab kafka@{REALM}"
{noformat}

and use it to authenticate a Kafka broker.

One should see the logs below (log level DEBUG).

*With patch:*
{noformat}
  INFO Accepted socket connection from /<ip-addr>:47570
  DEBUG serviceHostname is 'null'
  DEBUG servicePrincipalName is 'kafka'
  DEBUG SASL mechanism(mech) is 'GSSAPI'
  INFO Established session [...]
{noformat}

*Without patch:*
{noformat}
  INFO Accepted socket connection from /<ip-addr>:47570
  ERROR server principal name/hostname determination error:
        java.lang.StringIndexOutOfBoundsException: String index out of range: -1
        at java.lang.String.substring(String.java:1967)
  ERROR failed to create saslServer object.
{noformat}

The error occurs [here|https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java#L67]:
since the slash that separates the service name from the hostname cannot be found, the substring method fails.


> ZooKeeperSaslServer: allow user principals in subject
> -----------------------------------------------------
>
>                 Key: ZOOKEEPER-2433
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2433
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.5.1
>            Reporter: Andy B
>            Assignee: Andy B
>              Labels: easyfix
>             Fix For: 3.5.2, 3.6.0
>
>         Attachments: ZOOKEEPER-2433.patch
>
>   Original Estimate: 5h
>  Remaining Estimate: 5h
>
> The _createSaslServer_ function in ZooKeeperSaslServer +handles only service principal
> names+ (e.g. *service_name/{color:blue}machine_name{color}@realm*), though sometimes user/service
> principal names +without host name+ (e.g. *service_name@realm*) are used for authentication.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
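As an added example, not code from the ZooKeeper project or from the comment's author, the hypothetical Java class below (the class name and method names are assumptions) contrasts the unguarded substring-on-indexOf pattern the comment describes with a parse that accepts both the service_name/machine_name@realm and service_name@realm forms from the issue description; the sample principals are constructed.

```java
import java.util.Objects;
// Added example, not ZooKeeper's own code: a hypothetical parser for Kerberos
// principal names covering both forms discussed in ZOOKEEPER-2433.
public final class PrincipalNameParser {

    // Parsed result; hostname is null for a single-component principal.
    public static final class ServicePrincipal {
        public final String serviceName, hostname, realm;
        ServicePrincipal(String serviceName, String hostname, String realm) {
            this.serviceName = serviceName; this.hostname = hostname; this.realm = realm;
        }
    }

    // The unguarded pattern the comment describes: indexOf('/') is -1 for
    // "kafka@REALM", so substring(0, -1) throws StringIndexOutOfBoundsException.
    static String serviceNameUnguarded(String principal) {
        return principal.substring(0, principal.indexOf('/'));
    }

    // Guarded parse accepting both "svc/host@REALM" and "svc@REALM".
    public static ServicePrincipal parse(String principal) {
        Objects.requireNonNull(principal, "principal");
        int at = principal.lastIndexOf('@');            // realm separator, if any
        String realm = at >= 0 ? principal.substring(at + 1) : null;
        String primary = at >= 0 ? principal.substring(0, at) : principal;
        int slash = primary.indexOf('/');               // -1 => no host component
        String serviceName = slash >= 0 ? primary.substring(0, slash) : primary;
        String hostname = slash >= 0 ? primary.substring(slash + 1) : null;
        if (serviceName.isEmpty()) {
            throw new IllegalArgumentException("empty service name in: " + principal);
        }
        return new ServicePrincipal(serviceName, hostname, realm);
    }

    public static void main(String[] args) {
        // Constructed sample principals, one per form.
        String[] samples = { "zookeeper/zk1.example.com@EXAMPLE.COM", "kafka@EXAMPLE.COM" };
        for (String p : samples) {
            ServicePrincipal sp = parse(p);
            System.out.println(p + " -> serviceHostname is '" + sp.hostname
                    + "', servicePrincipalName is '" + sp.serviceName + "'");
            try {
                System.out.println("  unguarded: '" + serviceNameUnguarded(p) + "'");
            } catch (StringIndexOutOfBoundsException e) {
                System.out.println("  unguarded: " + e);
            }
        }
    }
}
```

For the single-component sample the guarded parse reports a null hostname, matching the "serviceHostname is 'null'" DEBUG line in the with-patch log, while the unguarded helper throws.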
