kafka-dev mailing list archives

From "Manikumar (Jira)" <j...@apache.org>
Subject [jira] [Resolved] (KAFKA-8860) SslPrincipalMapper should handle distinguished names with spaces
Date Mon, 02 Sep 2019 18:04:00 GMT

     [ https://issues.apache.org/jira/browse/KAFKA-8860?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Manikumar resolved KAFKA-8860.
------------------------------
    Resolution: Fixed

Issue resolved by pull request 7140
[https://github.com/apache/kafka/pull/7140]

> SslPrincipalMapper should handle distinguished names with spaces
> ----------------------------------------------------------------
>
>                 Key: KAFKA-8860
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8860
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 2.2.0
>            Reporter: Manikumar
>            Priority: Major
>             Fix For: 2.4.0
>
>
> This Jira is to track the issue reported by [tb@teebee.de|mailto:tb@teebee.de] in PR [#7140|https://github.com/apache/kafka/pull/7140]
> PR [#6099|https://github.com/apache/kafka/pull/6099] tried to undo the splitting of the {{ssl.principal.mapper.rules}} [list|https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/KafkaConfig.scala#L1054] on [comma with whitespace|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L78] by [sophisticated rejoining|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42] of the split list using a comma as separator. However, since possibly surrounding whitespace is not reconstructed this approach fails in general. Consider the following test case:
> {code:java}
> @Test
> public void testCommaWithWhitespace() throws Exception {
>     String value = "RULE:^CN=((\\\\, *|\\w)+)(,.*|$)/$1/,DEFAULT";
>     @SuppressWarnings("unchecked")
>     List<String> rules = (List<String>) ConfigDef.parseType("ssl.principal.mapper.rules", value, Type.LIST);
>     SslPrincipalMapper mapper = SslPrincipalMapper.fromRules(rules);
>     assertEquals("Tkac\\, Adam", mapper.getName("CN=Tkac\\, Adam,OU=ITZ,DC=geodis,DC=cz"));
> }
> {code}
> The space after the escaped comma is [essential|https://sogo.nu/bugs/view.php?id=2152]. Unfortunately, it has disappeared after splitting and rejoining.
> Moreover, in [{{joinSplitRules}}|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42] the decision to rejoin list elements is based on local information only which might not be sufficient. It works for {quote}"RULE:^CN=([^,ADEFLTU,]+)(,.*|$)/$1/"{quote} but fails for the _equivalent_ regular expression {quote}"RULE:^CN=([^,DEFAULT,]+)(,.*|$)/$1/"{quote}
> The approach of the current PR is to change the type of the {{ssl.principal.mapper.rules}} attribute from [LIST|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781] to [STRING|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781] and to delegate the splitting of the rules to the [SslPrincipalMapper|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java]. It knows about the structure of the rules and can perform the splitting context-based.



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
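
The failure described in the report, as an added Java example that is not part of the original message and not Kafka's code: splitting on comma-with-whitespace and rejoining with a bare comma drops the space inside the rule's regular expression, while a splitter that knows the rule structure keeps it. The class name, `splitAndRejoin`, `splitByGrammar`, `mappedName` and the rule grammar in `RULE` are assumptions made for illustration; the rule value and the DN are the ones from the test case above.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.*;

public class RuleSplitDemo {
    // Separator the report describes for LIST values: a comma with surrounding whitespace.
    static final Pattern COMMA_WS = Pattern.compile("\\s*,\\s*");
    // Illustrative grammar (an assumption): DEFAULT, or RULE:pattern/replacement/[L|U],
    // where '/' ends a part unless it is backslash-escaped. group(2) is the pattern.
    static final Pattern RULE = Pattern.compile(
        "\\s*(DEFAULT|RULE:((?:\\\\.|[^\\\\/])*)/(?:\\\\.|[^\\\\/])*/[LU]?)\\s*(?:,|$)");

    // Simplified stand-in for split-then-rejoin: glue pieces back together with a
    // bare comma until the next piece looks like the start of a rule.
    static List<String> splitAndRejoin(String value) {
        List<String> rules = new ArrayList<>();
        for (String piece : COMMA_WS.split(value.trim(), -1)) {
            if (rules.isEmpty() || piece.startsWith("RULE:") || piece.equals("DEFAULT")) rules.add(piece);
            else rules.set(rules.size() - 1, rules.get(rules.size() - 1) + "," + piece);
        }
        return rules;
    }

    // Context-aware split: consume one whole rule at a time, so commas and spaces
    // inside a rule's regular expression are never treated as list separators.
    static List<String> splitByGrammar(String value) {
        List<String> rules = new ArrayList<>();
        Matcher m = RULE.matcher(value);
        for (int pos = 0; pos < value.length(); pos = m.end()) {
            m.region(pos, value.length());
            if (!m.lookingAt()) throw new IllegalArgumentException("Invalid rule at offset " + pos);
            rules.add(m.group(1));
        }
        return rules;
    }

    // Apply a rule's pattern to a DN and return capture group 1 (the rule here uses /$1/).
    static String mappedName(String rule, String dn) {
        Matcher r = RULE.matcher(rule);
        if (!r.lookingAt() || r.group(2) == null) return null;
        Matcher m = Pattern.compile(r.group(2)).matcher(dn);
        return m.matches() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        String value = "RULE:^CN=((\\\\, *|\\w)+)(,.*|$)/$1/,DEFAULT"; // value from the report
        String dn = "CN=Tkac\\, Adam,OU=ITZ,DC=geodis,DC=cz";           // DN from the report
        System.out.println(mappedName(splitAndRejoin(value).get(0), dn));
        System.out.println(mappedName(splitByGrammar(value).get(0), dn));
    }
}
```

The two printed names differ because the rejoined rule no longer contains the space after the escaped comma. A principal name derived from a silently altered rule matters for authorization, since ACLs are matched against the mapped name.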
