KAFKA-18627:add allowed modules to JaasUtils #18683
Conversation
|
I cannot reproduce this issue locally. I suspect that the test case has added environment variables |
|
@chia7712 PTAL |
| List<String> jaasModules = new ArrayList<>(); | ||
| jaasModules.add(ALLOWED_LOGIN_MODULES_DEFAULT); | ||
| jaasModules.addAll(Arrays.asList(customJaas)); | ||
| System.setProperty(org.apache.kafka.common.security.JaasUtils.ALLOWED_LOGIN_MODULES_CONFIG, String.join(",", jaasModules)); |
| @@ -75,6 +76,7 @@ public void setup() throws Exception { | |||
| TestJaasConfig testJaasConfig = TestJaasConfig.createConfiguration("PLAIN", Collections.singletonList("PLAIN")); | |||
| testJaasConfig.setClientOptions("PLAIN", TestJaasConfig.USERNAME, "anotherpassword"); | |||
| server = createEchoServer(securityProtocol); | |||
| JaasUtils.allowDefaultJaasAndCustomJass(); | |||
There was a problem hiding this comment.
it does not add any other modules, so do we really need it?
There was a problem hiding this comment.
This test case reports an error. It may be that a change to the default configuration caused the jaas tested to be rejected.
So I add this line
| @@ -74,6 +75,7 @@ public void setup() throws Exception { | |||
| credentialCache = new CredentialCache(); | |||
| SaslAuthenticatorTest.TestLogin.loginCount.set(0); | |||
| startTimeMs = time.milliseconds(); | |||
| JaasUtils.allowDefaultJaasAndCustomJass(); | |||
| @@ -70,7 +70,6 @@ class SaslSslAdminIntegrationTest extends BaseAdminIntegrationTest with SaslSetu | |||
| this.serverConfig.setProperty(DelegationTokenManagerConfigs.DELEGATION_TOKEN_SECRET_KEY_CONFIG, secretKey) | |||
| this.serverConfig.setProperty(DelegationTokenManagerConfigs.DELEGATION_TOKEN_EXPIRY_TIME_MS_CONFIG, Long.MaxValue.toString) | |||
| this.serverConfig.setProperty(DelegationTokenManagerConfigs.DELEGATION_TOKEN_MAX_LIFETIME_CONFIG, Long.MaxValue.toString) | |||
|
|
|||
There was a problem hiding this comment.
please revert unrelated change
| @@ -46,7 +46,6 @@ abstract class SaslEndToEndAuthorizationTest extends EndToEndAuthorizationTest { | |||
| producerConfig.put(SaslConfigs.SASL_JAAS_CONFIG, clientLoginContext) | |||
| consumerConfig.put(SaslConfigs.SASL_JAAS_CONFIG, clientLoginContext) | |||
| adminClientConfig.put(SaslConfigs.SASL_JAAS_CONFIG, clientLoginContext) | |||
|
|
|||
|
@chia7712 PTAL |
| @@ -68,11 +70,13 @@ public void tearDown() throws Exception { | |||
|
|
|||
| @Test | |||
| public void testConfigNoOptions() throws Exception { | |||
| System.setProperty(ALLOWED_LOGIN_MODULES_CONFIG, "test.testConfigNoOptions"); | |||
There was a problem hiding this comment.
Adding this change means we break some compatibility ...
- print warning message if users define the
org.apache.kafka.disallowed.login.modules - adopt the
org.apache.kafka.allowed.login.modulesif it is existent - evaluate the modules according to
DISALLOWED_LOGIN_MODULES_DEFAULT
Additionally, we should open a jira for 5.0 to add ALLOWED_LOGIN_MODULES_DEFAULT
WDYT?
|
@chia7712 PTAL |
| private JaasUtils() {} | ||
| private JaasUtils() { | ||
| } |
There was a problem hiding this comment.
Please revert unrelated this change.
| @@ -16,13 +16,17 @@ | |||
| */ | |||
| package org.apache.kafka.common.security; | |||
|
|
|||
|
|
|||
| } | ||
| String loginModuleName = appConfigurationEntry.getLoginModuleName().trim(); | ||
| String allowedProperty = System.getProperty(ALLOWED_LOGIN_MODULES_CONFIG); | ||
| if (allowedProperty != null) { |
There was a problem hiding this comment.
Should we need to consider a case if a module in disallow and allow at same time?
Maybe it will happen in the meantime.
There was a problem hiding this comment.
The new logic is to prioritize "allow", right?
There was a problem hiding this comment.
@gongxuanzhang thanks for this patch. overall LGTM, and could you please add this change to upgrade.html?
Also ping @showuon @mumrah @mimaison - after merging this PR, we can file a ticket for 5.0 to remove disallowed list
|
@chia7712 PTAL |
Fix https://issues.apache.org/jira/browse/KAFKA-18627 and update same test case