KAFKA-17921: Support SASL_PLAINTEXT protocol with java.security.auth.login.config#17671
KAFKA-17921: Support SASL_PLAINTEXT protocol with java.security.auth.login.config#17671chia7712 merged 3 commits intoapache:trunkfrom
Conversation
FrankYang0529
force-pushed
the
KAFKA-17921
branch
2 times, most recently
from
7490314 to
3d304c4
Compare
FrankYang0529
force-pushed
the
KAFKA-17921
branch
from
3d304c4 to
fd8f47b
Compare
FrankYang0529
force-pushed
the
KAFKA-17921
branch
2 times, most recently
from
535eedb to
ee1d321
Compare
FrankYang0529
force-pushed
the
KAFKA-17921
branch
2 times, most recently
from
c8ddc37 to
e205bb8
Compare
FrankYang0529
force-pushed
the
KAFKA-17921
branch
from
e205bb8 to
cefdcde
Compare
chia7712
left a comment
chia7712
left a comment
There was a problem hiding this comment.
@FrankYang0529 thanks for this patch
| import java.util.Map; | ||
| import java.util.stream.Collectors; | ||
|
|
||
| public class JaasModule { |
There was a problem hiding this comment.
Is this duplicate to core JaasModule?
There was a problem hiding this comment.
Yes, this is duplicated. Original JaasModule is in core module. I think we can remove original one after we migrate all sasl test case to new framework. WDYT?
| waitForAllFutures(futureEntries); | ||
| futureEntries.clear(); | ||
| Utils.delete(baseDirectory); | ||
| if (jaasFile.isPresent()) { |
There was a problem hiding this comment.
Could you please use ifPresent instead?
|
|
||
| import javax.security.auth.login.Configuration; | ||
|
|
||
| public class JaasTestUtils { |
There was a problem hiding this comment.
It is already in xxx.test package, maybe we can call it JaasUtils?
| public static final String KAFKA_PLAIN_ADMIN = "plain-admin"; | ||
| public static final String KAFKA_PLAIN_ADMIN_PASSWORD = "plain-admin-secret"; | ||
|
|
||
| public static File writeJaasContextsToFile(List<JaasSection> jaasSections) throws IOException { |
There was a problem hiding this comment.
Do we really need this object? How about using map? It is more simple
|
|
||
| private final Map<String, String> entries; | ||
|
|
||
| private JaasModule(String name, boolean debug, Map<String, String> entries) { |
There was a problem hiding this comment.
Could you please try to use record class?
| configs.put(SaslConfigs.SASL_JAAS_CONFIG, | ||
| String.format("org.apache.kafka.common.security.plain.PlainLoginModule required username=\"%s\" password=\"%s\";", | ||
| JaasTestUtils.KAFKA_PLAIN_USER1, JaasTestUtils.KAFKA_PLAIN_USER1_PASSWORD)); | ||
| try (Admin admin = clusterInstance.admin(configs)) { |
There was a problem hiding this comment.
Those helper should return authorized client object, right? Otherwise, developers have to configure them manually
FrankYang0529
force-pushed
the
KAFKA-17921
branch
2 times, most recently
from
7e4b4a6 to
c9ea0ad
Compare
chia7712
left a comment
chia7712
left a comment
There was a problem hiding this comment.
@FrankYang0529 thanks for this patch. two minor comments are left PTAL
| assertDoesNotThrow(() -> admin.describeAcls(AclBindingFilter.ANY).values().get()); | ||
| } | ||
| String topic = "sasl-plaintext-topic"; | ||
| Assertions.assertDoesNotThrow(() -> clusterInstance.createTopic(topic, 1, (short) 1)); |
There was a problem hiding this comment.
Since the APIs in question only throw runtime exceptions, there's no need to use assertDoesNotThrow, which is typically employed to convert checked exceptions into runtime exceptions.
| } | ||
|
|
||
| // client with non-admin credentials | ||
| Map<String, Object> nonAdminConfig = Map.of( |
There was a problem hiding this comment.
the helper methods of clusterInstance should be able configure the sasl.jaas.config automatically - that is why we add those helper to clusterInstance
There was a problem hiding this comment.
Hi @chia7712, thanks for the review. Yes, we already set default user to admin, consumer, and producer helper function automatically. Here, we would like to test developer overrides sasl.jaas.config with non-admin credentials. We also test overriding with unknown credential, so we can make sure the cluster instance with sasl plaintext works.
FrankYang0529
force-pushed
the
KAFKA-17921
branch
from
c9ea0ad to
dacb066
Compare
|
Hi @chia7712, thanks for the review. I addressed all comments. Could you review it when you have time? Thank you. |
chia7712
left a comment
chia7712
left a comment
There was a problem hiding this comment.
@FrankYang0529 thanks for this patch! it is great to see our new test infra has such support
| public static final String KAFKA_PLAIN_ADMIN = "plain-admin"; | ||
| public static final String KAFKA_PLAIN_ADMIN_PASSWORD = "plain-admin-secret"; | ||
|
|
||
| public static File writeJaasContextsToFile(Map<String, JaasSection> jaasSections) throws IOException { |
There was a problem hiding this comment.
It seems we don't use the key, so maybe we can change the collection from Map to Set?
| futureEntries.clear(); | ||
| Utils.delete(baseDirectory); | ||
| jaasFile.ifPresent(f -> { | ||
| try { |
There was a problem hiding this comment.
To enhance readability, we should explore alternatives to nested try-catch blocks, even if it involves using a more traditional coding style. for example: if (jaasFile.isPresent()) Utils.delete(jaasFile.get());
| @ClusterTest( | ||
| types = {Type.KRAFT, Type.CO_KRAFT}, | ||
| brokerSecurityProtocol = SecurityProtocol.SASL_PLAINTEXT, | ||
| controllerSecurityProtocol = SecurityProtocol.SASL_PLAINTEXT, |
There was a problem hiding this comment.
Do we support the SASL_PLAINTEXT on controller? If not, could you please remove this config and open a jira for it?
There was a problem hiding this comment.
Yes, we already support it in this PR. I update KafkaClusterTestKit.Builder#createNodeConfig to respect controllerSecurityProtocol setting.
…login.config Signed-off-by: PoAn Yang <payang@apache.org>
| // reduce log cleaner offset map memory usage | ||
| props.putIfAbsent(CleanerConfig.LOG_CLEANER_DEDUPE_BUFFER_SIZE_PROP, "2097152"); | ||
|
|
||
| if (brokerSecurityProtocol.equals(SecurityProtocol.SASL_PLAINTEXT.name)) { |
There was a problem hiding this comment.
it seems we set security for both controller and broker based on the brokerSecurityProtocol, right? if so, that is weird to me as we totally ignore controllerSecurityProtocol ...
Signed-off-by: PoAn Yang <payang@apache.org>
FrankYang0529
force-pushed
the
KAFKA-17921
branch
from
dacb066 to
9020816
Compare
Signed-off-by: PoAn Yang <payang@apache.org>
| ExecutionException.class, | ||
| () -> admin.describeAcls(AclBindingFilter.ANY, new DescribeAclsOptions().timeoutMs(5000)).values().get() | ||
| ); | ||
| assertInstanceOf(TimeoutException.class, exception.getCause()); |
There was a problem hiding this comment.
I open https://issues.apache.org/jira/browse/KAFKA-18440 to fix it. please feel free to take over the jira if you have free cycle
There was a problem hiding this comment.
Thanks for review. I will handle it.
|
The failed tests are unrelated and they pass on my local |
…ogin.config (#17671) Reviewers: Chia-Ping Tsai <chia7712@gmail.com>
…og-compaction-write-record-v2 * apache-github/trunk: (34 commits) MINOR: Bump year to 2025 in NOTICE file (apache#18427) KAFKA-18411 Remove ZkProducerIdManager (apache#18413) KAFKA-18408 tweak the 'tag' field for BrokerHeartbeatRequest.json, BrokerRegistrationChangeRecord.json and RegisterBrokerRecord.json (apache#18421) KAFKA-18414 Remove KRaftRegistrationResult (apache#18401) KAFKA-17921 Support SASL_PLAINTEXT protocol with java.security.auth.login.config (apache#17671) KAFKA-18384 Remove ZkAlterPartitionManager (apache#18364) KAFKA-10790: Add deadlock detection to producer#flush (apache#17946) KAFKA-18412: Remove EmbeddedZookeeper (apache#18399) MINOR : Improve Exception log in NotEnoughReplicasException(apache#12394) MINOR: Improve PlaintextAdminIntegrationTest#testConsumerGroups (apache#18409) MINOR: Remove unused local variable (apache#18410) MINOR: Remove RaftManager.maybeDeleteMetadataLogDir and AutoTopicCreationManagerTest.scala (apache#17365) KAFKA-18368 Remove TestUtils#MockZkConnect and remove zkConnect from TestUtils#createBrokerConfig (apache#18352) MINOR: Update Consumer group timeout default to 30 sec (apache#16406) MINOR: Fix typo in CommitRequestManager (apache#18407) MINOR: cleanup JavaDocs for deprecation warnings (apache#18402) KAFKA-18303; Update ShareCoordinator to use new record format (apache#18396) MINOR: Update Consumer and Producer JavaDocs for committing offsets (apache#18336) KAFKA-16446: Improve controller event duration logging (apache#15622) KAFKA-18388 test-kraft-server-start.sh should use log4j2.yaml (apache#18370) ...
…ogin.config (apache#17671) Reviewers: Chia-Ping Tsai <chia7712@gmail.com>
…ogin.config (apache#17671) Reviewers: Chia-Ping Tsai <chia7712@gmail.com>
2 participants
Support SASL_PLAINTEXT protocol in ClusterTest framework.
Committer Checklist (excluded from commit message)