KAFKA-1686: Implement SASL/Kerberos. #191
Changes from all commits
82737e5
a3417d7
8f718ce
aa92895
f178107
71b6fdb
9d260c6
5723dd2
8cf30d0
2596c4a
2919bc3
9ed1a26
2d2fcec
6a13667
32ab6f4
58064b4
dc05e07
9e6ba51
fc40c98
e80cad9
1d53bce
e637120
a3bd8d2
6dea484
d5768c8
37980d7
ae430be
190fe86
06353e4
ba29a43
592c52c
2fc9708
da60654
70d34b3
03f6c08
cd26542
1885fdb
3f26fd3
f12eefa
b889f5d
6015ab6
b121710
538b6eb
80949b4
7ce068c
0a1678e
a7cb82c
e94fe3e
1152125
86559f2
73614aa
cffc5e8
699da1a
47fee85
a2a7b88
cdb8b86
9f911dd
15cf778
b6f408a
356f2f7
b74a5d2
9464c7a
5f3009f
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| /** | ||
| * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE | ||
| * file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file | ||
| * to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the | ||
| * License. You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on | ||
| * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the | ||
| * specific language governing permissions and limitations under the License. | ||
| */ | ||
|
|
||
| package org.apache.kafka.common.config; | ||
|
|
||
| import java.util.Collections; | ||
| import java.util.List; | ||
|
|
||
| public class SaslConfigs { | ||
| /* | ||
| * NOTE: DO NOT CHANGE EITHER CONFIG NAMES AS THESE ARE PART OF THE PUBLIC API AND CHANGE WILL BREAK USER CODE. | ||
| */ | ||
|
|
||
| public static final String SASL_KAFKA_SERVER_REALM = "sasl.kafka.server.realm"; | ||
|
Member
@harshach, this is not actually used at the moment. Can you please point me to where it should be used and I can quickly address it?
||
| public static final String SASL_KAFKA_SERVER_DOC = "The sasl kafka server realm. " | ||
| + "Default will be from kafka jaas config"; | ||
|
|
||
| public static final String SASL_KERBEROS_SERVICE_NAME = "sasl.kerberos.service.name"; | ||
| public static final String SASL_KERBEROS_SERVICE_NAME_DOC = "The Kerberos principal name that Kafka runs as. " | ||
| + "This can be defined either in the JAAS config or in the Kakfa config."; | ||
|
|
||
| public static final String SASL_KERBEROS_KINIT_CMD = "sasl.kerberos.kinit.cmd"; | ||
| public static final String SASL_KERBEROS_KINIT_CMD_DOC = "Kerberos kinit command path. " | ||
| + "Default will be /usr/bin/kinit"; | ||
| public static final String DEFAULT_KERBEROS_KINIT_CMD = "/usr/bin/kinit"; | ||
|
Contributor
Should we specify those through the Kafka config file or just the JAAS config file? It seems that the latter is more natural, since it consolidates all SASL-related stuff in one file?
Author
The JAAS config is a special file in that it needs a different syntax, like the sections that we define. So it should only need to have login details like keytab files, not Kafka-specific configs.
||
|
|
||
| public static final String SASL_KERBEROS_TICKET_RENEW_WINDOW_FACTOR = "sasl.kerberos.ticket.renew.window.factor"; | ||
| public static final String SASL_KERBEROS_TICKET_RENEW_WINDOW_FACTOR_DOC = "LoginThread will sleep until specified window factor of time from last refresh" | ||
| + " to ticket's expiry has been reached, at which time it will wake and try to renew the ticket."; | ||
| public static final double DEFAULT_KERBEROS_TICKET_RENEW_WINDOW_FACTOR = 0.80; | ||
|
|
||
| public static final String SASL_KERBEROS_TICKET_RENEW_JITTER = "sasl.kerberos.ticket.renew.jitter"; | ||
| public static final String SASL_KERBEROS_TICKET_RENEW_JITTER_DOC = "Percentage of random jitter added to the renewal time"; | ||
| public static final double DEFAULT_KERBEROS_TICKET_RENEW_JITTER = 0.05; | ||
|
|
||
| public static final String SASL_KERBEROS_MIN_TIME_BEFORE_RELOGIN = "sasl.kerberos.min.time.before.relogin"; | ||
| public static final String SASL_KERBEROS_MIN_TIME_BEFORE_RELOGIN_DOC = "LoginThread sleep time between refresh attempts"; | ||
| public static final long DEFAULT_KERBEROS_MIN_TIME_BEFORE_RELOGIN = 1 * 60 * 1000L; | ||
|
|
||
| public static final String AUTH_TO_LOCAL = "kafka.security.auth.to.local"; | ||
| public static final String AUTH_TO_LOCAL_DOC = "Rules for the mapping between principal names and operating system user names"; | ||
| public static final List<String> DEFAULT_AUTH_TO_LOCAL = Collections.singletonList("DEFAULT"); | ||
|
|
||
| } | ||
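Review bot: the doc strings in this hunk need a pass before they are frozen as public API text: `SASL_KERBEROS_SERVICE_NAME_DOC` misspells Kafka as "Kakfa", `SASL_KERBEROS_TICKET_RENEW_JITTER_DOC` says "Percentage" while the default `DEFAULT_KERBEROS_TICKET_RENEW_JITTER = 0.05` is a fraction, and `SASL_KAFKA_SERVER_DOC` does not follow the `<NAME>_DOC` naming used by every other constant here. Per the thread above, `SASL_KAFKA_SERVER_REALM` is not read anywhere yet, so it should be wired up or dropped before the NOTE comment (which should say "ANY" rather than "EITHER") locks it in. `SASL_KERBEROS_KINIT_CMD` is a path that gets executed as a process, so its doc should state that it must be an absolute path and that the config file carrying it must not be writable by untrusted users. Also, `AUTH_TO_LOCAL = "kafka.security.auth.to.local"` is the only key in the class without the `sasl.` prefix, which looks unintentional.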
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| /** | ||
| * Licensed to the Apache Software Foundation (ASF) under one or more | ||
| * contributor license agreements. See the NOTICE file distributed with | ||
| * this work for additional information regarding copyright ownership. | ||
| * The ASF licenses this file to You under the Apache License, Version 2.0 | ||
| * (the "License"); you may not use this file except in compliance with | ||
| * the License. You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.apache.kafka.common.network; | ||
|
|
||
| import org.apache.kafka.common.security.JaasUtils; | ||
|
|
||
| /** | ||
| * The type of the login context, it should be SERVER for the broker and CLIENT for the clients (i.e. consumer and | ||
| * producer). It provides the the login context name which defines the section of the JAAS configuration file to be used | ||
| * for login. | ||
| */ | ||
| public enum LoginType { | ||
| CLIENT(JaasUtils.LOGIN_CONTEXT_CLIENT), | ||
| SERVER(JaasUtils.LOGIN_CONTEXT_SERVER); | ||
|
|
||
| private final String contextName; | ||
|
|
||
| LoginType(String contextName) { | ||
| this.contextName = contextName; | ||
| } | ||
|
|
||
| public String contextName() { | ||
| return contextName; | ||
| } | ||
| } |
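Review bot: `LoginType` and the `Mode` enum added elsewhere in this PR both enumerate `CLIENT` and `SERVER`, so a reader of this hunk cannot tell when to use which; the Javadoc should say how the two relate (for instance that `LoginType` only selects the JAAS login section named by `JaasUtils.LOGIN_CONTEXT_CLIENT` / `LOGIN_CONTEXT_SERVER`), or one should be derived from the other rather than kept as parallel enums. Minor: the Javadoc reads "provides the the login context name" (doubled "the").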
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| /** | ||
| * Licensed to the Apache Software Foundation (ASF) under one or more | ||
| * contributor license agreements. See the NOTICE file distributed with | ||
| * this work for additional information regarding copyright ownership. | ||
| * The ASF licenses this file to You under the Apache License, Version 2.0 | ||
| * (the "License"); you may not use this file except in compliance with | ||
| * the License. You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.apache.kafka.common.network; | ||
|
|
||
| public enum Mode { CLIENT, SERVER }; |
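Review bot: `public enum Mode { CLIENT, SERVER };` has no Javadoc and a stray trailing semicolon after the closing brace. Since `LoginType` in this PR carries the same two values, a one-line comment stating what `Mode` selects and why it is separate from `LoginType` would keep the two from being confused, and the `;` should be dropped.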
Could you add a comment on why we need to exclude this?
I added a comment explaining this in my latest PR.