This is an automated email from the ASF dual-hosted git repository.
chia7712 pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/trunk by this push:
new b8fc96272e7 KAFKA-18627 Deprecated
"org.apache.kafka.disallowed.login.modules" (#18683)
b8fc96272e7 is described below
commit b8fc96272e746c4d180ad278a86a565dccefc8f7
Author: Xuan-Zhang Gong <[email protected]>
AuthorDate: Wed Jun 18 23:05:30 2025 +0800
KAFKA-18627 Deprecated "org.apache.kafka.disallowed.login.modules" (#18683)
Fix https://issues.apache.org/jira/browse/KAFKA-18627 and update the corresponding
test case
[KIP-link](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=340037077)
⚠️ This PR cannot be merged at the moment because KIPs for version 4.1
are already frozen. It will need to wait for version 4.2.
update upgrade.html

add configuration doc

Reviewers: TaiJuWu <[email protected]>, Ken Huang <[email protected]>,
Luke Chen <[email protected]>, Chia-Ping Tsai <[email protected]>
---
.../apache/kafka/common/security/JaasContext.java | 35 ++++++++++++++++----
.../apache/kafka/common/security/JaasUtils.java | 3 ++
.../kafka/common/security/JaasContextTest.java | 37 +++++++++++++++++++++-
docs/configuration.html | 18 +++++++++--
docs/upgrade.html | 14 +++++++-
5 files changed, 96 insertions(+), 11 deletions(-)
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/JaasContext.java
b/clients/src/main/java/org/apache/kafka/common/security/JaasContext.java
index 029b6881fdb..865762c5c36 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/JaasContext.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/JaasContext.java
@@ -33,6 +33,7 @@ import java.util.stream.Collectors;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
+import static
org.apache.kafka.common.security.JaasUtils.ALLOWED_LOGIN_MODULES_CONFIG;
import static
org.apache.kafka.common.security.JaasUtils.DISALLOWED_LOGIN_MODULES_CONFIG;
import static
org.apache.kafka.common.security.JaasUtils.DISALLOWED_LOGIN_MODULES_DEFAULT;
@@ -103,15 +104,37 @@ public class JaasContext {
return defaultContext(contextType, listenerContextName,
globalContextName);
}
- private static void throwIfLoginModuleIsNotAllowed(AppConfigurationEntry
appConfigurationEntry) {
- Set<String> disallowedLoginModuleList = Arrays.stream(
- System.getProperty(DISALLOWED_LOGIN_MODULES_CONFIG,
DISALLOWED_LOGIN_MODULES_DEFAULT).split(","))
+ @SuppressWarnings("deprecation")
+ // Visible for testing
+ static void throwIfLoginModuleIsNotAllowed(AppConfigurationEntry
appConfigurationEntry) {
+ String disallowedProperty =
System.getProperty(DISALLOWED_LOGIN_MODULES_CONFIG);
+ if (disallowedProperty != null) {
+ LOG.warn("System property '{}' is deprecated and will be removed
in a future release. Use '{}' instead.",
+ DISALLOWED_LOGIN_MODULES_CONFIG,
ALLOWED_LOGIN_MODULES_CONFIG);
+ }
+ String loginModuleName =
appConfigurationEntry.getLoginModuleName().trim();
+ String allowedProperty =
System.getProperty(ALLOWED_LOGIN_MODULES_CONFIG);
+ if (allowedProperty != null) {
+ Set<String> allowedLoginModuleList =
Arrays.stream(allowedProperty.split(","))
+ .map(String::trim)
+ .collect(Collectors.toSet());
+ if (!allowedLoginModuleList.contains(loginModuleName)) {
+ throw new IllegalArgumentException(loginModuleName + " is not
allowed. Update System property '"
+ + ALLOWED_LOGIN_MODULES_CONFIG + "' to allow " +
loginModuleName);
+ }
+ return;
+ }
+ if (disallowedProperty == null) {
+ disallowedProperty = DISALLOWED_LOGIN_MODULES_DEFAULT;
+ }
+ Set<String> disallowedLoginModuleList =
Arrays.stream(disallowedProperty.split(","))
.map(String::trim)
.collect(Collectors.toSet());
- String loginModuleName =
appConfigurationEntry.getLoginModuleName().trim();
if (disallowedLoginModuleList.contains(loginModuleName)) {
- throw new IllegalArgumentException(loginModuleName + " is not
allowed. Update System property '"
- + DISALLOWED_LOGIN_MODULES_CONFIG + "' to allow " +
loginModuleName);
+ throw new IllegalArgumentException(loginModuleName + " is not
allowed. "
+ + "The system property '" + DISALLOWED_LOGIN_MODULES_CONFIG +
"' is deprecated. "
+ + "Use the " + ALLOWED_LOGIN_MODULES_CONFIG + " to allow this
module. e.g.,"
+ + "-D" + ALLOWED_LOGIN_MODULES_CONFIG + "=" + loginModuleName);
}
}
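Review bot: The rebuilt exception message at the bottom of the hunk concatenates `"module. e.g.,"` directly with `"-D"`, so the hint renders as `e.g.,-Dorg.apache.kafka.allowed.login.modules=...` with no separating space, and `"Use the " + ALLOWED_LOGIN_MODULES_CONFIG + " to allow"` reads as "Use the org.apache… to allow"; change those two fragments to `+ "Use the system property '" + ALLOWED_LOGIN_MODULES_CONFIG + "' to allow this module, e.g., "` and `+ "-D" + ALLOWED_LOGIN_MODULES_CONFIG + "=" + loginModuleName);`. The new test only asserts the `' is deprecated.` fragment of this message, so the formatting slip would likely go unnoticed. Separately, the `LOG.warn` at the top of the method fires on every invocation while the deprecated property is set, and since this method runs for each configuration entry on each JAAS context load the same warning will be repeated; consider guarding it so it is emitted once per JVM. Minor style: the `// Visible for testing` comment sits between `@SuppressWarnings("deprecation")` and the signature, where it conventionally belongs above the annotation.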
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java
b/clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java
index cfbca0c6d61..16c25d06c1a 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java
@@ -18,7 +18,10 @@ package org.apache.kafka.common.security;
public final class JaasUtils {
public static final String JAVA_LOGIN_CONFIG_PARAM =
"java.security.auth.login.config";
+ @Deprecated(since = "4.2")
public static final String DISALLOWED_LOGIN_MODULES_CONFIG =
"org.apache.kafka.disallowed.login.modules";
+ public static final String ALLOWED_LOGIN_MODULES_CONFIG =
"org.apache.kafka.allowed.login.modules";
+ @Deprecated(since = "4.2")
public static final String DISALLOWED_LOGIN_MODULES_DEFAULT =
"com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule";
public static final String SERVICE_NAME = "serviceName";
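Review bot: `ALLOWED_LOGIN_MODULES_CONFIG` is introduced without any Javadoc, and the two `@Deprecated(since = "4.2")` annotations carry no `@deprecated` Javadoc tag naming the replacement, so a javadoc or IDE reader sees the deprecation but not what to migrate to. I would add above the new constant a comment stating that it names a system property holding a comma-separated allow-list of login module class names which, when set, is checked instead of the disallowed list, and above each deprecated constant `/** @deprecated since 4.2, use {@link #ALLOWED_LOGIN_MODULES_CONFIG} instead. */`. `DISALLOWED_LOGIN_MODULES_DEFAULT` is still the fallback JaasContext applies when neither property is set, which the `@deprecated` text could mention so the constant is not removed ahead of that code path.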
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java
b/clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java
index 59b08fc1476..760b1afc41f 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java
@@ -39,10 +39,12 @@ import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
+import static
org.apache.kafka.common.security.JaasContext.throwIfLoginModuleIsNotAllowed;
import static
org.apache.kafka.common.security.JaasUtils.DISALLOWED_LOGIN_MODULES_CONFIG;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.fail;
/**
@@ -224,7 +226,7 @@ public class JaasContextTest {
"SOME-MECHANISM", Collections.emptyMap()));
- //Remove default value for org.apache.kafka.disallowed.login.modules
+ // clear disallowed login modules
System.setProperty(DISALLOWED_LOGIN_MODULES_CONFIG, "");
checkConfiguration("com.sun.security.auth.module.JndiLoginModule",
LoginModuleControlFlag.REQUIRED, new HashMap<>());
@@ -252,6 +254,39 @@ public class JaasContextTest {
checkEntry(context.configurationEntries().get(0),
"com.sun.security.auth.module.LdapLoginModule",
LoginModuleControlFlag.REQUISITE, Collections.emptyMap());
}
+
+ @Test
+ void testAllowedLoginModulesSystemProperty() {
+ AppConfigurationEntry ldap = new AppConfigurationEntry(
+ "com.ibm.security.auth.module.LdapLoginModule",
+ AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
+ Map.of()
+ );
+ AppConfigurationEntry jndi = new AppConfigurationEntry(
+ "com.sun.security.auth.module.JndiLoginModule",
+ AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
+ Map.of()
+ );
+ // default
+ throwIfLoginModuleIsNotAllowed(ldap);
+
+ // set allowed list, but not set disallowed list
+ System.setProperty(JaasUtils.ALLOWED_LOGIN_MODULES_CONFIG,
"com.ibm.security.auth.module.LdapLoginModule");
+ throwIfLoginModuleIsNotAllowed(ldap);
+ assertThrows(IllegalArgumentException.class, () ->
throwIfLoginModuleIsNotAllowed(jndi));
+
+ // set both allowed list and disallowed list
+ System.setProperty(JaasUtils.DISALLOWED_LOGIN_MODULES_CONFIG,
"com.ibm.security.auth.module.LdapLoginModule");
+ throwIfLoginModuleIsNotAllowed(ldap);
+ assertThrows(IllegalArgumentException.class, () ->
throwIfLoginModuleIsNotAllowed(jndi));
+
+ // set disallowed list, but not set allowed list
+ System.clearProperty(JaasUtils.ALLOWED_LOGIN_MODULES_CONFIG);
+ IllegalArgumentException error =
assertThrows(IllegalArgumentException.class, () ->
throwIfLoginModuleIsNotAllowed(ldap));
+ // Ensure the exception message includes the deprecation warning for
the disallowed login modules config
+ assertTrue(error.getMessage().contains("The system property '" +
DISALLOWED_LOGIN_MODULES_CONFIG + "' is deprecated."));
+ throwIfLoginModuleIsNotAllowed(jndi);
+ }
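Review bot: `testAllowedLoginModulesSystemProperty` sets both `org.apache.kafka.allowed.login.modules` and `org.apache.kafka.disallowed.login.modules` via `System.setProperty` but finishes with the disallowed property still set to `com.ibm.security.auth.module.LdapLoginModule` and only the allowed property cleared, so JVM-wide state leaks into whichever test runs next — unless an `@AfterEach` outside the hunk resets both properties, which I cannot see from here. The opening `// default` call also presumes neither property is set when the test starts, which depends on test ordering given that another test in this class sets the disallowed property to `""`. Wrap the body in `try { ... } finally { System.clearProperty(JaasUtils.ALLOWED_LOGIN_MODULES_CONFIG); System.clearProperty(JaasUtils.DISALLOWED_LOGIN_MODULES_CONFIG); }` or move that cleanup to an `@AfterEach`. A case for an empty allow-list (`""`), which under the new `split(",")` handling rejects every module, would also be worth pinning since it is the strictest setting an operator can choose.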
@Test
public void testNumericOptionWithQuotes() throws Exception {
diff --git a/docs/configuration.html b/docs/configuration.html
index f6dcde9a106..f69df943e1a 100644
--- a/docs/configuration.html
+++ b/docs/configuration.html
@@ -276,14 +276,26 @@
</li>
<li>
<h4><a id="org.apache.kafka.disallowed.login.modules"></a><a
id="systemproperties_org.apache.kafka.disallowed.login.modules"
href="#systemproperties_org.apache.kafka.disallowed.login.modules">org.apache.kafka.disallowed.login.modules</a></h4>
- <p>This system property is used to disable the problematic login modules
usage in SASL JAAS configuration. This property accepts comma-separated list of
loginModule names. By default
<b>com.sun.security.auth.module.JndiLoginModule</b> loginModule is disabled.
- <p>If users want to enable JndiLoginModule, users need to explicitly
reset the system property like below. We advise the users to validate
configurations and only allow trusted JNDI configurations. For more details <a
href="https://kafka.apache.org/cve-list#CVE-2023-25194">CVE-2023-25194</a>.
+ <p>This system property is used to disable the problematic login modules
usage in SASL JAAS configuration. This property accepts comma-separated list of
loginModule names. By default
<b>com.sun.security.auth.module.JndiLoginModule</b> and
<b>com.sun.security.auth.module.LdapLoginModule</b> loginModule is disabled.
+ <p>If users want to enable JndiLoginModule or LdapLoginModule, users
need to explicitly reset the system property like below. We advise the users to
validate configurations and only allow trusted JNDI configurations. For more
details <a
href="https://kafka.apache.org/cve-list#CVE-2023-25194">CVE-2023-25194</a>.
<p><pre><code
class="language-bash">-Dorg.apache.kafka.disallowed.login.modules=</code></pre>
<p>To disable more loginModules, update the system property with
comma-separated loginModule names. Make sure to explicitly add
<b>JndiLoginModule</b> module name to the comma-separated list like below.
<p><pre><code
class="language-bash">-Dorg.apache.kafka.disallowed.login.modules=com.sun.security.auth.module.JndiLoginModule,com.ibm.security.auth.module.LdapLoginModule,com.ibm.security.auth.module.Krb5LoginModule</code></pre>
+ <p>The configuration is deprecated and will be removed in a future
release. Please use <b>org.apache.kafka.allowed.login.modules</b> instead.
<table><tbody>
<tr><th>Since:</th><td>3.4.0</td></tr>
- <tr><th>Default
Value:</th><td>com.sun.security.auth.module.JndiLoginModule</td></tr>
+ <tr><th>Deprecated:</th><td>4.2.0</td></tr>
+ <tr><th>Default
Value:</th><td>com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule</td></tr>
+ </tbody></table>
+ </li>
+ <li>
+ <h4><a id="org.apache.kafka.allowed.login.modules"></a><a
id="systemproperties_org.apache.kafka.allowed.login.modules"
href="#systemproperties_org.apache.kafka.allowed.login.modules">org.apache.kafka.allowed.login.modules</a></h4>
+ <p>This system property is used to explicitly allow specific login
modules in SASL JAAS configuration. It accepts a comma-separated list of login
module class names. This property provides a stricter, allowed-list-based
alternative to the deprecated
<code>org.apache.kafka.disallowed.login.modules</code> property.
+ It is recommended to use this property to improve the security of JAAS
configurations.
+ <p>If both properties are set,
<code>org.apache.kafka.allowed.login.modules</code> takes precedence.</p>
+ <table><tbody>
+ <tr><th>Since:</th><td>4.2.0</td></tr>
+ <tr><th>Default Value:</th></tr>
</tbody></table>
</li>
<li>
diff --git a/docs/upgrade.html b/docs/upgrade.html
index 1be3a20faa7..8194267e82f 100644
--- a/docs/upgrade.html
+++ b/docs/upgrade.html
@@ -19,10 +19,22 @@
<script id="upgrade-template" type="text/x-handlebars-template">
+<h4><a id="upgrade_4_2_0" href="#upgrade_4_2_0">Upgrading to 4.2.0</a></h4>
+
+<h5><a id="upgrade_4_2_0_from" href="#upgrade_4_2_0_from">Upgrading Servers to
4.2.0 from any version 3.3.x through 4.1.x</a></h5>
+
+<h5><a id="upgrade_420_notable" href="#upgrade_420_notable">Notable changes in
4.2.0</a></h5>
+<ul>
+ <li>The <code>org.apache.kafka.disallowed.login.modules</code> config was
deprecated. Please use the <code>org.apache.kafka.allowed.login.modules</code>
+ instead.
+ </li>
+</ul>
+
+
<h4><a id="upgrade_4_1_0" href="#upgrade_4_1_0">Upgrading to 4.1.0</a></h4>
<h5><a id="upgrade_4_1_0" href="#upgrade_4_1_0">Upgrading Servers to 4.1.0
from any version 3.3.x through 4.0.x</a></h5>
- <h6><a id="upgrade_410_notable" href="#upgrade_410_notable">Notable
changes in 4.1.0</a></h6>
+ <h5><a id="upgrade_410_notable" href="#upgrade_410_notable">Notable
changes in 4.1.0</a></h5>
<ul>
<li>
Apache Kafka 4.1 ships with a preview of Queues for Kafka (<a
href="https://cwiki.apache.org/confluence/x/4hA0Dw">KIP-932</a>). This feature
introduces a new kind of group called