Manikumar created KAFKA-8860:
--------------------------------
Summary: SslPrincipalMapper should handle distinguished names with spaces
Key: KAFKA-8860
URL: https://issues.apache.org/jira/browse/KAFKA-8860
Project: Kafka
Issue Type: Bug
Reporter: Manikumar
This Jira is to track the issue reported by
[[email protected]|mailto:[email protected]] in PR
[#7140|https://github.com/apache/kafka/pull/7140].
PR [#6099|https://github.com/apache/kafka/pull/6099] tried to undo the
splitting of the {{ssl.principal.mapper.rules}}
[list|https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/KafkaConfig.scala#L1054]
on [comma with
whitespace|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L78]
by [sophisticated
rejoining|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42]
of the split list using a comma as separator. However, since possibly
surrounding whitespace is not reconstructed, this approach fails in general.
Consider the following test case:
{code:java}
@Test
public void testCommaWithWhitespace() throws Exception {
    String value = "RULE:^CN=((\\\\, *|\\w)+)(,.*|$)/$1/,DEFAULT";

    @SuppressWarnings("unchecked")
    List<String> rules = (List<String>) ConfigDef.parseType("ssl.principal.mapper.rules", value, Type.LIST);

    SslPrincipalMapper mapper = SslPrincipalMapper.fromRules(rules);
    assertEquals("Tkac\\, Adam", mapper.getName("CN=Tkac\\, Adam,OU=ITZ,DC=geodis,DC=cz"));
}
{code}
The space after the escaped comma is
[essential|https://sogo.nu/bugs/view.php?id=2152]. Unfortunately, it has
disappeared after splitting and rejoining.
Moreover, in
[{{joinSplitRules}}|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42]
the decision to rejoin list elements is based on local information only, which
might not be sufficient. It works for
{{"RULE:^CN=([^,ADEFLTU,]+)(,.*|$)/$1/"}} but fails for the _equivalent_
regular expression {{"RULE:^CN=([^,DEFAULT,])(,.*|$)/$1/"}}.
The approach of the current PR is to change the type of the
{{ssl.principal.mapper.rules}} attribute from
[LIST|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781]
to
[STRING|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781]
and to delegate the splitting of the rules to the
[SslPrincipalMapper|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java].
It knows about the structure of the rules and can perform the splitting
based on context.
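
An added illustration of the test case above (not code from the Kafka project or the PR): it models the LIST parsing as a split on comma with surrounding whitespace followed by a bare-comma rejoin, then applies the rule's regex before and after. {{splitAndRejoin}}, {{ruleRegex}} and {{mapName}} are hypothetical helpers, and {{mapName}} is a simplified stand-in for the mapper's rule application.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SplitRejoinDemo {
    // Assumption: models the LIST-type parsing as a split on comma with surrounding whitespace.
    private static final Pattern COMMA_WITH_WHITESPACE = Pattern.compile("\\s*,\\s*");

    // Split the way a LIST-typed config value is split, then rejoin with a bare comma.
    static String splitAndRejoin(String value) {
        return String.join(",", COMMA_WITH_WHITESPACE.split(value.trim(), -1));
    }

    // Hypothetical helper: extract <regex> from "RULE:<regex>/$1/...".
    static String ruleRegex(String rules) {
        int start = rules.indexOf("RULE:") + "RULE:".length();
        return rules.substring(start, rules.indexOf("/$1/", start));
    }

    // Simplified stand-in for rule application: full match, return group 1, null if no match.
    static String mapName(String regex, String dn) {
        Matcher m = Pattern.compile(regex).matcher(dn);
        return m.matches() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        // Same rule string and distinguished name as the test case in this issue.
        String value = "RULE:^CN=((\\\\, *|\\w)+)(,.*|$)/$1/,DEFAULT";
        String dn = "CN=Tkac\\, Adam,OU=ITZ,DC=geodis,DC=cz";

        String rejoined = splitAndRejoin(value);
        System.out.println("configured: " + value);
        System.out.println("rejoined:   " + rejoined);
        System.out.println("configured rule maps to: " + mapName(ruleRegex(value), dn));
        System.out.println("rejoined rule maps to:   " + mapName(ruleRegex(rejoined), dn));
    }
}
```

The rejoined rule still matches the distinguished name but captures a shorter name, so the mapped principal changes silently instead of the rule failing to match.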