[
https://issues.apache.org/jira/browse/KAFKA-8860?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Manikumar resolved KAFKA-8860.
------------------------------
Resolution: Fixed
Issue resolved by pull request 7140
[https://github.com/apache/kafka/pull/7140]
> SslPrincipalMapper should handle distinguished names with spaces
> ----------------------------------------------------------------
>
> Key: KAFKA-8860
> URL: https://issues.apache.org/jira/browse/KAFKA-8860
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 2.2.0
> Reporter: Manikumar
> Priority: Major
> Fix For: 2.4.0
>
>
> This Jira is to track the issue reported by
> [[email protected]|mailto:[email protected]] in PR
> [#7140|https://github.com/apache/kafka/pull/7140].
> PR [#6099|https://github.com/apache/kafka/pull/6099] tried to undo the
> splitting of the {{ssl.principal.mapper.rules}}
> [list|https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/KafkaConfig.scala#L1054]
> on [comma with
> whitespace|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L78]
> by [sophisticated
> rejoining|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42]
> of the split list using a comma as separator. However, since possibly
> surrounding whitespace is not reconstructed, this approach fails in general.
> Consider the following test case:
> {code:java}
> @Test
> public void testCommaWithWhitespace() throws Exception {
>     String value = "RULE:^CN=((\\\\, *|\\w)+)(,.*|$)/$1/,DEFAULT";
>     @SuppressWarnings("unchecked")
>     List<String> rules = (List<String>)
>         ConfigDef.parseType("ssl.principal.mapper.rules", value, Type.LIST);
>     SslPrincipalMapper mapper = SslPrincipalMapper.fromRules(rules);
>     // The space after the escaped comma must survive in the mapped name.
>     assertEquals("Tkac\\, Adam", mapper.getName("CN=Tkac\\, Adam,OU=ITZ,DC=geodis,DC=cz"));
> }
> {code}
> The space after the escaped comma is
> [essential|https://sogo.nu/bugs/view.php?id=2152]. Unfortunately, it has
> disappeared after splitting and rejoining.
> Moreover, in
> [{{joinSplitRules}}|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42]
> the decision to rejoin list elements is based on local information only
> which might not be sufficient. It works for
> {quote}"RULE:^CN=([^,ADEFLTU,]+)(,.*|$)/$1/"{quote} but fails for the
> _equivalent_ regular expression
> {quote}"RULE:^CN=([^,DEFAULT,]+)(,.*|$)/$1/"{quote}
> The approach of the current PR is to change the type of the
> {{ssl.principal.mapper.rules}} attribute from
> [LIST|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781]
> to
> [STRING|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781]
> and to delegate the splitting of the rules to the
> [SslPrincipalMapper|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java].
> It knows about the structure of the rules and can perform the splitting
> context-based.
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
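
The two failure modes described in the issue, as an added example that is not Kafka's code or part of the original message. It assumes LIST values are split on commas with surrounding whitespace and rejoined with a bare comma, starting a new rule only at an element that begins with `RULE:` or equals `DEFAULT`; the class and method names are hypothetical.

```java
import java.util.*;
import java.util.regex.*;

// Added illustration: a simplified model of the split/rejoin described above, not Kafka's code.
public class PrincipalRuleSplitDemo {
    // Assumption: LIST-typed configs are split on commas with surrounding whitespace.
    static final Pattern COMMA_WS = Pattern.compile("\\s*,\\s*");

    // Split like a LIST config, then rejoin with a bare comma. A new rule starts only at
    // an element that begins with "RULE:" or equals "DEFAULT" (the "local information").
    static List<String> splitAndRejoin(String value) {
        List<String> rules = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        for (String part : COMMA_WS.split(value.trim(), -1)) {
            boolean startsRule = part.startsWith("RULE:") || part.equals("DEFAULT");
            if (cur.length() > 0 && startsRule) {
                rules.add(cur.toString());
                cur.setLength(0);
            } else if (cur.length() > 0) {
                cur.append(',');
            }
            cur.append(part);
        }
        if (cur.length() > 0) rules.add(cur.toString());
        return rules;
    }

    // Apply "RULE:<regex>/<replacement>/" to a DN; null when the regex does not match.
    static String apply(String rule, String dn) {
        String body = rule.substring("RULE:".length());
        int end = body.lastIndexOf('/'), mid = body.lastIndexOf('/', end - 1);
        Matcher m = Pattern.compile(body.substring(0, mid)).matcher(dn);
        return m.matches() ? m.replaceAll(body.substring(mid + 1, end)) : null;
    }

    public static void main(String[] args) {
        String dn = "CN=Tkac\\, Adam,OU=ITZ,DC=geodis,DC=cz"; // DN from the test case
        String intended = "RULE:^CN=((\\\\, *|\\w)+)(,.*|$)/$1/";
        String rejoined = splitAndRejoin(intended + ",DEFAULT").get(0);
        System.out.println("intended: " + intended + " -> " + apply(intended, dn));
        System.out.println("rejoined: " + rejoined + " -> " + apply(rejoined, dn));
        // A literal DEFAULT between commas inside a character class is taken as a rule boundary.
        System.out.println(splitAndRejoin("RULE:^CN=([^,DEFAULT,]+)(,.*|$)/$1/"));
        System.out.println(splitAndRejoin("RULE:^CN=([^,ADEFLTU,]+)(,.*|$)/$1/"));
    }
}
```

In this model the rejoined rule still matches the DN but yields a different name than the intended rule, so any ACL written for the intended principal would not apply to that client.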