[https://issues.apache.org/jira/browse/KAFKA-2675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14973366#comment-14973366]
Ismael Juma commented on KAFKA-2675:
------------------------------------
[~harsha_ch], I had a look at implementing SASL_KAFKA_SERVER_REALM and it's
unclear how this is meant to be used. Let's use the ZooKeeper code (which is
quite similar to ours) as an example since it has the equivalent
`zookeeper.server.realm` property:
{code}
// Excerpt from ZooKeeper's client-side SASL setup. clientPrincipal, servicePrincipal,
// subject, saslClient, LOG and ClientCallbackHandler belong to the surrounding class
// and are not shown in this excerpt.
final KerberosName clientKerberosName = new KerberosName(clientPrincipal.getName());
// assume that server and client are in the same realm (by default; unless the system property
// "zookeeper.server.realm" is set).
String serverRealm = System.getProperty("zookeeper.server.realm", clientKerberosName.getRealm());
KerberosName serviceKerberosName = new KerberosName(servicePrincipal + "@" + serverRealm);
final String serviceName = serviceKerberosName.getServiceName();
final String serviceHostname = serviceKerberosName.getHostName();
final String clientPrincipalName = clientKerberosName.toString();
try {
    saslClient = Subject.doAs(subject, new PrivilegedExceptionAction<SaslClient>() {
        public SaslClient run() throws SaslException {
            LOG.info("Client will use GSSAPI as SASL mechanism.");
            String[] mechs = {"GSSAPI"};
            LOG.debug("creating sasl client: client=" + clientPrincipalName
                    + ";service=" + serviceName + ";serviceHostname=" + serviceHostname);
            // Only the service name and hostname are passed on; the realm parsed into
            // serviceKerberosName above is not used here.
            SaslClient saslClient = Sasl.createSaslClient(mechs, clientPrincipalName, serviceName,
                    serviceHostname, null, new ClientCallbackHandler(null));
            return saslClient;
        }
    });
    return saslClient;
} // catch clause omitted from the quoted excerpt
{code}
So, the server realm is used to create the `KerberosName`, but then it seems to
be ignored and only `getServiceName()` and `getHostName()` are used. It seems
to me that one could use any value for `serverRealm` and it would have no
effect on the parameters passed to `Sasl.createSaslClient`.
Am I missing something?
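As an added illustration (not from the ZooKeeper code or this comment), a Python mirror of the snippet's principal handling; the KerberosName class and the helper names are assumptions, written to show that the configured server realm never reaches the parameters handed to createSaslClient:

```python
import re
from typing import Optional, Sequence, Tuple

# Same principal grammar as ZooKeeper's KerberosName: "service[/host]@REALM".
_NAME_PARSER = re.compile(r"([^/@]*)(/([^/@]*))?@([^/@]*)")


class KerberosName:
    """Minimal stand-in for ZooKeeper's KerberosName (assumed to match its parsing)."""

    def __init__(self, name: str) -> None:
        match = _NAME_PARSER.fullmatch(name)
        if match is None:
            if "@" in name:
                raise ValueError("Malformed Kerberos name: " + name)
            # No realm given: the whole string is the service name, as in the Java class.
            self.service_name, self.host_name, self.realm = name, None, None
        else:
            self.service_name, self.host_name, self.realm = match.group(1, 3, 4)

    def __str__(self) -> str:
        out = self.service_name
        if self.host_name is not None:
            out += "/" + self.host_name
        if self.realm is not None:
            out += "@" + self.realm
        return out


def sasl_client_args(client_principal: str, service_principal: str,
                     server_realm: Optional[str] = None) -> Tuple[str, str, str]:
    """Return (authorizationId, protocol, serverName) as the snippet hands them to
    Sasl.createSaslClient. server_realm stands in for zookeeper.server.realm and,
    like the snippet, defaults to the client's realm when unset."""
    client = KerberosName(client_principal)
    realm = server_realm if server_realm is not None else client.realm
    if realm is None:  # Java would silently build "...@null"; fail loudly instead
        raise ValueError("no realm available for the service principal")
    service = KerberosName(service_principal + "@" + realm)
    # Only the service name and host are extracted; service.realm is never used.
    return (str(client), service.service_name, service.host_name)


def realm_changes_sasl_args(client_principal: str, service_principal: str,
                            realms: Sequence[str]) -> bool:
    """True if any configured server realm alters what createSaslClient receives."""
    baseline = sasl_client_args(client_principal, service_principal)
    return any(sasl_client_args(client_principal, service_principal, r) != baseline
               for r in realms)
```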
> SASL/Kerberos follow-up
> -----------------------
>
> Key: KAFKA-2675
> URL: https://issues.apache.org/jira/browse/KAFKA-2675
> Project: Kafka
> Issue Type: Sub-task
> Components: security
> Reporter: Ismael Juma
> Assignee: Ismael Juma
> Fix For: 0.9.0.0
>
>
> This is a follow-up to KAFKA-1686.
> 1. Decide on `serviceName` configuration: do we want to keep it in two places?
> 2. auth.to.local config name is a bit opaque, is there a better one?
> 3. Implement or remove SASL_KAFKA_SERVER_REALM config
> 4. Consider making Login's thread a daemon thread
> 5. Write test that shows authentication failure due to invalid user
> 6. Write test that shows authentication failure due to wrong password
> 7. Write test that shows authentication failure due to ticket expiring
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)