[ https://issues.apache.org/jira/browse/ZOOKEEPER-2433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15301771#comment-15301771 ]
Andy B edited comment on ZOOKEEPER-2433 at 5/26/16 5:07 PM:
------------------------------------------------------------

Hi, atm there isn't any test for the ZooKeeperSaslServer. As noted [here|http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/ClientServer.html] single-component names (e.g. user principals) are sometimes used.

The easiest manual test is to create a Kerberos principal without a host component
{noformat}
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey kafka@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{keytabname}.keytab kafka@{REALM}"
{noformat}
and use it to authenticate a Kafka broker. One should see the logs below (log level DEBUG).

*With patch:*
{noformat}
INFO Accepted socket connection from /<ip-addr>:47570
DEBUG serviceHostname is 'null'
DEBUG servicePrincipalName is 'kafka'
DEBUG SASL mechanism(mech) is 'GSSAPI'
INFO Established session [...]
{noformat}

*Without patch:*
{noformat}
INFO Accepted socket connection from /<ip-addr>:47570
ERROR server principal name/hostname determination error: java.lang.StringIndexOutOfBoundsException: String index out of range: -1
    at java.lang.String.substring(String.java:1967)
ERROR failed to create saslServer object.
{noformat}

The error occurs [here|https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java#L67]: since the slash that separates service name from hostname cannot be found, the substring method fails.

was (Author: andy_b):

Hi, atm there isn't any test for the ZooKeeperSaslServer. As written [here|http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/ClientServer.html] single-component names (e.g. user principals) can be used.

The easiest manual test is to create a Kerberos principal without a host component
{noformat}
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey kafka@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{keytabname}.keytab kafka@{REALM}"
{noformat}
and use it to authenticate a Kafka broker. One should see the logs below (log level DEBUG).

*With patch:*
{noformat}
INFO Accepted socket connection from /<ip-addr>:47570
DEBUG serviceHostname is 'null'
DEBUG servicePrincipalName is 'kafka'
DEBUG SASL mechanism(mech) is 'GSSAPI'
INFO Established session [...]
{noformat}

*Without patch:*
{noformat}
INFO Accepted socket connection from /<ip-addr>:47570
ERROR server principal name/hostname determination error: java.lang.StringIndexOutOfBoundsException: String index out of range: -1
    at java.lang.String.substring(String.java:1967)
ERROR failed to create saslServer object.
{noformat}

The error occurs [here|https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java#L67]: since the slash that separates service name from hostname cannot be found, the substring method fails.

> ZooKeeperSaslServer: allow user principals in subject
> -----------------------------------------------------
>
>                 Key: ZOOKEEPER-2433
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2433
>             Project: ZooKeeper
>          Issue Type: Wish
>          Components: security
>    Affects Versions: 3.5.1
>            Reporter: Andy B
>            Assignee: Andy B
>              Labels: easyfix
>             Fix For: 3.5.2
>
>         Attachments: ZOOKEEPER-2433.patch
>
>   Original Estimate: 5h
>  Remaining Estimate: 5h
>
> The createSaslServer function in ZooKeeperSaslServer handles only service
> principal names (e.g. service_name/machine_name@realm), though sometimes
> user/service principal names without host name (e.g. service_name@realm) are
> used for authentication.
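The failure the comment points at, modelled as an added Java example that is not ZooKeeper's own code: a naive split of the principal name assumes a '/' is present and throws on "kafka@REALM", while a tolerant split returns a null hostname for single-component principals, matching the DEBUG lines logged with the patch. The class and method names (PrincipalNameSplit, naiveSplit, tolerantSplit) are assumptions for illustration.

```java
// Added example, not ZooKeeper's own code: models how a Kerberos principal
// is split into the service name and hostname that Sasl.createSaslServer
// expects, and why a single-component principal breaks the naive split.
public final class PrincipalNameSplit {
    /** Service name plus hostname; hostname is null when the principal has none. */
    public static final class Parts {
        public final String serviceName;
        public final String hostname;
        Parts(String serviceName, String hostname) {
            this.serviceName = serviceName;
            this.hostname = hostname;
        }
    }
    /** Naive split that assumes a '/' is always present. For "kafka@REALM"
     *  indexOf returns -1, so substring(0, -1) throws
     *  StringIndexOutOfBoundsException, as in the "without patch" log. */
    public static Parts naiveSplit(String principal) {
        int slash = principal.indexOf('/');
        String service = principal.substring(0, slash); // throws when slash == -1
        String hostAndRealm = principal.substring(slash + 1);
        int at = hostAndRealm.indexOf('@');
        String host = at < 0 ? hostAndRealm : hostAndRealm.substring(0, at);
        return new Parts(service, host);
    }
    /** Tolerant split: a missing '/' yields a null hostname, so user-style
     *  principals ("kafka@REALM") are accepted alongside "kafka/host@REALM". */
    public static Parts tolerantSplit(String principal) {
        int slash = principal.indexOf('/');
        if (slash < 0) {
            int at = principal.indexOf('@');
            return new Parts(at < 0 ? principal : principal.substring(0, at), null);
        }
        String service = principal.substring(0, slash);
        String hostAndRealm = principal.substring(slash + 1);
        int at = hostAndRealm.indexOf('@');
        String host = at < 0 ? hostAndRealm : hostAndRealm.substring(0, at);
        return new Parts(service, host);
    }
    public static void main(String[] args) {
        // Constructed sample principals: one two-component, one single-component.
        for (String p : new String[] {"zookeeper/zk1.example.com@EXAMPLE.COM", "kafka@EXAMPLE.COM"}) {
            Parts parts = tolerantSplit(p);
            System.out.println(p + " -> service=" + parts.serviceName + ", host=" + parts.hostname);
            try { naiveSplit(p); System.out.println("  naive split: ok"); }
            catch (StringIndexOutOfBoundsException e) { System.out.println("  naive split: " + e); }
        }
    }
}
```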