[ https://issues.apache.org/jira/browse/KAFKA-4544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16605944#comment-16605944 ]
Attila Sasvari commented on KAFKA-4544:
---------------------------------------
[~omkreddy] thanks for the info, I extended the test case to better cover the
lifecycle of a delegation token based on your idea:
- Create delegation token
- Create a console-producer using SCRAM and delegation token and produce a message
- Verify message is created (with kafka.search_data_files())
- Create a console-consumer using SCRAM and delegation token and consume 1 message
- Expire the token, immediately
- Try producing one more message with the expired token
- Verify the last message is not persisted by the broker
Initially, I wanted to use console_consumer.py and verifiable clients to
validate things (messages produced / consumed), but I ran into some issues:
- jaas.conf / KafkaClient config cannot include more login modules
{code}
Multiple LoginModule-s in JAAS
Caused by: java.lang.IllegalArgumentException: JAAS config property contains 2 login modules, should be 1 module
    at org.apache.kafka.common.security.JaasContext.load(JaasContext.java:95)
    at org.apache.kafka.common.security.JaasContext.loadClientContext(JaasContext.java:84)
    at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:119)
    at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:65)
    at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:88)
    at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:419)
{code}
- To request a delegation token, we need GSSAPI (and use keytab); subsequently,
consumers and producers use the delegation token. So I ended up manually
constructing the jaas.config and client configs in my POC.
- With and even without my changes, JMX failed to start up when I tried to run
{{./ducker-ak test ../kafkatest/sanity_checks/test_console_consumer.py}}:
{code}
Exception in thread ConsoleConsumer-0-140287252789520-worker-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/local/lib/python2.7/dist-packages/ducktape/services/background_thread.py", line 35, in _protected_worker
    self._worker(idx, node)
  File "/opt/kafka-dev/tests/kafkatest/services/console_consumer.py", line 229, in _worker
    self.start_jmx_tool(idx, node)
  File "/opt/kafka-dev/tests/kafkatest/services/monitor/jmx.py", line 86, in start_jmx_tool
    wait_until(lambda: self._jmx_has_output(node), timeout_sec=10, backoff_sec=.5, err_msg="%s: Jmx tool took too long to start" % node.account)
  File "/usr/local/lib/python2.7/dist-packages/ducktape/utils/util.py", line 36, in wait_until
    raise TimeoutError(err_msg)
TimeoutError: ducker@ducker04: Jmx tool took too long to start
{code}
Right now a lot of things are
[hardcoded|https://github.com/asasvari/kafka/commit/edfc37012079764d2a589dbf5f24ad04505975d4#diff-3e7b2bdbd55d075bcebbbe5ba8c4e269]
(using shell scripts) in my POC. It would be nice to extract common
functionalities and make them easily reusable (e.g. creating wrappers in
Python to do delegation token handling).
> Add system tests for delegation token based authentication
> ----------------------------------------------------------
>
> Key: KAFKA-4544
> URL: https://issues.apache.org/jira/browse/KAFKA-4544
> Project: Kafka
> Issue Type: Sub-task
> Components: security
> Reporter: Ashish Singh
> Assignee: Attila Sasvari
> Priority: Major
>
> Add system tests for delegation token based authentication.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
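Added example, not part of the original comment and not code from the Kafka test suite: a Python helper of the kind the comment suggests, which builds the client configuration for SCRAM with a delegation token and rejects a JAAS value holding more than one login module before a client is started. The function names, the default mechanism and security protocol, and all sample values are assumptions made for illustration.

```python
SCRAM_MODULE = "org.apache.kafka.common.security.scram.ScramLoginModule"

def _quote(value):
    """Double-quote a JAAS option value; token IDs and base64 HMACs need no escaping."""
    if '"' in value or "\\" in value:
        raise ValueError("unexpected quote or backslash in JAAS option value")
    return '"%s"' % value

def token_jaas_config(token_id, hmac):
    """sasl.jaas.config value for a client that authenticates with a delegation token."""
    return '%s required username=%s password=%s tokenauth="true";' % (
        SCRAM_MODULE, _quote(token_id), _quote(hmac))

def count_login_modules(jaas_value):
    """Count login module entries; each entry ends with ';' outside a quoted value."""
    count, in_quotes, has_text = 0, False, False
    for ch in jaas_value:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            count += 1 if has_text else 0
            has_text = False
            continue
        has_text = has_text or not ch.isspace()
    return count

def token_client_properties(jaas_value, mechanism="SCRAM-SHA-256",
                            protocol="SASL_PLAINTEXT"):
    """Render client properties, refusing a JAAS value the client would reject."""
    modules = count_login_modules(jaas_value)
    if modules != 1:
        raise ValueError("JAAS config has %d login modules, should be 1" % modules)
    return "\n".join([
        "security.protocol=%s" % protocol,
        "sasl.mechanism=%s" % mechanism,
        "sasl.jaas.config=%s" % jaas_value,
    ]) + "\n"

# Constructed sample values, not real credentials.
TOKEN_JAAS = token_jaas_config("constructed-token-id", "Y29uc3RydWN0ZWQ7aG1hYw==")
# Constructed value that combines a GSSAPI (keytab) module with the token module,
# the shape that triggers "contains 2 login modules, should be 1 module".
COMBINED_JAAS = (
    'com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true '
    'keyTab="/path/to/client.keytab" principal="client@EXAMPLE.COM"; ' + TOKEN_JAAS)
```

The rendered properties contain the token HMAC, which is a credential, so any file they are written to should be readable only by the test user.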