[ 
https://issues.apache.org/jira/browse/KAFKA-7742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16725749#comment-16725749
 ] 

ASF GitHub Bot commented on KAFKA-7742:
---------------------------------------

omkreddy closed pull request #6037: KAFKA-7742: Fixed removing hmac entry for a 
token being removed from DelegationTokenCache
URL: https://github.com/apache/kafka/pull/6037
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git 
a/clients/src/main/java/org/apache/kafka/common/security/token/delegation/internals/DelegationTokenCache.java
 
b/clients/src/main/java/org/apache/kafka/common/security/token/delegation/internals/DelegationTokenCache.java
index a74781f0e13..9cc913f5750 100644
--- 
a/clients/src/main/java/org/apache/kafka/common/security/token/delegation/internals/DelegationTokenCache.java
+++ 
b/clients/src/main/java/org/apache/kafka/common/security/token/delegation/internals/DelegationTokenCache.java
@@ -32,10 +32,15 @@
 public class DelegationTokenCache {
 
     private CredentialCache credentialCache = new CredentialCache();
+
     //Cache to hold all the tokens
     private Map<String, TokenInformation> tokenCache = new 
ConcurrentHashMap<>();
+
     //Cache to hold hmac->tokenId mapping. This is required for renew, expire 
requests
-    private Map<String, String> hmacIDCache = new ConcurrentHashMap<>();
+    private Map<String, String> hmacTokenIdCache = new ConcurrentHashMap<>();
+
+    //Cache to hold tokenId->hmac mapping. This is required for removing entry 
from hmacTokenIdCache using tokenId.
+    private Map<String, String> tokenIdHmacCache = new ConcurrentHashMap<>();
 
     public DelegationTokenCache(Collection<String> scramMechanisms) {
         //Create caches for scramMechanisms
@@ -60,17 +65,21 @@ public void updateCache(DelegationToken token, Map<String, 
ScramCredential> scra
         //Update Scram Credentials
         updateCredentials(tokenId, scramCredentialMap);
         //Update hmac-id cache
-        hmacIDCache.put(hmac, tokenId);
+        hmacTokenIdCache.put(hmac, tokenId);
+        tokenIdHmacCache.put(tokenId, hmac);
     }
 
-
     public void removeCache(String tokenId) {
         removeToken(tokenId);
-        updateCredentials(tokenId, new HashMap<String, ScramCredential>());
+        updateCredentials(tokenId, new HashMap<>());
+    }
+
+    public String tokenIdForHmac(String base64hmac) {
+        return hmacTokenIdCache.get(base64hmac);
     }
 
     public TokenInformation tokenForHmac(String base64hmac) {
-        String tokenId = hmacIDCache.get(base64hmac);
+        String tokenId = hmacTokenIdCache.get(base64hmac);
         return tokenId == null ? null : tokenCache.get(tokenId);
     }
 
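Review bot: In `updateCache`, the two added `put` calls overwrite the forward and reverse entries without clearing the previous ones. If a tokenId is ever re-cached with a different hmac, the old key stays in `hmacTokenIdCache` and `tokenForHmac` would still resolve it to the live token. Whether the hmac can change for an existing tokenId is not visible in this hunk, but the cleanup is cheap: `String oldHmac = tokenIdHmacCache.put(tokenId, hmac);` followed by `if (oldHmac != null && !oldHmac.equals(hmac)) hmacTokenIdCache.remove(oldHmac);`. The new public `tokenIdForHmac` would also benefit from a one-line Javadoc stating that it returns null for an unknown hmac. `updateCache` begins above the hunk, so the earlier part of its body is not reviewed here.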
@@ -81,7 +90,10 @@ public TokenInformation addToken(String tokenId, 
TokenInformation tokenInfo) {
     public void removeToken(String tokenId) {
         TokenInformation tokenInfo = tokenCache.remove(tokenId);
         if (tokenInfo != null) {
-            hmacIDCache.remove(tokenInfo.tokenId());
+            String hmac = tokenIdHmacCache.remove(tokenInfo.tokenId());
+            if (hmac != null) {
+                hmacTokenIdCache.remove(hmac);
+            }
         }
     }
 
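Review bot: The hmac cleanup in `removeToken` runs only when `tokenCache.remove(tokenId)` returned a token, so a tokenId with hmac entries but no `tokenCache` entry keeps both mappings and `tokenIdForHmac` would keep returning it. Whether that state is reachable depends on code outside the hunk. Keying the removal on the method argument and moving it ahead of the null check avoids it: `String hmac = tokenIdHmacCache.remove(tokenId);` then `if (hmac != null) hmacTokenIdCache.remove(hmac);`. The three maps are modified in separate steps, so a short comment on what serializes callers of `updateCache` and `removeToken` would help; nothing in the visible lines does.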
diff --git 
a/core/src/test/scala/unit/kafka/security/token/delegation/DelegationTokenManagerTest.scala
 
b/core/src/test/scala/unit/kafka/security/token/delegation/DelegationTokenManagerTest.scala
index b8d4376c54a..ed82f5ed446 100644
--- 
a/core/src/test/scala/unit/kafka/security/token/delegation/DelegationTokenManagerTest.scala
+++ 
b/core/src/test/scala/unit/kafka/security/token/delegation/DelegationTokenManagerTest.scala
@@ -19,7 +19,7 @@ package kafka.security.token.delegation
 
 import java.net.InetAddress
 import java.nio.ByteBuffer
-import java.util.Properties
+import java.util.{Base64, Properties}
 
 import kafka.network.RequestChannel.Session
 import kafka.security.auth.Acl.WildCardHost
@@ -189,6 +189,30 @@ class DelegationTokenManagerTest extends 
ZooKeeperTestHarness  {
     assertEquals(time.milliseconds, expiryTimeStamp)
   }
 
+  @Test
+  def testRemoveTokenHmac():Unit = {
+    val config = KafkaConfig.fromProps(props)
+    val tokenManager = createDelegationTokenManager(config, tokenCache, time, 
zkClient)
+    tokenManager.startup
+
+    tokenManager.createToken(owner, renewer, -1 , createTokenResultCallBack)
+    val issueTime = time.milliseconds
+    val tokenId = createTokenResult.tokenId
+    val password = DelegationTokenManager.createHmac(tokenId, masterKey)
+    assertEquals(CreateTokenResult(issueTime, issueTime + renewTimeMsDefault,  
issueTime + maxLifeTimeMsDefault, tokenId, password, Errors.NONE), 
createTokenResult)
+
+    // expire the token immediately
+    tokenManager.expireToken(owner, ByteBuffer.wrap(password), -1, 
renewResponseCallback)
+
+    val encodedHmac = Base64.getEncoder.encodeToString(password)
+    // check respective hmac map entry is removed for the expired tokenId.
+    val tokenInformation = tokenManager.tokenCache.tokenIdForHmac(encodedHmac)
+    assertNull(tokenInformation)
+
+    //check that the token is removed
+    assert(tokenManager.getToken(tokenId).isEmpty)
+  }
+
   @Test
   def testDescribeToken(): Unit = {
 
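Review bot: `testRemoveTokenHmac` never checks that the hmac entry existed before the token is expired. The final `assertNull` would therefore also pass if the mapping had never been populated, or if the Base64 form built here differed from the key format the cache uses. Moving `encodedHmac` above the `expireToken` call and adding `assertEquals(tokenId, tokenManager.tokenCache.tokenIdForHmac(encodedHmac))` there pins both. The local `tokenInformation` actually holds a token id string, so a name such as `cachedTokenId` would read more accurately. The outcome delivered to `renewResponseCallback` is also not asserted, so a failed expiry is caught only indirectly by the last two checks.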


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> DelegationTokenCache#hmacIdCache entry is not cleared when a token is removed 
> using removeToken(String tokenId) API.
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-7742
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7742
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>            Reporter: Satish Duggana
>            Assignee: Satish Duggana
>            Priority: Major
>             Fix For: 2.2.0
>
>
> DelegationTokenCache#hmacIdCache entry is not cleared when a token is removed 
> using `removeToken(String tokenId)`[1] API.
> 1) 
> https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/token/delegation/internals/DelegationTokenCache.java#L84



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
