[ 
https://issues.apache.org/jira/browse/KAFKA-8860?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Manikumar updated KAFKA-8860:
-----------------------------
    Description: 
This Jira is to track the issue reported by  
[t...@teebee.de|mailto:t...@teebee.de] in PR 
[#7140|https://github.com/apache/kafka/pull/7140] 

PR [#6099|https://github.com/apache/kafka/pull/6099] tried to undo the 
splitting of the {{ssl.principal.mapper.rules}} 
[list|https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/KafkaConfig.scala#L1054]
 on [comma with 
whitespace|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L78]
 by [sophisticated 
rejoining|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42]
 of the split list using a comma as separator. However, since possibly 
surrounding whitespace is not reconstructed this approach fails in general. 
Consider the following test case:
{code:java}
@Test
public void testCommaWithWhitespace() throws Exception {
    String value = "RULE:^CN=((\\\\, *|\\w)+)(,.*|$)/$1/,DEFAULT";

    @SuppressWarnings("unchecked")
    List<String> rules = (List<String>) ConfigDef.parseType("ssl.principal.mapper.rules", value, Type.LIST);

    SslPrincipalMapper mapper = SslPrincipalMapper.fromRules(rules);
    assertEquals("Tkac\\, Adam", mapper.getName("CN=Tkac\\, Adam,OU=ITZ,DC=geodis,DC=cz"));
}
{code}
The space after the escaped comma is 
[essential|https://sogo.nu/bugs/view.php?id=2152]. Unfortunately, it has 
disappeared after splitting and rejoining.

Moreover, in 
[{{joinSplitRules}}|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42]
 the decision to rejoin list elements is based on local information only which 
might not be sufficient. It works for 
{quote}"RULE:^CN=([^,ADEFLTU,]+)(,.*|$)/$1/"{quote}  but fails for the 
_equivalent_ regular expression 
{quote}"RULE:^CN=([^,DEFAULT,]+)(,.*|$)/$1/"{quote}

The approach of the current PR is to change the type of the 
{{ssl.principal.mapper.rules}} attribute from 
[LIST|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781]
 to 
[STRING|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781]
 and to delegate the splitting of the rules to the 
[SslPrincipalMapper|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java].
 It knows about the structure of the rules and can perform the splitting 
context-based.

  was:
This Jira is to track the issue reported by  
[t...@teebee.de|mailto:t...@teebee.de] in PR 
[#7140|https://github.com/apache/kafka/pull/7140] 

PR [#6099|https://github.com/apache/kafka/pull/6099] tried to undo the 
splitting of the {{ssl.principal.mapper.rules}} 
[list|https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/KafkaConfig.scala#L1054]
 on [comma with 
whitespace|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L78]
 by [sophisticated 
rejoining|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42]
 of the split list using a comma as separator. However, since possibly 
surrounding whitespace is not reconstructed this approach fails in general. 
Consider the following test case:
{code:java}
@Test
public void testCommaWithWhitespace() throws Exception {
    String value = "RULE:^CN=((\\\\, *|\\w)+)(,.*|$)/$1/,DEFAULT";

    @SuppressWarnings("unchecked")
    List<String> rules = (List<String>) ConfigDef.parseType("ssl.principal.mapper.rules", value, Type.LIST);

    SslPrincipalMapper mapper = SslPrincipalMapper.fromRules(rules);
    assertEquals("Tkac\\, Adam", mapper.getName("CN=Tkac\\, Adam,OU=ITZ,DC=geodis,DC=cz"));
}
{code}
The space after the escaped comma is 
[essential|https://sogo.nu/bugs/view.php?id=2152]. Unfortunately, it has 
disappeared after splitting and rejoining.

Moreover, in 
[{{joinSplitRules}}|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42]
 the decision to rejoin list elements is based on local information only which 
might not be sufficient. It works for 
{{"RULE:^CN=([^,ADEFLTU,]+)(,.*|$)/$1/"*+}} *but fails for the _equivalent_ 
regular expression {{"RULE:^CN=([^,DEFAULT,])(,.}}*{{|$)/$1/"}}.

The approach of the current PR is to change the type of the 
{{ssl.principal.mapper.rules}} attribute from 
[LIST|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781]
 to 
[STRING|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781]
 and to delegate the splitting of the rules to the 
[SslPrincipalMapper|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java].
 It knows about the structure of the rules and can perform the splitting 
context-based.


> SslPrincipalMapper should handle distinguished names with spaces
> ----------------------------------------------------------------
>
>                 Key: KAFKA-8860
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8860
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Manikumar
>            Priority: Major
>
> This Jira is to track the issue reported by  
> [t...@teebee.de|mailto:t...@teebee.de] in PR 
> [#7140|https://github.com/apache/kafka/pull/7140] 
> PR [#6099|https://github.com/apache/kafka/pull/6099] tried to undo the 
> splitting of the {{ssl.principal.mapper.rules}} 
> [list|https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/KafkaConfig.scala#L1054]
>  on [comma with 
> whitespace|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L78]
>  by [sophisticated 
> rejoining|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42]
>  of the split list using a comma as separator. However, since possibly 
> surrounding whitespace is not reconstructed this approach fails in general. 
> Consider the following test case:
> {code:java}
> @Test
> public void testCommaWithWhitespace() throws Exception {
>     String value = "RULE:^CN=((\\\\, *|\\w)+)(,.*|$)/$1/,DEFAULT";
>     @SuppressWarnings("unchecked")
>     List<String> rules = (List<String>) ConfigDef.parseType("ssl.principal.mapper.rules", value, Type.LIST);
>     SslPrincipalMapper mapper = SslPrincipalMapper.fromRules(rules);
>     assertEquals("Tkac\\, Adam", mapper.getName("CN=Tkac\\, Adam,OU=ITZ,DC=geodis,DC=cz"));
> }
> {code}
> The space after the escaped comma is 
> [essential|https://sogo.nu/bugs/view.php?id=2152]. Unfortunately, it has 
> disappeared after splitting and rejoining.
> Moreover, in 
> [{{joinSplitRules}}|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42]
>  the decision to rejoin list elements is based on local information only 
> which might not be sufficient. It works for 
> {quote}"RULE:^CN=([^,ADEFLTU,]+)(,.*|$)/$1/"{quote}  but fails for the 
> _equivalent_ regular expression 
> {quote}"RULE:^CN=([^,DEFAULT,]+)(,.*|$)/$1/"{quote}
> The approach of the current PR is to change the type of the 
> {{ssl.principal.mapper.rules}} attribute from 
> [LIST|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781]
>  to 
> [STRING|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781]
>  and to delegate the splitting of the rules to the 
> [SslPrincipalMapper|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java].
>  It knows about the structure of the rules and can perform the splitting 
> context-based.



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
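
The failure described in the issue, as an added example that is not part of the Jira description or of Kafka's code: it models the LIST handling as a split on comma with whitespace followed by a rejoin with `,`, and compares the principal mapped from the rejoined rule with the one mapped from the raw string split structurally. The names `RuleSplitDemo`, `splitRules` and `mapName` are hypothetical, and the splitter assumes rules of the form `DEFAULT` or `RULE:pattern/replacement/[L|U]` with backslash escaping.

```java
import java.util.*;
import java.util.regex.*;

// Added illustration; class and method names are hypothetical, not Kafka's.
public class RuleSplitDemo {
    // Context-based split: a backslash escapes the next character, so only an
    // unescaped '/' ends the pattern or the replacement of a RULE.
    static List<String> splitRules(String value) {
        List<String> rules = new ArrayList<>();
        int i = 0;
        while (i < value.length()) {
            while (i < value.length() && Character.isWhitespace(value.charAt(i))) i++;
            int start = i;
            if (value.startsWith("DEFAULT", i)) {
                i += "DEFAULT".length();
            } else if (value.startsWith("RULE:", i)) {
                i += "RULE:".length();
                for (int slashes = 0; slashes < 2; i++) {
                    if (i >= value.length()) throw new IllegalArgumentException("unterminated rule");
                    char c = value.charAt(i);
                    if (c == '\\') i++;              // skip the escaped character
                    else if (c == '/') slashes++;
                }
                if (i < value.length() && "LU".indexOf(value.charAt(i)) >= 0) i++;
            } else {
                throw new IllegalArgumentException("unexpected text at offset " + start);
            }
            rules.add(value.substring(start, i));
            while (i < value.length() && Character.isWhitespace(value.charAt(i))) i++;
            if (i < value.length() && value.charAt(i++) != ',')
                throw new IllegalArgumentException("expected ',' between rules");
        }
        return rules;
    }

    // Applies one RULE to a DN; assumes the pattern itself contains no '/'.
    static String mapName(String rule, String dn) {
        String[] parts = rule.substring("RULE:".length()).split("/");
        Matcher m = Pattern.compile(parts[0]).matcher(dn);
        return m.matches() ? m.replaceFirst(parts[1]) : null;
    }

    public static void main(String[] args) {
        String value = "RULE:^CN=((\\\\, *|\\w)+)(,.*|$)/$1/,DEFAULT"; // from the test case
        String dn = "CN=Tkac\\, Adam,OU=ITZ,DC=geodis,DC=cz";
        // Modelled LIST handling: split on comma with whitespace, rejoin with ','.
        String rejoined = String.join(",", value.split("\\s*,\\s*"));
        System.out.println(mapName(splitRules(rejoined).get(0), dn)); // rule after the space was lost
        System.out.println(mapName(splitRules(value).get(0), dn));    // rule taken from the raw string
        System.out.println(splitRules("RULE:^CN=([^,DEFAULT,]+)(,.*|$)/$1/").size());
    }
}
```

The last line feeds the splitter the `[^,DEFAULT,]` rule from the description: because the scan only ends a rule at its second unescaped `/`, the `DEFAULT` inside the character class is not treated as a rule of its own.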
