[ https://issues.apache.org/jira/browse/KAFKA-8860?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Manikumar updated KAFKA-8860:
-----------------------------
    Description:
This Jira is to track the issue reported by [t...@teebee.de|mailto:t...@teebee.de] in PR [#7140|https://github.com/apache/kafka/pull/7140]

PR [#6099|https://github.com/apache/kafka/pull/6099] tried to undo the splitting of the {{ssl.principal.mapper.rules}} [list|https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/KafkaConfig.scala#L1054] on [comma with whitespace|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L78] by [sophisticated rejoining|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42] of the split list using a comma as separator. However, since possibly surrounding whitespace is not reconstructed, this approach fails in general. Consider the following test case:

{code:java}
@Test
public void testCommaWithWhitespace() throws Exception {
    String value = "RULE:^CN=((\\\\, *|\\w)+)(,.*|$)/$1/,DEFAULT";

    @SuppressWarnings("unchecked")
    List<String> rules = (List<String>) ConfigDef.parseType("ssl.principal.mapper.rules", value, Type.LIST);

    SslPrincipalMapper mapper = SslPrincipalMapper.fromRules(rules);
    assertEquals("Tkac\\, Adam", mapper.getName("CN=Tkac\\, Adam,OU=ITZ,DC=geodis,DC=cz"));
}
{code}

The space after the escaped comma is [essential|https://sogo.nu/bugs/view.php?id=2152]. Unfortunately, it has disappeared after splitting and rejoining.

Moreover, in [{{joinSplitRules}}|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42] the decision to rejoin list elements is based on local information only, which might not be sufficient. It works for
{quote}"RULE:^CN=([^,ADEFLTU,]+)(,.*|$)/$1/"{quote}
but fails for the _equivalent_ regular expression
{quote}"RULE:^CN=([^,DEFAULT,]+)(,.*|$)/$1/"{quote}

The approach of the current PR is to change the type of the {{ssl.principal.mapper.rules}} attribute from [LIST|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781] to [STRING|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781] and to delegate the splitting of the rules to the [SslPrincipalMapper|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java]. It knows about the structure of the rules and can perform the splitting context-based.

  was:
This Jira is to track the issue reported by [t...@teebee.de|mailto:t...@teebee.de] in PR [#7140|https://github.com/apache/kafka/pull/7140]

PR [#6099|https://github.com/apache/kafka/pull/6099] tried to undo the splitting of the {{ssl.principal.mapper.rules}} [list|https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/KafkaConfig.scala#L1054] on [comma with whitespace|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L78] by [sophisticated rejoining|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42] of the split list using a comma as separator. However, since possibly surrounding whitespace is not reconstructed, this approach fails in general. Consider the following test case:

{code:java}
@Test
public void testCommaWithWhitespace() throws Exception {
    String value = "RULE:^CN=((\\\\, *|\\w)+)(,.*|$)/$1/,DEFAULT";

    @SuppressWarnings("unchecked")
    List<String> rules = (List<String>) ConfigDef.parseType("ssl.principal.mapper.rules", value, Type.LIST);

    SslPrincipalMapper mapper = SslPrincipalMapper.fromRules(rules);
    assertEquals("Tkac\\, Adam", mapper.getName("CN=Tkac\\, Adam,OU=ITZ,DC=geodis,DC=cz"));
}
{code}

The space after the escaped comma is [essential|https://sogo.nu/bugs/view.php?id=2152]. Unfortunately, it has disappeared after splitting and rejoining.

Moreover, in [{{joinSplitRules}}|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42] the decision to rejoin list elements is based on local information only, which might not be sufficient. It works for {{"RULE:^CN=([^,ADEFLTU,]+)(,.*|$)/$1/"*+}} *but fails for the _equivalent_ regular expression {{"RULE:^CN=([^,DEFAULT,])(,.}}*{{|$)/$1/"}}.

The approach of the current PR is to change the type of the {{ssl.principal.mapper.rules}} attribute from [LIST|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781] to [STRING|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781] and to delegate the splitting of the rules to the [SslPrincipalMapper|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java]. It knows about the structure of the rules and can perform the splitting context-based.

> SslPrincipalMapper should handle distinguished names with spaces
> ----------------------------------------------------------------
>
>                 Key: KAFKA-8860
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8860
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Manikumar
>            Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
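
The two approaches compared in the description, as an added stand-alone Java illustration that is not code from the issue, the PRs or Kafka: it runs the rule string and DN from the test case through a LIST-style split and rejoin, then through a context-based split. `splitAndRejoin`, `splitRules` and `mapName` are hypothetical helpers, and the rule shape they assume (`RULE:pattern/replacement/` with an optional `L` or `U`, backslash escaping the next character) is a simplification.

```java
import java.util.*;
import java.util.regex.*;

public class PrincipalRuleSplitDemo {
    // Rule string and DN taken from the test case in the issue description.
    static final String RULES = "RULE:^CN=((\\\\, *|\\w)+)(,.*|$)/$1/,DEFAULT";
    static final String DN = "CN=Tkac\\, Adam,OU=ITZ,DC=geodis,DC=cz";
    // Assumed rule shape: RULE:pattern/replacement/[L|U], '\' escapes the next character.
    static final Pattern RULE = Pattern.compile("RULE:((?:\\\\.|[^\\\\/])*)/((?:\\\\.|[^\\\\/])*)/[LU]?");

    // Model of a LIST-typed value: split on comma with whitespace, rejoin with a bare comma.
    static String splitAndRejoin(String value) {
        return String.join(",", value.trim().split("\\s*,\\s*", -1));
    }

    // Context-based split: a comma ends a rule only after both '/' delimiters (or after DEFAULT).
    static List<String> splitRules(String value) {
        List<String> rules = new ArrayList<>();
        int start = 0, slashes = 0;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\\') { i++; continue; }           // skip the escaped character
            if (c == '/') slashes++;
            boolean isRule = value.substring(start, i).trim().startsWith("RULE:");
            if (c == ',' && (!isRule || slashes >= 2)) {
                rules.add(value.substring(start, i).trim());
                start = i + 1;
                slashes = 0;
            }
        }
        rules.add(value.substring(start).trim());
        return rules;
    }

    // Apply one rule to a DN; a non-RULE entry (DEFAULT) returns the DN unchanged.
    static String mapName(String rule, String dn) {
        Matcher r = RULE.matcher(rule);
        if (!r.matches()) return dn;
        Matcher m = Pattern.compile(r.group(1)).matcher(dn);
        return m.matches() ? m.replaceAll(r.group(2)) : null;
    }

    public static void main(String[] args) {
        String rejoined = splitAndRejoin(RULES);
        System.out.println("rejoined value: " + rejoined);
        System.out.println("LIST + rejoin : " + mapName(splitRules(rejoined).get(0), DN));
        System.out.println("context split : " + mapName(splitRules(RULES).get(0), DN));
        System.out.println(splitRules("RULE:^CN=([^,DEFAULT,]+)(,.*|$)/$1/, DEFAULT"));
    }
}
```

The rejoined pattern no longer contains the space after the escaped comma, so the name it produces differs from the `Tkac\, Adam` the test expects; when validating mapping rules, compare the mapped name against the expected principal rather than only checking that the rule matches.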