[GitHub] [kafka] omkreddy commented on a diff in pull request #13114: KAFKA-14084: SCRAM support in KRaft.
omkreddy commented on code in PR #13114: URL: https://github.com/apache/kafka/pull/13114#discussion_r1108339368 ## core/src/test/scala/unit/kafka/server/DescribeUserScramCredentialsRequestTest.scala: ## @@ -17,18 +17,22 @@ package kafka.server import java.util -import java.util.Properties +// import java.util.Properties Review Comment: can we remove unused import? ## core/src/test/scala/unit/kafka/server/AlterUserScramCredentialsRequestTest.scala: ## @@ -260,11 +271,13 @@ class AlterUserScramCredentialsRequestTest extends BaseRequestTest { .setSalt(saltBytes) .setSaltedPassword(saltedPasswordBytes), ))).build() -val results1 = sendAlterUserScramCredentialsRequest(request1).data.results -assertEquals(2, results1.size) -checkNoErrorsAlteringCredentials(results1) -checkUserAppearsInAlterResults(results1, user1) -checkUserAppearsInAlterResults(results1, user2) +val results1_1 = sendAlterUserScramCredentialsRequest(request1_1).data.results +assertEquals(2, results1_1.size) +checkNoErrorsAlteringCredentials(results1_1) +checkUserAppearsInAlterResults(results1_1, user1) +checkUserAppearsInAlterResults(results1_1, user2) + +Thread.sleep(1) Review Comment: Can we address this? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [kafka] omkreddy commented on a diff in pull request #13114: KAFKA-14084: SCRAM support in KRaft.
omkreddy commented on code in PR #13114: URL: https://github.com/apache/kafka/pull/13114#discussion_r1106755866 ## core/src/test/scala/unit/kafka/server/AlterUserScramCredentialsRequestTest.scala: ## @@ -260,11 +271,13 @@ class AlterUserScramCredentialsRequestTest extends BaseRequestTest { .setSalt(saltBytes) .setSaltedPassword(saltedPasswordBytes), ))).build() -val results1 = sendAlterUserScramCredentialsRequest(request1).data.results -assertEquals(2, results1.size) -checkNoErrorsAlteringCredentials(results1) -checkUserAppearsInAlterResults(results1, user1) -checkUserAppearsInAlterResults(results1, user2) +val results1_1 = sendAlterUserScramCredentialsRequest(request1_1).data.results +assertEquals(2, results1_1.size) +checkNoErrorsAlteringCredentials(results1_1) +checkUserAppearsInAlterResults(results1_1, user1) +checkUserAppearsInAlterResults(results1_1, user2) + +Thread.sleep(1) Review Comment: we generally use 'TestUtils.waitForCondition` in tests to wait for condition -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [kafka] omkreddy commented on a diff in pull request #13114: KAFKA-14084: SCRAM support in KRaft.
omkreddy commented on code in PR #13114: URL: https://github.com/apache/kafka/pull/13114#discussion_r1106751131 ## core/src/main/scala/kafka/server/KafkaApis.scala: ## @@ -3296,17 +3296,23 @@ class KafkaApis(val requestChannel: RequestChannel, } def handleDescribeUserScramCredentialsRequest(request: RequestChannel.Request): Unit = { Review Comment: As I mentioned above, ControllerAPI also should support DescribeUserScramCredentialsRequest API ## core/src/test/scala/unit/kafka/server/AlterUserScramCredentialsRequestTest.scala: ## @@ -260,11 +271,13 @@ class AlterUserScramCredentialsRequestTest extends BaseRequestTest { .setSalt(saltBytes) .setSaltedPassword(saltedPasswordBytes), ))).build() -val results1 = sendAlterUserScramCredentialsRequest(request1).data.results -assertEquals(2, results1.size) -checkNoErrorsAlteringCredentials(results1) -checkUserAppearsInAlterResults(results1, user1) -checkUserAppearsInAlterResults(results1, user2) +val results1_1 = sendAlterUserScramCredentialsRequest(request1_1).data.results +assertEquals(2, results1_1.size) +checkNoErrorsAlteringCredentials(results1_1) +checkUserAppearsInAlterResults(results1_1, user1) +checkUserAppearsInAlterResults(results1_1, user2) + +Thread.sleep(1) Review Comment: we generally use 'TestUtils.waitForCondition` in tests ## metadata/src/main/java/org/apache/kafka/image/ScramImage.java: ## @@ -50,6 +58,63 @@ public void write(ImageWriter writer, ImageWriterOptions options) { } } +public DescribeUserScramCredentialsResponseData describe(DescribeUserScramCredentialsRequestData request) { + +List users = request.users(); +Map uniqueUsers = new HashMap(); + +if ((users == null) || (users.size() == 0)) { +System.out.println("Describe : get all the users"); +// If there are no users listed then get all the users +for (Map scramCredentialDataSet : mechanisms.values()) { +for (String user : scramCredentialDataSet.keySet()) { +uniqueUsers.put(user, false); +} +} +} else { +// Filter out duplicates +for (UserName user : users) { +if (uniqueUsers.containsKey(user.name())) { +uniqueUsers.put(user.name(), true); +} else { +uniqueUsers.put(user.name(), false); +} +} +} + +DescribeUserScramCredentialsResponseData retval = new DescribeUserScramCredentialsResponseData(); + +for (Map.Entry user : uniqueUsers.entrySet()) { +DescribeUserScramCredentialsResult result = + new DescribeUserScramCredentialsResult().setUser(user.getKey()); + +if (user.getValue() == false) { +List credentialInfos = new ArrayList(); + +boolean datafound = false; +for (Map.Entry> mechanismsEntry : mechanisms.entrySet()) { +Map credentialDataSet = mechanismsEntry.getValue(); +if (credentialDataSet.containsKey(user.getKey())) { +credentialInfos.add(new CredentialInfo().setMechanism(mechanismsEntry.getKey().type()) + .setIterations(credentialDataSet.get(user.getKey()).iterations())); +datafound = true; +} +} +if (datafound) { +result.setCredentialInfos(credentialInfos); +} else { +result.setErrorCode(Errors.RESOURCE_NOT_FOUND.code()) + .setErrorMessage("attemptToDescribeUserThatDoesNotExist: " + user.getKey()); Review Comment: Can we use same error message as https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/ZkAdminManager.scala#L802 ## metadata/src/main/java/org/apache/kafka/image/ScramImage.java: ## @@ -50,6 +58,63 @@ public void write(ImageWriter writer, ImageWriterOptions options) { } } +public DescribeUserScramCredentialsResponseData describe(DescribeUserScramCredentialsRequestData request) { + +List users = request.users(); +Map uniqueUsers = new HashMap(); + +if ((users == null) || (users.size() == 0)) { +System.out.println("Describe : get all the users"); +// If there are no users listed then get all the users +for (Map scramCredentialDataSet : mechanisms.values()) { +for (String user : scramCredentialDataSet.keySet()) { +uniqueUsers.put(user, false); +} +} +} else { +// Filter out duplicates +for (UserName user : users) { +
[GitHub] [kafka] omkreddy commented on a diff in pull request #13114: KAFKA-14084: SCRAM support in KRaft.
omkreddy commented on code in PR #13114: URL: https://github.com/apache/kafka/pull/13114#discussion_r1101769724 ## metadata/src/main/java/org/apache/kafka/controller/ScramControlManager.java: ## @@ -0,0 +1,307 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + *http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.kafka.controller; + +import org.apache.kafka.clients.admin.ScramMechanism; +import org.apache.kafka.common.message.AlterUserScramCredentialsRequestData; +import org.apache.kafka.common.message.AlterUserScramCredentialsRequestData.ScramCredentialDeletion; +import org.apache.kafka.common.message.AlterUserScramCredentialsRequestData.ScramCredentialUpsertion; +import org.apache.kafka.common.message.AlterUserScramCredentialsResponseData; +import org.apache.kafka.common.message.AlterUserScramCredentialsResponseData.AlterUserScramCredentialsResult; +import org.apache.kafka.common.metadata.RemoveUserScramCredentialRecord; +import org.apache.kafka.common.metadata.UserScramCredentialRecord; +import org.apache.kafka.common.requests.ApiError; +import org.apache.kafka.common.utils.LogContext; +import org.apache.kafka.server.common.ApiMessageAndVersion; +import org.apache.kafka.timeline.SnapshotRegistry; +import org.apache.kafka.timeline.TimelineHashMap; +import org.slf4j.Logger; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Base64; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Map.Entry; +import java.util.Objects; + +import static org.apache.kafka.common.protocol.Errors.DUPLICATE_RESOURCE; +import static org.apache.kafka.common.protocol.Errors.NONE; +import static org.apache.kafka.common.protocol.Errors.RESOURCE_NOT_FOUND; +import static org.apache.kafka.common.protocol.Errors.UNACCEPTABLE_CREDENTIAL; +import static org.apache.kafka.common.protocol.Errors.UNSUPPORTED_SASL_MECHANISM; + + +/** + * Manages SCRAM credentials. + */ +public class ScramControlManager { +static final int MAX_ITERATIONS = 16384; + +static class Builder { +private LogContext logContext = null; +private SnapshotRegistry snapshotRegistry = null; + +Builder setLogContext(LogContext logContext) { +this.logContext = logContext; +return this; +} + +Builder setSnapshotRegistry(SnapshotRegistry snapshotRegistry) { +this.snapshotRegistry = snapshotRegistry; +return this; +} + +ScramControlManager build() { +if (logContext == null) logContext = new LogContext(); +if (snapshotRegistry == null) snapshotRegistry = new SnapshotRegistry(logContext); +return new ScramControlManager(logContext, +snapshotRegistry); +} +} + +static class ScramCredentialKey { +private final String username; +private final ScramMechanism mechanism; + +ScramCredentialKey(String username, ScramMechanism mechanism) { +this.username = username; +this.mechanism = mechanism; +} + +@Override +public int hashCode() { +return Objects.hash(username, mechanism); +} + +@Override +public boolean equals(Object o) { +if (o == null) return false; +if (!(o.getClass() == this.getClass())) return false; +ScramCredentialKey other = (ScramCredentialKey) o; +return username.equals(other.username) && +mechanism.equals(other.mechanism); +} + +@Override +public String toString() { +return "ScramCredentialKey" + +"(username=" + username + +", mechanism=" + mechanism + +")"; +} +} + +static class ScramCredentialValue { +private final byte[] salt; +private final byte[] saltedPassword; +private final int iterations; + +ScramCredentialValue( +byte[] salt, +byte[] saltedPassword, +int iterations +) { +this.salt = salt; +this.saltedPassword = saltedPassword; +this.iterations = iterations; +} + +@Override +
[GitHub] [kafka] omkreddy commented on a diff in pull request #13114: KAFKA-14084: SCRAM support in KRaft.
omkreddy commented on code in PR #13114: URL: https://github.com/apache/kafka/pull/13114#discussion_r1100299605 ## core/src/main/scala/kafka/server/ControllerApis.scala: ## @@ -816,6 +817,17 @@ class ControllerApis(val requestChannel: RequestChannel, } } + def handleAlterUserScramCredentials(request: RequestChannel.Request): CompletableFuture[Unit] = { +val alterRequest = request.body[AlterUserScramCredentialsRequest] +val context = new ControllerRequestContext(request.context.header.data, request.context.principal, Review Comment: We need to authorisation `authHelper.authorizeClusterOperation(request, ALTER)` check here. Similar check in KafkaAPI: [handleAlterUserScramCredentialsRequest](https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/KafkaApis.scala#L3326) ## core/src/test/scala/unit/kafka/server/AlterUserScramCredentialsRequestTest.scala: ## @@ -85,15 +113,17 @@ class AlterUserScramCredentialsRequestTest extends BaseRequestTest { .setUpsertions(util.Arrays.asList(upsertion1, upsertion2))).build(), ) requests.foreach(request => { - val response = sendAlterUserScramCredentialsRequest(request) + val response = sendAlterUserScramCredentialsRequest(request, adminSocketServer) val results = response.data.results assertEquals(2, results.size) checkAllErrorsAlteringCredentials(results, Errors.DUPLICATE_RESOURCE, "when altering the same credential twice in a single request") }) } - @Test - def testAlterEmptyUser(): Unit = { + @ParameterizedTest(name = TestInfoUtils.TestWithParameterizedQuorumName) + @ValueSource(strings = Array("kraft", "zk")) + def testAlterEmptyUser(quorum: String): Unit = { + println("Starting test") Review Comment: unwanted line ## core/src/main/scala/kafka/server/metadata/BrokerMetadataPublisher.scala: ## @@ -221,6 +223,21 @@ class BrokerMetadataPublisher( s"quotas in ${deltaName}", t) } + // Apply changes to SCRAM credentials. + Option(delta.scramDelta()).foreach { scramDelta => Review Comment: May I know, how are applying changes on Controller Nodes: https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/ControllerServer.scala#L176 ## metadata/src/main/java/org/apache/kafka/image/ScramCredentialData.java: ## @@ -0,0 +1,119 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + *http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.kafka.image; + +import org.apache.kafka.clients.admin.ScramMechanism; +import org.apache.kafka.common.metadata.UserScramCredentialRecord; +import org.apache.kafka.common.security.scram.ScramCredential; +import org.apache.kafka.common.security.scram.internals.ScramFormatter; +import org.apache.kafka.common.utils.Bytes; + +import java.security.GeneralSecurityException; +import java.util.Arrays; +import java.util.Objects; + + +/** + * Represents the ACLs in the metadata image. + * + * This class is thread-safe. + */ +public final class ScramCredentialData { +private final byte[] salt; +private final byte[] saltedPassword; +private final int iterations; + +static ScramCredentialData fromRecord( +UserScramCredentialRecord record +) { +return new ScramCredentialData( +record.salt(), +record.saltedPassword(), +record.iterations()); +} + +public ScramCredentialData( +byte[] salt, +byte[] saltedPassword, +int iterations +) { +this.salt = salt; +this.saltedPassword = saltedPassword; +this.iterations = iterations; +} + +public byte[] salt() { +return salt; +} + +public byte[] saltedPassword() { +return saltedPassword; +} + +public int iterations() { +return iterations; +} + +public UserScramCredentialRecord toRecord( +String userName, +ScramMechanism mechanism +) { +return new UserScramCredentialRecord(). +setName(userName). +setMechanism(mechanism.type()). +setSalt(salt). +