[jira] [Commented] (KAFKA-4544) Add system tests for delegation token based authentication
[ https://issues.apache.org/jira/browse/KAFKA-4544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16706703#comment-16706703 ] ASF GitHub Bot commented on KAFKA-4544: --- omkreddy closed pull request #5660: KAFKA-4544: Add system tests for delegation token based authentication URL: https://github.com/apache/kafka/pull/5660 This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic): diff --git a/tests/kafkatest/services/console_consumer.py b/tests/kafkatest/services/console_consumer.py index 65c9fa589c0..dfbec9f83da 100644 --- a/tests/kafkatest/services/console_consumer.py +++ b/tests/kafkatest/services/console_consumer.py @@ -60,8 +60,9 @@ class ConsoleConsumer(KafkaPathResolverMixin, JmxMixin, BackgroundThreadService) def __init__(self, context, num_nodes, kafka, topic, group_id="test-consumer-group", new_consumer=True, message_validator=None, from_beginning=True, consumer_timeout_ms=None, version=DEV_BRANCH, client_id="console-consumer", print_key=False, jmx_object_names=None, jmx_attributes=None, - enable_systest_events=False, stop_timeout_sec=30, print_timestamp=False, - isolation_level="read_uncommitted", jaas_override_variables=None): + enable_systest_events=False, stop_timeout_sec=35, print_timestamp=False, + isolation_level="read_uncommitted", jaas_override_variables=None, + kafka_opts_override="", client_prop_file_override=""): """ Args: context:standard context 
@@ -83,7 +84,8 @@ def __init__(self, context, num_nodes, kafka, topic, group_id="test-consumer-gro print_timestamp if True, print each message's timestamp as well isolation_level How to handle transactional messages. jaas_override_variables A dict of variables to be used in the jaas.conf template file - +kafka_opts_override Override parameters of the KAFKA_OPTS environment variable +client_prop_file_override Override client.properties file used by the consumer """ JmxMixin.__init__(self, num_nodes=num_nodes, jmx_object_names=jmx_object_names, jmx_attributes=(jmx_attributes or []), root=ConsoleConsumer.PERSISTENT_ROOT) @@ -116,6 +118,9 @@ def __init__(self, context, num_nodes, kafka, topic, group_id="test-consumer-gro self.print_timestamp = print_timestamp self.jaas_override_variables = jaas_override_variables or {} +self.kafka_opts_override = kafka_opts_override +self.client_prop_file_override = client_prop_file_override + def prop_file(self, node): """Return a string which can be used to create a configuration file appropriate for the given node.""" @@ -134,6 +139,7 @@ def prop_file(self, node): prop_file += str(self.security_config) return prop_file + def start_cmd(self, node): """Return the start command appropriate for the given node.""" args = self.args.copy() 
@@ -147,14 +153,19 @@ def start_cmd(self, node): args['jmx_port'] = self.jmx_port args['console_consumer'] = self.path.script("kafka-console-consumer.sh", node) args['broker_list'] = self.kafka.bootstrap_servers(self.security_config.security_protocol) -args['kafka_opts'] = self.security_config.kafka_opts + +if self.kafka_opts_override: +args['kafka_opts'] = "\"%s\"" % self.kafka_opts_override +else: +args['kafka_opts'] = self.security_config.kafka_opts cmd = "export JMX_PORT=%(jmx_port)s; " \ "export LOG_DIR=%(log_dir)s; " \ "export KAFKA_LOG4J_OPTS=\"-Dlog4j.configuration=file:%(log4j_config)s\"; " \ "export KAFKA_OPTS=%(kafka_opts)s; " \ "%(console_consumer)s " \ - "--topic %(topic)s --consumer.config %(config_file)s" % args + "--topic %(topic)s " \ + "--consumer.config %(config_file)s " % args if self.new_consumer: assert node.version >= V_0_9_0_0, \ @@ -209,7 +220,15 @@ def _worker(self, idx, node): # Create and upload config file self.logger.info("console_consumer.properties:") -prop_file = self.prop_file(node) +self.security_config = self.kafka.security_config.client_config(node=node, + jaas_override_variables=self.jaas_override_variables) +self.security_config.setup_node(node) + +if self.client_prop_file_override: +prop_file
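Review bot: In start_cmd, `args['kafka_opts'] = "\"%s\"" % self.kafka_opts_override` hand-wraps the override in double quotes and then drops it into `export KAFKA_OPTS=%(kafka_opts)s;`, so an override that contains a double quote, `$` or a backtick either ends the quoting early or is expanded by the shell on the test node. Pass the value through a shell-quoting helper instead of adding the quotes by hand, or state in the docstring that the value must be free of shell metacharacters.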
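Review bot: The `__init__` signature changes the default `stop_timeout_sec` from 30 to 35 in the same line that introduces the new parameters, with no explanation in the docstring or in the PR description; either justify the new value in a comment or move it to a separate change. The new docstring entries should also say that `kafka_opts_override` replaces `self.security_config.kafka_opts` completely (the `if`/`else` in start_cmd does not merge the two), because a caller who sets it loses whatever options the security config would have supplied.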
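Review bot: In `_worker`, `self.security_config = self.kafka.security_config.client_config(node=node, ...)` stores a per-node value on the service object, which is shared by every worker of this BackgroundThreadService, and both `prop_file` and `start_cmd` read `self.security_config` afterwards. With `num_nodes` greater than 1 one worker can overwrite the value another is about to use; keep the config in a local variable and hand it to the code that needs it, or document that the service supports a single node when the overrides are set.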
[jira] [Commented] (KAFKA-4544) Add system tests for delegation token based authentication
[ https://issues.apache.org/jira/browse/KAFKA-4544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16619211#comment-16619211 ]

ASF GitHub Bot commented on KAFKA-4544:
---

asasvari opened a new pull request #5660: KAFKA-4544: Add system tests for delegation token based authentication
URL: https://github.com/apache/kafka/pull/5660

*More detailed description of your change, if necessary. The PR title and PR message become the squashed commit message, so use a separate comment to ping reviewers.*

This change adds some basic system tests for delegation token based authentication:
- basic delegation token creation
- producing with a delegation token
- consuming with a delegation token
- expiring a delegation token
- producing with an expired delegation token

New files:
- delegation_tokens.py: a wrapper around kafka-delegation-tokens.sh - executed in container where a secure Broker is running (taking advantage of automatic cleanup)
- delegation_tokens_test.py: basic test to validate the lifecycle of a delegation token

Changes were made in the following files to extend their functionality:
- config_property was updated to be able to configure Kafka brokers with delegation token related settings
- jaas.conf template because a broker needs to support multiple login modules when delegation tokens are used
- console-consumer and verifiable_producer to override KAFKA_OPTS (to specify custom jaas.conf) and the client properties (to authenticate with delegation token).

*Summary of testing strategy (including rationale) for the feature or bug fix. Unit and/or integration tests are expected for any behaviour change and system tests should be considered for larger changes.*

### Committer Checklist (excluded from commit message)
- [ ] Verify design and implementation
- [ ] Verify test coverage and CI build status
- [ ] Verify documentation (including upgrade notes)

This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: us...@infra.apache.org

> Add system tests for delegation token based authentication
> --
>
> Key: KAFKA-4544
> URL: https://issues.apache.org/jira/browse/KAFKA-4544
> Project: Kafka
> Issue Type: Sub-task
> Components: security
> Reporter: Ashish Singh
> Assignee: Attila Sasvari
> Priority: Major
>
> Add system tests for delegation token based authentication.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KAFKA-4544) Add system tests for delegation token based authentication
[ https://issues.apache.org/jira/browse/KAFKA-4544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16607140#comment-16607140 ]

Attila Sasvari commented on KAFKA-4544:
---

Thanks [~omkreddy], I see your point. Today, it is not possible as --consumer-property is not exposed by the python wrapper (neither kafka_opts), but my patch will make console-consumer.py clever.
[jira] [Commented] (KAFKA-4544) Add system tests for delegation token based authentication
[ https://issues.apache.org/jira/browse/KAFKA-4544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16606206#comment-16606206 ]

Manikumar commented on KAFKA-4544:
---

[~asasvari]

_>> Initially, I wanted to use console_consumer.py and verifiable clients to validate things (messages produced / consumed), but I ran into some issues:_

We can use "sasl.jaas.config" client config property to pass token credentials. With this we can avoid jaas.conf for token authentication. This can simplify the code. We should be able to pass this property to console_consumer.py and verifiable clients.

{code:java}
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
    username="BQoHvMSzRpCC0Z8EHnCwkA" \
    password="WKzmngyxSyoEdlkzUQoP7TsTrsNzeMC6+aKg7S0oeLkV+dnzBMjYo3tTtlAYYSFmLs4bTjf+lTZ1LCHR/ZZFNA==" \
    tokenauth="true";
{code}
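Added example, not part of the thread or of the Kafka code base: a test-side helper that builds the client properties for the "sasl.jaas.config" approach described above and checks, before any client starts, that the value holds exactly one login module (the condition behind the "contains 2 login modules, should be 1 module" error quoted elsewhere in this thread). The function names, the SCRAM-SHA-256 and SASL_PLAINTEXT defaults and the sample credentials are assumptions made for illustration; the module counter is a simplified pre-flight check, not Kafka's own JAAS parser.

```python
# Hypothetical helpers for a system test; not kafkatest code.
SCRAM_MODULE = "org.apache.kafka.common.security.scram.ScramLoginModule"


def count_login_modules(jaas_value):
    """Count ';'-terminated login module entries, ignoring ';' inside quotes."""
    count, in_quotes, escaped = 0, False, False
    for ch in jaas_value:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            count += 1
    if in_quotes:
        raise ValueError("unterminated quoted string in JAAS value")
    return count


def _check_credential(name, value):
    # Reject characters that would close the quoted JAAS option or the
    # properties line, so a token value cannot carry extra options with it.
    if not value or any(c in value for c in '"\\\r\n'):
        raise ValueError("unsafe %s for sasl.jaas.config" % name)
    return value


def token_client_properties(token_id, hmac, security_protocol="SASL_PLAINTEXT",
                            mechanism="SCRAM-SHA-256"):
    """Return client.properties text that authenticates with a delegation token."""
    jaas = '%s required username="%s" password="%s" tokenauth="true";' % (
        SCRAM_MODULE,
        _check_credential("token id", token_id),
        _check_credential("hmac", hmac))
    if count_login_modules(jaas) != 1:
        raise ValueError("sasl.jaas.config must hold exactly one login module")
    return "\n".join([
        "security.protocol=%s" % security_protocol,
        "sasl.mechanism=%s" % mechanism,
        "sasl.jaas.config=%s" % jaas,
    ]) + "\n"


if __name__ == "__main__":
    # Constructed sample values, not a real token.
    print(token_client_properties("exampleTokenId", "ZXhhbXBsZS9obWFjK3ZhbHVl"))
```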
[jira] [Commented] (KAFKA-4544) Add system tests for delegation token based authentication
[ https://issues.apache.org/jira/browse/KAFKA-4544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16605944#comment-16605944 ]

Attila Sasvari commented on KAFKA-4544:
---

[~omkreddy] thanks for the info, I extended the test case to better cover the lifecycle of a delegation token based on your idea:
- Create delegation token
- Create a console-producer using SCRAM and delegation token and produce a message
- Verify message is created (with kafka.search_data_files() )
- Create a console-consumer using SCRAM and delegation token and consume 1 message
- Expire the token, immediately
- Try producing one more message with the expired token
- Verify the last message is not persisted by the broker

Initially, I wanted to use console_consumer.py and verifiable clients to validate things (messages produced / consumed), but I ran into some issues:

- jaas.conf / KafkaClient config cannot include more login modules
{code}
Multiple LoginModule-s in JAAS
Caused by: java.lang.IllegalArgumentException: JAAS config property contains 2 login modules, should be 1 module
	at org.apache.kafka.common.security.JaasContext.load(JaasContext.java:95)
	at org.apache.kafka.common.security.JaasContext.loadClientContext(JaasContext.java:84)
	at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:119)
	at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:65)
	at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:88)
	at org.apache.kafka.clients.producer.KafkaProducer.(KafkaProducer.java:419)
{code}
- To request a delegation token, we need GSSAPI (and use keytab), subsequently, consumers and producers use the delegation token. So I ended up constructing manually the jaas.config and client configs in my POC.
- With and even without my changes, JMX failed to start up when I tried to run {{./ducker-ak test ../kafkatest/sanity_checks/test_console_consumer.py}}:
{code}
Exception in thread ConsoleConsumer-0-140287252789520-worker-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/local/lib/python2.7/dist-packages/ducktape/services/background_thread.py", line 35, in _protected_worker
    self._worker(idx, node)
  File "/opt/kafka-dev/tests/kafkatest/services/console_consumer.py", line 229, in _worker
    self.start_jmx_tool(idx, node)
  File "/opt/kafka-dev/tests/kafkatest/services/monitor/jmx.py", line 86, in start_jmx_tool
    wait_until(lambda: self._jmx_has_output(node), timeout_sec=10, backoff_sec=.5, err_msg="%s: Jmx tool took too long to start" % node.account)
  File "/usr/local/lib/python2.7/dist-packages/ducktape/utils/util.py", line 36, in wait_until
    raise TimeoutError(err_msg)
TimeoutError: ducker@ducker04: Jmx tool took too long to start
{code}

Right now a lot of things are [hardcoded|https://github.com/asasvari/kafka/commit/edfc37012079764d2a589dbf5f24ad04505975d4#diff-3e7b2bdbd55d075bcebbbe5ba8c4e269] (using shell scripts) in my POC. It would be nice to extract common functionalities and make them easily reusable (e.g. creating wrappers in python, for example, to do delegation token handling).
[jira] [Commented] (KAFKA-4544) Add system tests for delegation token based authentication
[ https://issues.apache.org/jira/browse/KAFKA-4544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16604711#comment-16604711 ]

Manikumar commented on KAFKA-4544:
---

[~asasvari] Thanks for taking this. I was planning to write a system test for basic workflows: create token -> run producer -> run consumer, expire token -> run producer etc. I will take a look at your changes.
[jira] [Commented] (KAFKA-4544) Add system tests for delegation token based authentication
[ https://issues.apache.org/jira/browse/KAFKA-4544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16604530#comment-16604530 ]

Attila Sasvari commented on KAFKA-4544:
---

[~omkreddy] thanks a lot!
- I started to work on this here: [https://github.com/asasvari/kafka/commit/6ce766c3ec17b7787415d278a9b59f15ed197c1c], can you take a quick look?
- What kind of tests did you plan? We might want to also create subtasks for this ticket as it would be easier to review the changes.
- So far I have only added a new test to verify that we can create a delegation token with {{kafka-delegation-tokens.sh}}.
- I believe another basic test is to start a console application (e.g. kafka-console-consumer) and test whether it can connect to the broker using the previously generated delegation token.
[jira] [Commented] (KAFKA-4544) Add system tests for delegation token based authentication
[ https://issues.apache.org/jira/browse/KAFKA-4544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16599038#comment-16599038 ]

Manikumar commented on KAFKA-4544:
---

[~asasvari] If you are interested, please take over the JIRA. Currently I am working on KAFKA-6945. Thanks.

> Add system tests for delegation token based authentication
> --
>
> Key: KAFKA-4544
> URL: https://issues.apache.org/jira/browse/KAFKA-4544
> Project: Kafka
> Issue Type: Sub-task
> Components: security
> Reporter: Ashish Singh
> Assignee: Manikumar
> Priority: Major
>
> Add system tests for delegation token based authentication.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KAFKA-4544) Add system tests for delegation token based authentication
[ https://issues.apache.org/jira/browse/KAFKA-4544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16598557#comment-16598557 ]

Attila Sasvari commented on KAFKA-4544:
---

Do you have the capacity to work on this [~omkreddy]? If there's anything I can do to help, please let me know.