this is a quick and dirty test you can use:

org.apache.kafka.common.network.SSLSelectorTest:

// Truststore needs to contain the keystore/cert that holds the actual principal you will use

        File trustStoreFile = File.createTempFile("truststore", ".jks");

        Map<String, Object> sslServerConfigs =
            org.apache.kafka.test.TestSslUtils.createSslConfig(false, true, Mode.SERVER, trustStoreFile, "server");

        // supply the PrincipalBuilder java class to the SSL server config ("principal.builder.class");
        // the value is a Class object, which is what the channel builder reads back out of the map
        sslServerConfigs.put(org.apache.kafka.common.config.SslConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG,
            Class.forName(SslConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));

        // default class is "org.apache.kafka.common.security.auth.DefaultPrincipalBuilder"

        try {
            this.server = new org.apache.kafka.common.network.EchoServer(sslServerConfigs);
        } catch (org.apache.kafka.common.KafkaException excp) {
            log.debug("SslSelectorTest::setup LINE 55 new EchoServer throws KafkaException message=" + excp.getMessage());
        }
        try {
            this.server.start();
            this.time = new org.apache.kafka.common.utils.MockTime();

            // create client SSL config (client side, no client certificate)
            Map<String, Object> sslClientConfigs =
                org.apache.kafka.test.TestSslUtils.createSslConfig(false, false, Mode.CLIENT, trustStoreFile, "client");

            this.channelBuilder = new org.apache.kafka.common.network.SslChannelBuilder(org.apache.kafka.common.network.Mode.CLIENT);
            this.channelBuilder.configure(sslClientConfigs);

            this.metrics = new org.apache.kafka.common.Metrics();

            this.selector = new org.apache.kafka.common.network.Selector(5000, metrics, time, "MetricGroup",
                new LinkedHashMap<String, String>(), channelBuilder);
        } catch (NullPointerException npe) {
            // reached if the EchoServer failed to construct above (server is still null),
            // or if the metric group is not specified or null
            log.debug("SslSelectorTest::setup LINE 67 throws NPE message=" + npe.getMessage());
        }

/* display attributes to ascertain the principal name (JAAS sample from the Fujitsu manual linked below)

public void authorize() {
    System.out.println("\n" + "*** Credential Information ***");

    // get the private credential Set / obtain user information.
    // NB: a freshly constructed Subject is empty; in practice use the Subject
    // returned by a completed JAAS login (LoginContext.getSubject()).
    javax.security.auth.Subject subject = new javax.security.auth.Subject();

    Set credentials = subject.getPrivateCredentials();

    // display credential information
    Iterator iterator = credentials.iterator();
    while (iterator.hasNext()) {
        Object credential = iterator.next();

        // this credential identifies the login user
        if (credential instanceof ISAuthorizationCredential) {
            ISAuthorizationCredential isCredential = (ISAuthorizationCredential) credential;

            System.out.println("AuthorizationCredential=" + isCredential.getEncryptedCredential());
            System.out.println("Dn=" + isCredential.getDN());
            System.out.println("Uid=" + isCredential.getUID());

            // display roles
            Set roles = isCredential.getRoles();
            if (roles != null) {
                Iterator ite = roles.iterator();
                while (ite.hasNext()) {
                    System.out.println("Role=" + ite.next());
                }
            }

            System.out.println("ClientAddress=" + isCredential.getClientAddress());
            System.out.println("AuthMethod=" + isCredential.getAuthMethod());
            System.out.println("AuthTime=" + isCredential.getAuthTime());
            System.out.println("Expiration=" + isCredential.getExpiration());
        }
    }

    System.out.println("\n" + "*** Principals Information ***");

    // display principal information
    Set principals = subject.getPrincipals();
    iterator = principals.iterator();
    while (iterator.hasNext()) {
        Principal principal = (Principal) iterator.next();
        System.out.println("Principal=" + principal.getName());
    }

    System.out.println("\n" + "*** Execute PrivilegedAction ***");

    // Privileged operation executed as the authenticated subject.
    // Executing authorization through a custom Java action to collect username/pwd
    PrivilegedAction myAction = new ISSsoAction();
    javax.security.auth.Subject.doAs(subject, myAction);   // doAs is a static method

} // end authorize

http://www.fujitsu.com/downloads/SFTWR/manual/fm_e/b23j37jh0/b1wn4881/01/b1wn488101enz2.pdf
*/


/* If you have to create a new URLConnection through a proxy you can use something like
   public class DelegateHttpsURLConnection extends
       com.sun.net.ssl.internal.www.protocol.https.DelegateHttpsURLConnection */

DelegateHttpsURLConnection delegate = new DelegateHttpsURLConnection((java.net.URL) url, (java.net.Proxy) p,
    (sun.net.www.protocol.https.Handler) handler, (sun.net.www.protocol.https.HttpsURLConnectionImpl) this);

/* getPeerPrincipal() returns the principal with which the server authenticated itself, or throws
   an SSLPeerUnverifiedException if the server did not authenticate. */

/* works as long as public interface Principal extends java.security.Principal */

Principal principal = null;
try {
    principal = delegate.getPeerPrincipal();
} catch (javax.net.ssl.SSLPeerUnverifiedException e) {
    // server did not authenticate itself; fall through to the local principal check
}
if (principal != null) log.debug("peer certificate name=" + principal.getName());

// if the peer principal did not authenticate, check the local principal
if (delegate.getLocalPrincipal() != null)
    log.debug("principal name=" + delegate.getLocalPrincipal().getName());

// otherwise throw an Exception

..it really is that simple..
M-
________________________________
From: Mayuresh Gharat <gharatmayures...@gmail.com>
Sent: Wednesday, November 30, 2016 12:51 PM
To: users@kafka.apache.org
Subject: Re: Writing a customized principal builder for authorization

"principal.builder.class" is the name of the property.

Thanks,

Mayuresh

On Wed, Nov 30, 2016 at 9:30 AM, <gharatmayures...@gmail.com> wrote:

> Hi Kriti,
>
> You will have to implement the Principal Builder interface and provide the
> full class path in broker config. I don't remember the exact config name
> right now, but you can search for some config by name
> "principalbuilder.class" in the broker configs.
>
> Once you do this, Kafka will automatically use your custom
> PrincipalBuilder class for generating the principal.
>
> The buildPrincipal() function in the PrincipalBuilder is where you will
> have to create your custom Principal class object ( This custom
> principal class should implement Java principal interface) and this custom
> principal.getname() can return whatever name you want.
>
> Let me know if this helps.
>
> Thanks,
>
> Mayuresh
>
>
>
> Sent from my iPhone
>
> > On Nov 29, 2016, at 11:40 PM, Kiriti Sai <kiriti163.i...@gmail.com>
> wrote:
> >
> > Hi,
> > Can anyone help me or point me to any resources that can be of help for
> > writing a customized principal builder to use in Authorization using
> ACLs?
> > I've enabled SSL authentication scheme for both clients and brokers but I
> > would like to change the principal name to just the original name and
> > Organizational unit instead of the complete default principal name for
> SSL.
> >
> > Thanks in advance for the help.
>



--
-Regards,
Mayuresh R. Gharat
(862) 250-7125
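Below is the custom PrincipalBuilder that Mayuresh's reply describes (implement the interface, point principal.builder.class at it, and return a Principal whose getName() is the short CN/OU form Kiriti asked for), written out as an added example against the Kafka 0.10-era org.apache.kafka.common.security.auth.PrincipalBuilder interface. It is not code from this thread or from Kafka itself; the package and class names com.example.kafka.auth.CnOuPrincipalBuilder and ShortPrincipal are assumed, as is the "kiriti/Platform" naming scheme. It can also replace DefaultPrincipalBuilder in the test setup at the top of the thread, since that setup only needs a Class object for PRINCIPAL_BUILDER_CLASS_CONFIG.

```java
// Added example, not from the thread or from Kafka. Package/class names are assumed.
package com.example.kafka.auth;

import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.network.Authenticator;
import org.apache.kafka.common.network.TransportLayer;
import org.apache.kafka.common.security.auth.PrincipalBuilder;

/**
 * Maps an X.500 peer principal such as
 *     CN=kiriti,OU=Platform,O=Example Corp,C=US
 * to the short name "kiriti/Platform", so an ACL can be written as
 *     User:kiriti/Platform
 * instead of the full DN. Connections that did not present a client
 * certificate (PLAINTEXT, or SSL without client auth) hand back
 * KafkaPrincipal.ANONYMOUS from the transport layer; those are passed through.
 */
public class CnOuPrincipalBuilder implements PrincipalBuilder {

    /** Immutable principal carrying the shortened name; equality is by name. */
    public static final class ShortPrincipal implements Principal {
        private final String name;
        public ShortPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof ShortPrincipal && name.equals(((ShortPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    @Override
    public void configure(Map<String, ?> configs) {
        // nothing to configure; broker config entries could be read from the map here
    }

    @Override
    public Principal buildPrincipal(TransportLayer transportLayer, Authenticator authenticator)
            throws KafkaException {
        Principal peer;
        try {
            peer = transportLayer.peerPrincipal();
        } catch (Exception e) {
            throw new KafkaException("Failed to obtain peer principal", e);
        }
        if (!(peer instanceof X500Principal)) {
            return peer; // no client certificate: leave ANONYMOUS (or whatever it is) untouched
        }
        String dn = ((X500Principal) peer).getName(X500Principal.RFC2253);
        try {
            return new ShortPrincipal(shortName(dn));
        } catch (InvalidNameException e) {
            // refuse to authenticate a certificate whose subject does not fit the naming scheme
            throw new KafkaException("Peer DN does not fit CN/OU naming scheme: " + dn, e);
        }
    }

    @Override
    public void close() throws KafkaException { }

    /**
     * "CN=kiriti,OU=Platform,O=Example Corp,C=US" -> "kiriti/Platform".
     * Several OUs are kept in DN order (left to right), e.g. "kiriti/Eng/Platform".
     * A DN without a CN or without any OU is rejected rather than silently
     * collapsed to a name that a differently issued certificate could also produce.
     */
    static String shortName(String dn) throws InvalidNameException {
        String cn = null;
        List<String> ous = new ArrayList<>();
        // LdapName numbers RDNs from the right (index 0 = rightmost), so walk backwards
        List<Rdn> rdns = new LdapName(dn).getRdns();
        for (int i = rdns.size() - 1; i >= 0; i--) {
            Rdn rdn = rdns.get(i);
            String type = rdn.getType().toUpperCase();
            if ("CN".equals(type) && cn == null) {
                cn = rdn.getValue().toString();
            } else if ("OU".equals(type)) {
                ous.add(rdn.getValue().toString());
            }
        }
        if (cn == null || ous.isEmpty()) {
            throw new InvalidNameException("DN lacks CN or OU: " + dn);
        }
        return cn + "/" + String.join("/", ous);
    }
}
```

To use it, put the jar on the broker classpath and set principal.builder.class=com.example.kafka.auth.CnOuPrincipalBuilder in server.properties (with ssl.client.auth=required, so every SSL client actually presents a certificate). The string returned by getName() is the identity the authorizer compares against User: entries in ACLs, so the mapping has to be injective for the CA in use: if the issuing CA can hand two different parties the same CN and OU, they become the same Kafka principal, which is why the example keeps every OU and rejects DNs that lack a CN or OU instead of guessing. From Kafka 1.0 onward this interface is superseded by org.apache.kafka.common.security.auth.KafkaPrincipalBuilder, but the same DN-shortening logic carries over.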
