Re: Custom AuthenticateCallbackHandler

Sat, 02 Jun 2018 10:12:49 -0700 


________________________________
From: Roy van der Valk <roy.van.der.v...@gmail.com>
Sent: Friday, June 1, 2018 6:59 PM
To: users@kafka.apache.org
Subject: Re: Custom AuthenticateCallbackHandler

No I want to check plain user credentials for authentication against an 
external system. Where best to plug in this check. I thought the new 
AuthenticateCallbackHandler would be convenient, but I am very much in doubt if 
this is the right way. It is also not clear for me from the docs how to 
implement this.

Please see my stackoverflow question for a minimal test setup which I try to 
get working.

https://stackoverflow.com/questions/50412589/kafka-custom-authenticatecallbackhandler
[https://cdn.sstatic.net/Sites/stackoverflow/img/apple-touch-i...@2.png?v=73d79a89bded]<https://stackoverflow.com/questions/50412589/kafka-custom-authenticatecallbackhandler>

jaas - Kafka custom AuthenticateCallbackHandler - Stack 
...<https://stackoverflow.com/questions/50412589/kafka-custom-authenticatecallbackhandler>
stackoverflow.com
I tried to implement a AuthenticateCallbackHandler ready to be released in 
Kafka 2.0.0 to no avail - is this a setup in which it should work? On 
https://cwiki.apache.org/confluence/display/KAFKA/K...

MG>assuming:
MG>LoginType.SERVER(JaasUtils.LOGIN_CONTEXT_SERVER);
MG>public static final String LOGIN_CONTEXT_SERVER = "KafkaServer";

MG>private static final String JAAS_USER_PREFIX = "user_";
MG>failure happens at PlainSaslServer#evaluateResponse with:
MG>Authentication failed: Invalid username or password
MG>here is the code:
   String expectedPassword = JaasUtils.jaasConfig(
LoginType.SERVER.contextName(),      //KafkaServer
JAAS_USER_PREFIX                            //user_
+ username);                                          //username you supplied
            if (!password.equals(expectedPassword)) {
                throw new SaslException("Authentication failed: Invalid 
username or password");
            }

MG>loginContextName and key used for lookup
MG>loginContextName entries are not null
MG>but supplied key misses on lookup
 /**
     * Construct a JAAS configuration object per kafka jaas configuration file
     * @param loginContextName
     * @param key
     * @return JAAS configuration object
     */
    public static String jaasConfig(String loginContextName, String key) throws 
IOException {
        AppConfigurationEntry[] configurationEntries = 
Configuration.getConfiguration().getAppConfigurationEntry(loginContextName);
        if (configurationEntries == null) {

MG>this is bypassed because your populated context is not null
            String errorMessage = "Could not find a '" + loginContextName + "' 
entry in this configuration.";
            throw new IOException(errorMessage);
        }

        for (AppConfigurationEntry entry: configurationEntries) {
            Object val = entry.getOptions().get(key);
            if (val != null)
                return (String) val;
        }
        return null;
    }
MG>so JAAS password where expected_password= user_admin
MG>but your password where expected_password = user_test
MG>any reason you need to implement username/password test/test instead of 
admin/admin ?



Any help/pointers/examples is much appreciated!

> Op 1 jun. 2018 om 21:05 heeft Martin Gainty <mgai...@hotmail.com> het 
> volgende geschreven:
>
> are you referring to onCompleteCallback from
>
> https://github.com/apache/kafka/commit/837f31dd1850b179918f83338b4b4487486b2c58
>
> [https://avatars2.githubusercontent.com/u/14958864?s=200&v=4]<https://github.com/apache/kafka/commit/837f31dd1850b179918f83338b4b4487486b2c58>
>
> KAFKA-6927; Chunked down-conversion to prevent out of memory errors o… · 
> apache/kafka@837f31d<https://github.com/apache/kafka/commit/837f31dd1850b179918f83338b4b4487486b2c58>
> github.com
> …n broker [KIP-283] (#4871) Implementation for lazy down-conversion in a 
> chunked manner for efficient memory usage during down-conversion. This pull 
> request is mainly to get initial feedback on th...
>
>
>
>
> ?
>
> Martin
> _____________________________
>
>
>
> ________________________________
> From: Roy van der Valk <roy.van.der.v...@gmail.com>
> Sent: Friday, June 1, 2018 2:28 PM
> To: users@kafka.apache.org
> Subject: Re: Custom AuthenticateCallbackHandler
>
> Thank you Manikumar!
>
>> On Fri, Jun 1, 2018 at 7:30 PM, Manikumar <manikumar.re...@gmail.com> wrote:
>>
>> This feature will be part upcoming Kafka 2.0.0 release.
>>
>> Doc PR is here : https://github.com/apache/kafka/pull/4890
> [https://avatars2.githubusercontent.com/u/13164074?s=400&v=4]<https://github.com/apache/kafka/pull/4890>
>
> KAFKA-6800: Update SASL/PLAIN and SCRAM docs to use KIP-86 callbacks by 
> rajinisivaram · Pull Request #4890 · 
> apache/kafka<https://github.com/apache/kafka/pull/4890>
> github.com
> Committer Checklist (excluded from commit message) Verify design and 
> implementation Verify test coverage and CI build status Verify documentation 
> (including upgrade notes)
>
>
>
>>
>> configs here:
>> https://github.com/apache/kafka/blob/trunk/clients/src/
>> main/java/org/apache/kafka/common/config/SaslConfigs.java#L57
>>
>> On Fri, Jun 1, 2018 at 10:51 PM, Roy van der Valk <
>> roy.van.der.v...@gmail.com> wrote:
>>
>>> Dear Kafka community,
>>>
>>> Can somebody help me setting up a custom AuthenticateCallbackHandler as
>>> described in KIP-86 recently added by Rajini Sivaram or point me to good
>>> documentation?
>>>
>>> I described my question in more detail on Stackoverflow:
>>> https://stackoverflow.com/questions/50412589/kafka-custom-
>>> authenticatecallbackhandler
>>>
>>> All help is greatly appreciated!
>>>
>>> Roy
>>>
>>






















					Reply via email to