Francois Fernando created KAFKA-10099:
-----------------------------------------
Summary: Kerberos authentication sets java authrizedId to
authenticationId not autherizationId
Key: KAFKA-10099
URL: https://issues.apache.org/jira/browse/KAFKA-10099
Project: Kafka
Issue Type: Bug
Components: security
Affects Versions: 2.3.0
Reporter: Francois Fernando
Following authentication code in kafka still puzzles me (Lines 67-74:
https://github.com/apache/kafka/blob/3cdc78e6bb1f83973a14ce1550fe3874f7348b05/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslServerCallbackHandler.java).
{{private void handleAuthorizeCallback(AuthorizeCallback ac) {}}
{{ String authenticationID = ac.getAuthenticationID();}}
{{ String authorizationID = ac.getAuthorizationID();}}
{{ LOG.info("Successfully authenticated client: authenticationID={};
authorizationID={}.",}}
{{ authenticationID, authorizationID);}}
{{ ac.setAuthorized(true);}}
{{ ac.setAuthorizedID(authenticationID);}}
{{}}}
In a kafka cluster secured with Kerberos, using a kafka keytab with principal
like `sys_read/reader.myorg.c...@myorg.corp` results in:
authenticationID = sys_r...@myorg.corp;
authorizationID = sys_read/reader.myorg.c...@myorg.corp
Last line of above method sets the authorizedID to authenticationID not
authorizationID. From my understanding of java security, the principal will
become what's set in AuthorizedID.
This means the ACL definitions can't use the full principal string as the
principal as authorizer will never see it.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
