[jira] [Commented] (KAFKA-2675) SASL/Kerberos follow-up

[Ismael Juma (JIRA)]

    [ 
https://issues.apache.org/jira/browse/KAFKA-2675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14973366#comment-14973366
 ] 

Ismael Juma commented on KAFKA-2675:
------------------------------------

[~harsha_ch], I had a look at implementing SASL_KAFA_SERVER_REALM and it's 
unclear how this is meant to be used. Let's use the ZooKeeper code (which is 
quite similar to ours) as an example since it has the equivalent 
`zookeeper.server.realm` property:

{code}
                final KerberosName clientKerberosName = new 
KerberosName(clientPrincipal.getName());
                // assume that server and client are in the same realm (by 
default; unless the system property
                // "zookeeper.server.realm" is set).
                String serverRealm = 
System.getProperty("zookeeper.server.realm",clientKerberosName.getRealm());
                KerberosName serviceKerberosName = new 
KerberosName(servicePrincipal+"@"+serverRealm);
                final String serviceName = serviceKerberosName.getServiceName();
                final String serviceHostname = 
serviceKerberosName.getHostName();
                final String clientPrincipalName = 
clientKerberosName.toString();
                try {
                    saslClient = Subject.doAs(subject,new 
PrivilegedExceptionAction<SaslClient>() {
                        public SaslClient run() throws SaslException {
                            LOG.info("Client will use GSSAPI as SASL 
mechanism.");
                            String[] mechs = {"GSSAPI"};
                            LOG.debug("creating sasl client: 
client="+clientPrincipalName+";service="+serviceName+";serviceHostname="+serviceHostname);
                            SaslClient saslClient = 
Sasl.createSaslClient(mechs,clientPrincipalName,serviceName,serviceHostname,null,new
 ClientCallbackHandler(null));
                            return saslClient;
                        }
                    });
                    return saslClient;
                }
{code}

So, the server realm is used to create the `KerberosName`, but then it seems to 
be ignored and only `getServiceName()` and `getHostName()` are used. It seems 
to me that one could use any value for `serverRealm` and it would have no 
effect on the parameters passed to `Sasl.createSaslClient`.

Am I missing something?

> SASL/Kerberos follow-up
> -----------------------
>
>                 Key: KAFKA-2675
>                 URL: https://issues.apache.org/jira/browse/KAFKA-2675
>             Project: Kafka
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Ismael Juma
>            Assignee: Ismael Juma
>             Fix For: 0.9.0.0
>
>
> This is a follow-up to KAFKA-1686. 
> 1. Decide on `serviceName` configuration: do we want to keep it in two places?
> 2. auth.to.local config name is a bit opaque, is there a better one?
> 3. Implement or remove SASL_KAFKA_SERVER_REALM config
> 4. Consider making Login's thread a daemon thread
> 5. Write test that shows authentication failure due to invalid user
> 6. Write test that shows authentication failure due to wrong password
> 7. Write test that shows authentication failure due ticket expiring



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)