Repository: kafka Updated Branches: refs/heads/0.9.0 9e5b77ce9 -> 3dcd5dbe8
KAFKA-3166; Disable SSL client authentication for SASL_SSL security protocol (backport) Backport of https://github.com/apache/kafka/pull/827 to 0.9.0 that only includes the essential code changes (excluded the test changes due to conflicts). Author: Ismael Juma <[email protected]> Reviewers: Sriharsha Chintalapani <[email protected]> Closes #830 from ijuma/kafka-3166-backport-disable-ssl-auth-sasl-ssl Project: http://git-wip-us.apache.org/repos/asf/kafka/repo Commit: http://git-wip-us.apache.org/repos/asf/kafka/commit/3dcd5dbe Tree: http://git-wip-us.apache.org/repos/asf/kafka/tree/3dcd5dbe Diff: http://git-wip-us.apache.org/repos/asf/kafka/diff/3dcd5dbe Branch: refs/heads/0.9.0 Commit: 3dcd5dbe89a17a2605f05d69f6df4b91a0ec24d9 Parents: 9e5b77c Author: Ismael Juma <[email protected]> Authored: Fri Jan 29 18:28:53 2016 +0530 Committer: Sriharsha Chintalapani <[email protected]> Committed: Fri Jan 29 18:28:53 2016 +0530 ---------------------------------------------------------------------- .../kafka/common/network/SaslChannelBuilder.java | 5 +++-- .../apache/kafka/common/security/ssl/SslFactory.java | 13 +++++++++++-- 2 files changed, 14 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/kafka/blob/3dcd5dbe/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java ---------------------------------------------------------------------- diff --git a/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java b/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java index 86ac779..34a87c9 100644 --- a/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java +++ b/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java @@ -66,8 +66,9 @@ public class SaslChannelBuilder implements ChannelBuilder { kerberosShortNamer = KerberosShortNamer.fromUnparsedRules(defaultRealm, principalToLocalRules); if (this.securityProtocol == SecurityProtocol.SASL_SSL) { - this.sslFactory = new SslFactory(mode); - this.sslFactory.configure(this.configs); + // Disable SSL client authentication as we are using SASL authentication + this.sslFactory = new SslFactory(mode, "none"); + this.sslFactory.configure(configs); } } catch (Exception e) { throw new KafkaException(e); http://git-wip-us.apache.org/repos/asf/kafka/blob/3dcd5dbe/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java ---------------------------------------------------------------------- diff --git a/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java b/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java index a7cf9a2..50c75dc 100644 --- a/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java +++ b/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java @@ -33,6 +33,9 @@ import java.util.Map; public class SslFactory implements Configurable { + private final Mode mode; + private final String clientAuthConfigOverride; + private String protocol; private String provider; private String kmfAlgorithm; @@ -46,10 +49,14 @@ public class SslFactory implements Configurable { private SSLContext sslContext; private boolean needClientAuth; private boolean wantClientAuth; - private final Mode mode; public SslFactory(Mode mode) { + this(mode, null); + } + + public SslFactory(Mode mode, String clientAuthConfigOverride) { this.mode = mode; + this.clientAuthConfigOverride = clientAuthConfigOverride; } @Override @@ -70,7 +77,9 @@ public class SslFactory implements Configurable { if (endpointIdentification != null) this.endpointIdentification = endpointIdentification; - String clientAuthConfig = (String) configs.get(SslConfigs.SSL_CLIENT_AUTH_CONFIG); + String clientAuthConfig = clientAuthConfigOverride; + if (clientAuthConfig == null) + clientAuthConfig = (String) configs.get(SslConfigs.SSL_CLIENT_AUTH_CONFIG); if (clientAuthConfig != null) { if (clientAuthConfig.equals("required")) this.needClientAuth = true;
