This is an automated email from the ASF dual-hosted git repository.

mimaison pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 8262e2315da MINOR: Cleanups in JaasUtils (#18522)
8262e2315da is described below

commit 8262e2315dacdf0c385ca7e1e28790f130f37bf1
Author: Mickael Maison <mimai...@users.noreply.github.com>
AuthorDate: Thu Jan 16 14:07:16 2025 +0100

    MINOR: Cleanups in JaasUtils (#18522)
    
    
    Reviewers: Luke Chen <show...@gmail.com>, Chia-Ping Tsai 
<chia7...@gmail.com>
---
 .../apache/kafka/common/security/JaasUtils.java    |  3 ++-
 .../kafka/common/security/JaasContextTest.java     | 28 ++++++++++++++++++++--
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git 
a/clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java 
b/clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java
index 800283e56e2..cfbca0c6d61 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java
@@ -19,7 +19,8 @@ package org.apache.kafka.common.security;
 public final class JaasUtils {
     public static final String JAVA_LOGIN_CONFIG_PARAM = 
"java.security.auth.login.config";
     public static final String DISALLOWED_LOGIN_MODULES_CONFIG = 
"org.apache.kafka.disallowed.login.modules";
-    public static final String DISALLOWED_LOGIN_MODULES_DEFAULT = 
"com.sun.security.auth.module.JndiLoginModule";
+    public static final String DISALLOWED_LOGIN_MODULES_DEFAULT =
+            
"com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule";
     public static final String SERVICE_NAME = "serviceName";
 
     private JaasUtils() {}
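Review bot: The widened `DISALLOWED_LOGIN_MODULES_DEFAULT` has no comment saying why these two modules are listed or how the list interacts with the `org.apache.kafka.disallowed.login.modules` system property. The tests later in this commit show that setting the property to an empty string lets both `JndiLoginModule` and `LdapLoginModule` load again, so a value given there appears to replace the default rather than extend it. An operator who sets the property to block one extra module would then silently drop these two. I would add a Javadoc on the constant along the lines of `/** Login modules rejected unless DISALLOWED_LOGIN_MODULES_CONFIG is set; a value given there replaces this list, so repeat these entries when adding others. */`, and note in the upgrade documentation that existing configurations naming `LdapLoginModule` will now be rejected by default. The class body continues outside the hunk.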
diff --git 
a/clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java 
b/clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java
index 49989348f84..59b08fc1476 100644
--- 
a/clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java
+++ 
b/clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java
@@ -189,6 +189,10 @@ public class JaasContextTest {
         String jaasConfigProp1 = "com.sun.security.auth.module.JndiLoginModule 
required;";
         assertThrows(IllegalArgumentException.class, () -> 
configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp1));
 
+        //test LdapLoginModule is not allowed by default
+        String jaasConfigProp2 = "com.sun.security.auth.module.LdapLoginModule 
required;";
+        assertThrows(IllegalArgumentException.class, () -> 
configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp2));
+
         //test ListenerName Override
         writeConfiguration(Arrays.asList(
                 "KafkaServer { test.LoginModuleDefault required; };",
@@ -197,11 +201,19 @@ public class JaasContextTest {
         assertThrows(IllegalArgumentException.class, () -> 
JaasContext.loadServerContext(new ListenerName("plaintext"),
                 "SOME-MECHANISM", Collections.emptyMap()));
 
+        //test ListenerName Override
+        writeConfiguration(Arrays.asList(
+                "KafkaServer { test.LoginModuleDefault required; };",
+                "plaintext.KafkaServer { 
com.sun.security.auth.module.LdapLoginModule requisite; };"
+        ));
+        assertThrows(IllegalArgumentException.class, () -> 
JaasContext.loadServerContext(new ListenerName("plaintext"),
+                "SOME-MECHANISM", Collections.emptyMap()));
+
         //test org.apache.kafka.disallowed.login.modules system property with 
multiple modules
         System.setProperty(DISALLOWED_LOGIN_MODULES_CONFIG, " 
com.ibm.security.auth.module.LdapLoginModule , 
com.ibm.security.auth.module.Krb5LoginModule ");
 
-        String jaasConfigProp2 = "com.ibm.security.auth.module.LdapLoginModule 
required;";
-        assertThrows(IllegalArgumentException.class, () ->  
configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp2));
+        String jaasConfigProp3 = "com.ibm.security.auth.module.LdapLoginModule 
required;";
+        assertThrows(IllegalArgumentException.class, () ->  
configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp3));
 
         //test ListenerName Override
         writeConfiguration(Arrays.asList(
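Review bot: The block added at the top of this hunk carries the same `//test ListenerName Override` comment as the blocks before and after it, so a reader cannot tell which module and which expectation each one covers; the block added in the last hunk of this file repeats the comment again. I would have each comment state what is asserted, e.g. `// LdapLoginModule in a listener-prefixed section is rejected by default` here, and `// LdapLoginModule in a listener-prefixed section is accepted when the deny list is empty` in the last hunk (assuming the empty property set earlier in the method is still in effect there). Since the Jndi and Ldap cases differ only in the class name, a small helper taking the module name would also remove the copy-paste. The test method starts and ends outside this hunk.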
@@ -216,6 +228,7 @@ public class JaasContextTest {
         System.setProperty(DISALLOWED_LOGIN_MODULES_CONFIG, "");
 
         checkConfiguration("com.sun.security.auth.module.JndiLoginModule", 
LoginModuleControlFlag.REQUIRED, new HashMap<>());
+        checkConfiguration("com.sun.security.auth.module.LdapLoginModule", 
LoginModuleControlFlag.REQUIRED, new HashMap<>());
 
         //test ListenerName Override
         writeConfiguration(Arrays.asList(
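Review bot: The added `checkConfiguration` call for `LdapLoginModule` runs while `DISALLOWED_LOGIN_MODULES_CONFIG` is overridden to an empty string, and no restore is visible in this hunk. If one of these assertions fails, the JVM-wide property stays empty and later tests in the same JVM would run with the deny list switched off. Unless a teardown outside the hunk already clears it, wrap the override in `try { ... } finally { System.clearProperty(DISALLOWED_LOGIN_MODULES_CONFIG); }`. A one-line comment such as `// empty value disables the default deny list, so both modules must load` would also make clear that this is the intended opt-out being pinned, not an accident.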
@@ -227,6 +240,17 @@ public class JaasContextTest {
         assertEquals(1, context.configurationEntries().size());
         checkEntry(context.configurationEntries().get(0), 
"com.sun.security.auth.module.JndiLoginModule",
                 LoginModuleControlFlag.REQUISITE, Collections.emptyMap());
+
+        //test ListenerName Override
+        writeConfiguration(Arrays.asList(
+                "KafkaServer { com.sun.security.auth.module.LdapLoginModule 
required; };",
+                "plaintext.KafkaServer { 
com.sun.security.auth.module.LdapLoginModule requisite; };"
+        ));
+        context = JaasContext.loadServerContext(new ListenerName("plaintext"),
+                "SOME-MECHANISM", Collections.emptyMap());
+        assertEquals(1, context.configurationEntries().size());
+        checkEntry(context.configurationEntries().get(0), 
"com.sun.security.auth.module.LdapLoginModule",
+                LoginModuleControlFlag.REQUISITE, Collections.emptyMap());
     }
 
     @Test
