This is an automated email from the ASF dual-hosted git repository.

mimaison pushed a commit to branch 3.9
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/3.9 by this push:
     new 4038edfafe4 MINOR: Cleanups in JaasUtils (#18522)
4038edfafe4 is described below

commit 4038edfafe43f01f262c47d81786442ad7ab0b03
Author: Mickael Maison <mimai...@users.noreply.github.com>
AuthorDate: Thu Jan 16 14:07:16 2025 +0100

    MINOR: Cleanups in JaasUtils (#18522)
    
    
    Reviewers: Luke Chen <show...@gmail.com>, Chia-Ping Tsai 
<chia7...@gmail.com>
---
 .../apache/kafka/common/security/JaasUtils.java    |  3 ++-
 .../kafka/common/security/JaasContextTest.java     | 28 ++++++++++++++++++++--
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git 
a/clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java 
b/clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java
index 742319c4f49..d7570432251 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java
@@ -27,7 +27,8 @@ public final class JaasUtils {
     private static final Logger LOG = LoggerFactory.getLogger(JaasUtils.class);
     public static final String JAVA_LOGIN_CONFIG_PARAM = 
"java.security.auth.login.config";
     public static final String DISALLOWED_LOGIN_MODULES_CONFIG = 
"org.apache.kafka.disallowed.login.modules";
-    public static final String DISALLOWED_LOGIN_MODULES_DEFAULT = 
"com.sun.security.auth.module.JndiLoginModule";
+    public static final String DISALLOWED_LOGIN_MODULES_DEFAULT =
+            
"com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule";
     public static final String SERVICE_NAME = "serviceName";
 
     public static final String ZK_SASL_CLIENT = "zookeeper.sasl.client";
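Review bot: The widened `DISALLOWED_LOGIN_MODULES_DEFAULT` has no comment explaining why these two modules are blocked or how the list interacts with the `org.apache.kafka.disallowed.login.modules` system property. The test changes in this commit show that an empty property value lets both `JndiLoginModule` and `LdapLoginModule` load, which suggests the property replaces the default rather than extending it. If so, a deployment that already sets its own list does not pick up `LdapLoginModule` from this change. I would add a Javadoc such as `/** Login modules rejected by default; a value set through DISALLOWED_LOGIN_MODULES_CONFIG replaces this list, so a custom list must name these modules itself. */` and call out the new default in the upgrade notes, since the "MINOR: Cleanups" title does not signal it. The class body continues outside the hunk, so the code that reads the property is not visible here.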
diff --git 
a/clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java 
b/clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java
index 49989348f84..59b08fc1476 100644
--- 
a/clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java
+++ 
b/clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java
@@ -189,6 +189,10 @@ public class JaasContextTest {
         String jaasConfigProp1 = "com.sun.security.auth.module.JndiLoginModule 
required;";
         assertThrows(IllegalArgumentException.class, () -> 
configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp1));
 
+        //test LdapLoginModule is not allowed by default
+        String jaasConfigProp2 = "com.sun.security.auth.module.LdapLoginModule 
required;";
+        assertThrows(IllegalArgumentException.class, () -> 
configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp2));
+
         //test ListenerName Override
         writeConfiguration(Arrays.asList(
                 "KafkaServer { test.LoginModuleDefault required; };",
@@ -197,11 +201,19 @@ public class JaasContextTest {
         assertThrows(IllegalArgumentException.class, () -> 
JaasContext.loadServerContext(new ListenerName("plaintext"),
                 "SOME-MECHANISM", Collections.emptyMap()));
 
+        //test ListenerName Override
+        writeConfiguration(Arrays.asList(
+                "KafkaServer { test.LoginModuleDefault required; };",
+                "plaintext.KafkaServer { 
com.sun.security.auth.module.LdapLoginModule requisite; };"
+        ));
+        assertThrows(IllegalArgumentException.class, () -> 
JaasContext.loadServerContext(new ListenerName("plaintext"),
+                "SOME-MECHANISM", Collections.emptyMap()));
+
         //test org.apache.kafka.disallowed.login.modules system property with 
multiple modules
         System.setProperty(DISALLOWED_LOGIN_MODULES_CONFIG, " 
com.ibm.security.auth.module.LdapLoginModule , 
com.ibm.security.auth.module.Krb5LoginModule ");
 
-        String jaasConfigProp2 = "com.ibm.security.auth.module.LdapLoginModule 
required;";
-        assertThrows(IllegalArgumentException.class, () ->  
configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp2));
+        String jaasConfigProp3 = "com.ibm.security.auth.module.LdapLoginModule 
required;";
+        assertThrows(IllegalArgumentException.class, () ->  
configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp3));
 
         //test ListenerName Override
         writeConfiguration(Arrays.asList(
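Review bot: After `System.setProperty(DISALLOWED_LOGIN_MODULES_CONFIG, ...)` is set to the two `com.ibm` modules, the visible lines assert only that the IBM `LdapLoginModule` is rejected. Nothing pins what happens to the `com.sun` modules from the default list under a custom value. If the property replaces the default, as the empty-value case later in this test suggests, adding `checkConfiguration("com.sun.security.auth.module.LdapLoginModule", LoginModuleControlFlag.REQUIRED, new HashMap<>());` after the `jaasConfigProp3` assertion would document that. If it is meant to extend the default, an `assertThrows` belongs there instead. The added block above also reuses the comment `//test ListenerName Override` verbatim, as does the one in the last hunk; something like `//test ListenerName override with LdapLoginModule` would tell the scenarios apart. The test method starts outside this hunk.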
@@ -216,6 +228,7 @@ public class JaasContextTest {
         System.setProperty(DISALLOWED_LOGIN_MODULES_CONFIG, "");
 
         checkConfiguration("com.sun.security.auth.module.JndiLoginModule", 
LoginModuleControlFlag.REQUIRED, new HashMap<>());
+        checkConfiguration("com.sun.security.auth.module.LdapLoginModule", 
LoginModuleControlFlag.REQUIRED, new HashMap<>());
 
         //test ListenerName Override
         writeConfiguration(Arrays.asList(
@@ -227,6 +240,17 @@ public class JaasContextTest {
         assertEquals(1, context.configurationEntries().size());
         checkEntry(context.configurationEntries().get(0), 
"com.sun.security.auth.module.JndiLoginModule",
                 LoginModuleControlFlag.REQUISITE, Collections.emptyMap());
+
+        //test ListenerName Override
+        writeConfiguration(Arrays.asList(
+                "KafkaServer { com.sun.security.auth.module.LdapLoginModule 
required; };",
+                "plaintext.KafkaServer { 
com.sun.security.auth.module.LdapLoginModule requisite; };"
+        ));
+        context = JaasContext.loadServerContext(new ListenerName("plaintext"),
+                "SOME-MECHANISM", Collections.emptyMap());
+        assertEquals(1, context.configurationEntries().size());
+        checkEntry(context.configurationEntries().get(0), 
"com.sun.security.auth.module.LdapLoginModule",
+                LoginModuleControlFlag.REQUISITE, Collections.emptyMap());
     }
 
     @Test
