This is an automated email from the ASF dual-hosted git repository.

mimaison pushed a commit to branch 3.8
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/3.8 by this push:
     new 0dd06231853 MINOR: Cleanups in JaasUtils (#18522)
0dd06231853 is described below

commit 0dd0623185335007b9730e717fda692100096f20
Author: Mickael Maison <mimai...@users.noreply.github.com>
AuthorDate: Thu Jan 16 14:07:16 2025 +0100

    MINOR: Cleanups in JaasUtils (#18522)
    
    
    Reviewers: Luke Chen <show...@gmail.com>, Chia-Ping Tsai 
<chia7...@gmail.com>
---
 .../apache/kafka/common/security/JaasUtils.java    |  3 ++-
 .../kafka/common/security/JaasContextTest.java     | 28 ++++++++++++++++++++--
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git 
a/clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java 
b/clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java
index 38a8b06de45..39586eb33da 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java
@@ -26,7 +26,8 @@ public final class JaasUtils {
     private static final Logger LOG = LoggerFactory.getLogger(JaasUtils.class);
     public static final String JAVA_LOGIN_CONFIG_PARAM = 
"java.security.auth.login.config";
     public static final String DISALLOWED_LOGIN_MODULES_CONFIG = 
"org.apache.kafka.disallowed.login.modules";
-    public static final String DISALLOWED_LOGIN_MODULES_DEFAULT = 
"com.sun.security.auth.module.JndiLoginModule";
+    public static final String DISALLOWED_LOGIN_MODULES_DEFAULT =
+            
"com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule";
     public static final String SERVICE_NAME = "serviceName";
 
     public static final String ZK_SASL_CLIENT = "zookeeper.sasl.client";
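Review bot: The widened `DISALLOWED_LOGIN_MODULES_DEFAULT` carries no comment saying why these two modules are blocked or how the default relates to the `org.apache.kafka.disallowed.login.modules` system property. Judging from JaasContextTest in this same commit, setting that property (even to an empty string) appears to replace the default rather than extend it, so a deployment that already sets its own list would presumably not pick up the new `LdapLoginModule` entry. A Javadoc on the constant would make both points visible, for example `/** Login modules rejected unless DISALLOWED_LOGIN_MODULES_CONFIG is set; that property replaces this list, it does not add to it. Both modules contact a directory server named in their JAAS options. */`. Since this changes a security default, the "MINOR: Cleanups" title undersells it for anyone scanning the branch history for behaviour changes.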
diff --git 
a/clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java 
b/clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java
index ade3aa12319..0add34cbafc 100644
--- 
a/clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java
+++ 
b/clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java
@@ -188,6 +188,10 @@ public class JaasContextTest {
         String jaasConfigProp1 = "com.sun.security.auth.module.JndiLoginModule 
required;";
         assertThrows(IllegalArgumentException.class, () -> 
configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp1));
 
+        //test LdapLoginModule is not allowed by default
+        String jaasConfigProp2 = "com.sun.security.auth.module.LdapLoginModule 
required;";
+        assertThrows(IllegalArgumentException.class, () -> 
configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp2));
+
         //test ListenerName Override
         writeConfiguration(Arrays.asList(
                 "KafkaServer { test.LoginModuleDefault required; };",
@@ -196,11 +200,19 @@ public class JaasContextTest {
         assertThrows(IllegalArgumentException.class, () -> 
JaasContext.loadServerContext(new ListenerName("plaintext"),
                 "SOME-MECHANISM", Collections.emptyMap()));
 
+        //test ListenerName Override
+        writeConfiguration(Arrays.asList(
+                "KafkaServer { test.LoginModuleDefault required; };",
+                "plaintext.KafkaServer { 
com.sun.security.auth.module.LdapLoginModule requisite; };"
+        ));
+        assertThrows(IllegalArgumentException.class, () -> 
JaasContext.loadServerContext(new ListenerName("plaintext"),
+                "SOME-MECHANISM", Collections.emptyMap()));
+
         //test org.apache.kafka.disallowed.login.modules system property with 
multiple modules
         System.setProperty(DISALLOWED_LOGIN_MODULES_CONFIG, " 
com.ibm.security.auth.module.LdapLoginModule , 
com.ibm.security.auth.module.Krb5LoginModule ");
 
-        String jaasConfigProp2 = "com.ibm.security.auth.module.LdapLoginModule 
required;";
-        assertThrows(IllegalArgumentException.class, () ->  
configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp2));
+        String jaasConfigProp3 = "com.ibm.security.auth.module.LdapLoginModule 
required;";
+        assertThrows(IllegalArgumentException.class, () ->  
configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp3));
 
         //test ListenerName Override
         writeConfiguration(Arrays.asList(
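Review bot: The block added at the top of this hunk reuses the comment `//test ListenerName Override`, which now appears several times in this test method (and again in the block added by the `-226,6` hunk) without saying which module or which default is being exercised. A more specific label such as `// LdapLoginModule in a listener override is rejected by default` would make a failing assertion easier to locate. The Jndi and Ldap cases are near-identical copies, so looping over the two class names, or a small private helper, would keep their coverage from drifting apart. The test method starts and ends outside this hunk.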
@@ -215,6 +227,7 @@ public class JaasContextTest {
         System.setProperty(DISALLOWED_LOGIN_MODULES_CONFIG, "");
 
         checkConfiguration("com.sun.security.auth.module.JndiLoginModule", 
LoginModuleControlFlag.REQUIRED, new HashMap<>());
+        checkConfiguration("com.sun.security.auth.module.LdapLoginModule", 
LoginModuleControlFlag.REQUIRED, new HashMap<>());
 
         //test ListenerName Override
         writeConfiguration(Arrays.asList(
@@ -226,6 +239,17 @@ public class JaasContextTest {
         assertEquals(1, context.configurationEntries().size());
         checkEntry(context.configurationEntries().get(0), 
"com.sun.security.auth.module.JndiLoginModule",
                 LoginModuleControlFlag.REQUISITE, Collections.emptyMap());
+
+        //test ListenerName Override
+        writeConfiguration(Arrays.asList(
+                "KafkaServer { com.sun.security.auth.module.LdapLoginModule 
required; };",
+                "plaintext.KafkaServer { 
com.sun.security.auth.module.LdapLoginModule requisite; };"
+        ));
+        context = JaasContext.loadServerContext(new ListenerName("plaintext"),
+                "SOME-MECHANISM", Collections.emptyMap());
+        assertEquals(1, context.configurationEntries().size());
+        checkEntry(context.configurationEntries().get(0), 
"com.sun.security.auth.module.LdapLoginModule",
+                LoginModuleControlFlag.REQUISITE, Collections.emptyMap());
     }
 
     @Test
