morazow commented on PR #2506:
URL: https://github.com/apache/fluss/pull/2506#issuecomment-3912988944
Hello @xx789633, @affo
Please have a look at the PR again.
I have identified two follow-up issues that need to be addressed separately.
- Separate SASL communication for inter tablets and clients
- Special character escaping
I will follow up with an issue and a PR for each.
### Separating SASL Communication
For this to work we would need to prefix the JAAS contents with the `listener`
name, for example:
```
internal.FlussServer {
...
}
```
But this does not work for the client, as [on this
line](https://github.com/apache/fluss/blob/main/fluss-common/src/main/java/org/apache/fluss/security/auth/sasl/jaas/JaasContext.java#L163)
the client listener name is hard-coded as `null`. So we will have to fix the
core also and then enable separate SASL for inter tablets and clients in the Helm
charts.
### Special Character for SASL Usernames and Passwords
This is also indeed an issue, which requires a core change for SASL client
authentication.
Without escaping we would have something like the `jaas.conf` file below:
```
root@coordinator-server-0:/opt/fluss# cat /etc/fluss/conf/jaas.conf
FlussServer {
org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
user_admin="pa$$wo\rd!@#%&""
user_oqr25imdt05hyan7="5zFqhXGY0FgXzxUVpzRo";
};
FlussClient {
org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
username="admin"
password="pa$$wo\rd!@#%&"";
};
```
This fails on the server with a configuration error.
It should be correctly escaped as below:
```
FlussServer {
org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
user_admin="pa$$wo\\rd!@#%&\""
user_oqr25imdt05hyan7="5zFqhXGY0FgXzxUVpzRo";
};
FlussClient {
org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
username="admin"
password="pa$$wo\\rd!@#%&\"";
};
```
But this again causes issues on the client side since the
[SaslClientAuthenticator](https://github.com/apache/fluss/blob/main/fluss-common/src/main/java/org/apache/fluss/security/auth/sasl/authenticator/SaslClientAuthenticator.java#L64)
does not escape the user-provided username and password.
This is the failing test for `SaslAuthenticationITCase`:
```java
@Test
void testSpecialCharactersForPassword() throws Exception {
    final String specialPassword = "pa$$wo\\rd!@#%&\"";
    final Configuration clientConfig = new Configuration();
    clientConfig.setString("client.security.protocol", "sasl");
    clientConfig.setString("client.security.sasl.username", "admin");
    clientConfig.setString("client.security.sasl.password", specialPassword);
    testAuthentication(clientConfig, getDefaultServerConfig());
}
```
Since both of these points require changes to Fluss core packages, let's
address them separately.
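An added example, not code from the PR or from Fluss: the password from the failing test above is written into a double-quoted JAAS option with and without escaping, then read back. `escapeJaasValue`, `clientEntry` and `parsePassword` are hypothetical helpers, and `java.io.StreamTokenizer` with `"` as its quote character stands in for the JAAS parser as an assumption.

```java
import java.io.IOException;
import java.io.StreamTokenizer;
import java.io.StringReader;

public class JaasEscapeExample {

    // Hypothetical helper (not a Fluss API): escape a value for a double-quoted JAAS option.
    // Backslashes are doubled first so the backslash added for quotes is not doubled again.
    static String escapeJaasValue(String raw) {
        return raw.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    // Hypothetical helper: render the client entry, with or without escaping.
    static String clientEntry(String user, String password, boolean escape) {
        String u = escape ? escapeJaasValue(user) : user;
        String p = escape ? escapeJaasValue(password) : password;
        return "org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required"
                + " username=\"" + u + "\" password=\"" + p + "\";";
    }

    // Assumption: a StreamTokenizer with '"' as quote character stands in for the JAAS
    // parser. It is more lenient than a real parser and only reports the value it reads.
    static String parsePassword(String entry) throws IOException {
        StreamTokenizer t = new StreamTokenizer(new StringReader(entry));
        t.resetSyntax();
        t.wordChars('a', 'z');
        t.wordChars('A', 'Z');
        t.wordChars('.', '.');
        t.whitespaceChars(0, ' ');
        t.quoteChar('"');
        boolean afterKey = false;
        while (t.nextToken() != StreamTokenizer.TT_EOF) {
            if (t.ttype == StreamTokenizer.TT_WORD && "password".equals(t.sval)) {
                afterKey = true;
            } else if (afterKey && t.ttype == '"') {
                return t.sval;
            }
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        String password = "pa$$wo\\rd!@#%&\""; // the value from the failing test above
        String raw = parsePassword(clientEntry("admin", password, false));
        String escaped = parsePassword(clientEntry("admin", password, true));
        System.out.println("unescaped round-trips: " + password.equals(raw));
        System.out.println("escaped round-trips:   " + password.equals(escaped));
    }
}
```

Without escaping, the stand-in parser reads `\r` as a carriage return and ends the value at the first `"`, so the parsed password differs from the one supplied; with escaping the value round-trips unchanged.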