showuon commented on code in PR #18683: URL: https://github.com/apache/kafka/pull/18683#discussion_r2144142601
########## clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java: ########## @@ -252,6 +252,30 @@ public void testDisallowedLoginModulesSystemProperty() throws Exception { checkEntry(context.configurationEntries().get(0), "com.sun.security.auth.module.LdapLoginModule", LoginModuleControlFlag.REQUISITE, Collections.emptyMap()); } + + @Test + void testAllowedLoginModulesSystemProperty() { + + // default + String jaasConfigProp1 = "com.ibm.security.auth.module.LdapLoginModule required;"; + assertDoesNotThrow(() -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp1)); + + String jaasConfigProp2 = "com.sun.security.auth.module.JndiLoginModule required;"; + // set allow dont' set not allow + System.setProperty(JaasUtils.ALLOWED_LOGIN_MODULES_CONFIG, "com.ibm.security.auth.module.LdapLoginModule"); + assertDoesNotThrow(() -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp1)); + assertThrows(IllegalArgumentException.class, () -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp2)); + + // set allow and set not allow + System.setProperty(JaasUtils.DISALLOWED_LOGIN_MODULES_CONFIG, "com.ibm.security.auth.module.LdapLoginModule"); + assertDoesNotThrow(() -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp1)); + assertThrows(IllegalArgumentException.class, () -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp2)); + + // don't set allow and set not allow Review Comment: -> set disallowed list, but not set allowed list ########## clients/src/main/java/org/apache/kafka/common/security/JaasContext.java: ########## 
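Review bot: testAllowedLoginModulesSystemProperty sets `JaasUtils.ALLOWED_LOGIN_MODULES_CONFIG` and `JaasUtils.DISALLOWED_LOGIN_MODULES_CONFIG` with System.setProperty, but nothing in the visible part of the method restores them, and because these are JVM-wide the leftovers will change what testDisallowedLoginModulesSystemProperty and any other test in the class observes depending on run order. Unless an @AfterEach outside the hunk already resets them, wrap the body in a try/finally that calls `System.clearProperty(JaasUtils.ALLOWED_LOGIN_MODULES_CONFIG)` and `System.clearProperty(JaasUtils.DISALLOWED_LOGIN_MODULES_CONFIG)`. The "default" step also only checks that the IBM module is accepted; adding `assertThrows(IllegalArgumentException.class, () -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp2));` before the first setProperty would pin that the built-in disallow list still blocks JndiLoginModule when neither property is set. The test method continues past the end of the hunk.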
@@ -103,12 +104,31 @@ else if (contextModules.length != 1) return defaultContext(contextType, listenerContextName, globalContextName); } + @SuppressWarnings("deprecation") private static void throwIfLoginModuleIsNotAllowed(AppConfigurationEntry appConfigurationEntry) { - Set<String> disallowedLoginModuleList = Arrays.stream( - System.getProperty(DISALLOWED_LOGIN_MODULES_CONFIG, DISALLOWED_LOGIN_MODULES_DEFAULT).split(",")) + String disallowedProperty = System.getProperty(DISALLOWED_LOGIN_MODULES_CONFIG); + if (disallowedProperty != null) { + LOG.warn("System property '{}' is deprecated and will be removed in a future release. Use '{}' instead.", + DISALLOWED_LOGIN_MODULES_CONFIG, ALLOWED_LOGIN_MODULES_CONFIG); + } + String loginModuleName = appConfigurationEntry.getLoginModuleName().trim(); + String allowedProperty = System.getProperty(ALLOWED_LOGIN_MODULES_CONFIG); + if (allowedProperty != null) { + Set<String> allowedLoginModuleList = Arrays.stream(allowedProperty.split(",")) + .map(String::trim) + .collect(Collectors.toSet()); + if (!allowedLoginModuleList.contains(loginModuleName)) { + throw new IllegalArgumentException(loginModuleName + " is not allowed. Update System property '" + + ALLOWED_LOGIN_MODULES_CONFIG + "' to allow " + loginModuleName); + } + return; + } + if (disallowedProperty == null) { + disallowedProperty = DISALLOWED_LOGIN_MODULES_DEFAULT; + } + Set<String> disallowedLoginModuleList = Arrays.stream(disallowedProperty.split(",")) .map(String::trim) .collect(Collectors.toSet()); - String loginModuleName = appConfigurationEntry.getLoginModuleName().trim(); if (disallowedLoginModuleList.contains(loginModuleName)) { throw new IllegalArgumentException(loginModuleName + " is not allowed. Update System property '" + DISALLOWED_LOGIN_MODULES_CONFIG + "' to allow " + loginModuleName); Review Comment: nit: We should also add the deprecation message in this error message to tell users to change to allowList instead. 
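Review bot: The `return;` after the allowed-list check makes an explicitly configured disallowed list irrelevant whenever `org.apache.kafka.allowed.login.modules` is also set, so a module named in both properties is accepted — the test hunk above pins exactly that ("set allow and set not allow" expects no throw for the IBM LdapLoginModule even though it is in the disallowed property). For an access-control switch the fail-closed precedence is deny-overrides-allow: a module an operator explicitly listed as disallowed should stay rejected while they migrate, and only the built-in default disallow list should be superseded by an allowed list. If the intent really is that the allowed list fully replaces the disallowed one, that precedence needs to be stated in a Javadoc on throwIfLoginModuleIsNotAllowed and in the upgrade note, since the deprecated property keeps being read. Separately, the deprecation warning is logged on every invocation rather than once per JVM, which will be noisy for clients that build many contexts.
```java
String allowedProperty = System.getProperty(ALLOWED_LOGIN_MODULES_CONFIG);
if (allowedProperty != null) {
    // … unchanged: allowed-list parse and "is not allowed" throw, without the early return …
}
// An explicitly configured disallowed list is enforced even when an allowed
// list is present; the built-in default applies only when no allowed list is set.
if (disallowedProperty == null) {
    if (allowedProperty != null) {
        return;
    }
    disallowedProperty = DISALLOWED_LOGIN_MODULES_DEFAULT;
}
Set<String> disallowedLoginModuleList = Arrays.stream(disallowedProperty.split(","))
// … unchanged: trim/collect and the disallowed-list throw …
```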
########## clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java: ########## @@ -16,13 +16,17 @@ */ package org.apache.kafka.common.security; + Review Comment: +1 ########## clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java: ########## @@ -252,6 +252,30 @@ public void testDisallowedLoginModulesSystemProperty() throws Exception { checkEntry(context.configurationEntries().get(0), "com.sun.security.auth.module.LdapLoginModule", LoginModuleControlFlag.REQUISITE, Collections.emptyMap()); } + + @Test + void testAllowedLoginModulesSystemProperty() { + + // default + String jaasConfigProp1 = "com.ibm.security.auth.module.LdapLoginModule required;"; + assertDoesNotThrow(() -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp1)); + + String jaasConfigProp2 = "com.sun.security.auth.module.JndiLoginModule required;"; + // set allow dont' set not allow + System.setProperty(JaasUtils.ALLOWED_LOGIN_MODULES_CONFIG, "com.ibm.security.auth.module.LdapLoginModule"); + assertDoesNotThrow(() -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp1)); + assertThrows(IllegalArgumentException.class, () -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp2)); + + // set allow and set not allow Review Comment: -> set both allowed list and disallowed list ########## docs/upgrade.html: ########## @@ -197,6 +197,8 @@ <h5><a id="upgrade_servers_400_notable" href="#upgrade_servers_400_notable">Nota </li> <li>The <code>log.message.format.version</code> and <code>message.format.version</code> configs were removed. </li> + <li>The <code>org.apache.kafka.disallowed.login.modules</code> config was deprecated. Please use the <code>org.apache.kafka.allowed.login.modules</code> instead. + </li> Review Comment: We should move this to 4.2 section. ########## clients/src/main/java/org/apache/kafka/common/security/JaasUtils.java: ########## 
@@ -16,13 +16,17 @@ */ package org.apache.kafka.common.security; + public final class JaasUtils { public static final String JAVA_LOGIN_CONFIG_PARAM = "java.security.auth.login.config"; + @Deprecated public static final String DISALLOWED_LOGIN_MODULES_CONFIG = "org.apache.kafka.disallowed.login.modules"; + public static final String ALLOWED_LOGIN_MODULES_CONFIG = "org.apache.kafka.allowed.login.modules"; public static final String DISALLOWED_LOGIN_MODULES_DEFAULT = "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule"; public static final String SERVICE_NAME = "serviceName"; - private JaasUtils() {} + private JaasUtils() { + } Review Comment: +1 ########## clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java: ########## @@ -224,8 +225,7 @@ public void testDisallowedLoginModulesSystemProperty() throws Exception { "SOME-MECHANISM", Collections.emptyMap())); - //Remove default value for org.apache.kafka.disallowed.login.modules - System.setProperty(DISALLOWED_LOGIN_MODULES_CONFIG, ""); + // add allowed login modules Review Comment: What does this change mean? ########## clients/src/test/java/org/apache/kafka/common/security/JaasContextTest.java: ########## 
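Review bot: `DISALLOWED_LOGIN_MODULES_CONFIG` gets a bare `@Deprecated` with no Javadoc `@deprecated` tag, so a user hitting the compiler warning has no pointer to the replacement; add `/** @deprecated Use {@link #ALLOWED_LOGIN_MODULES_CONFIG} instead. */` above it, with the version the upgrade note settles on. `DISALLOWED_LOGIN_MODULES_DEFAULT` stays public and undeprecated while, per the JaasContext change, it is consulted only when neither property is set; a one-line comment stating that precedence on the constant would help operators decide whether they need to configure the allowed list. The new constant would also benefit from a short Javadoc saying it is a comma-separated list of fully qualified login module class names, which is what the parsing in JaasContext expects.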
@@ -252,6 +252,30 @@ public void testDisallowedLoginModulesSystemProperty() throws Exception { checkEntry(context.configurationEntries().get(0), "com.sun.security.auth.module.LdapLoginModule", LoginModuleControlFlag.REQUISITE, Collections.emptyMap()); } + + @Test + void testAllowedLoginModulesSystemProperty() { + + // default + String jaasConfigProp1 = "com.ibm.security.auth.module.LdapLoginModule required;"; + assertDoesNotThrow(() -> configurationEntry(JaasContext.Type.CLIENT, jaasConfigProp1)); + + String jaasConfigProp2 = "com.sun.security.auth.module.JndiLoginModule required;"; + // set allow dont' set not allow Review Comment: nit: set allowed list, but not set disallowed list -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org