[ https://issues.apache.org/jira/browse/KAFKA-8860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16920998#comment-16920998 ]
ASF GitHub Bot commented on KAFKA-8860:
---------------------------------------

omkreddy commented on pull request #7140: KAFKA-8860: Let SslPrincipalMapper split SSL principal mapping rules
URL: https://github.com/apache/kafka/pull/7140

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

> SslPrincipalMapper should handle distinguished names with spaces
> ----------------------------------------------------------------
>
>                 Key: KAFKA-8860
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8860
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 2.2.0
>            Reporter: Manikumar
>            Priority: Major
>             Fix For: 2.4.0
>
>
> This Jira is to track the issue reported by [t...@teebee.de|mailto:t...@teebee.de] in PR [#7140|https://github.com/apache/kafka/pull/7140]
> PR [#6099|https://github.com/apache/kafka/pull/6099] tried to undo the splitting of the {{ssl.principal.mapper.rules}} [list|https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/KafkaConfig.scala#L1054] on [comma with whitespace|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L78] by [sophisticated rejoining|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42] of the split list using a comma as separator. However, since possibly surrounding whitespace is not reconstructed this approach fails in general.
> Consider the following test case:
> {code:java}
> @Test
> public void testCommaWithWhitespace() throws Exception {
>     // The rule's regex contains an escaped comma followed by a space (", *").
>     String value = "RULE:^CN=((\\\\, *|\\w)+)(,.*|$)/$1/,DEFAULT";
>     @SuppressWarnings("unchecked")
>     List<String> rules = (List<String>) ConfigDef.parseType("ssl.principal.mapper.rules", value, Type.LIST);
>     SslPrincipalMapper mapper = SslPrincipalMapper.fromRules(rules);
>     // The CN holds an escaped comma and a space; both must survive the mapping.
>     assertEquals("Tkac\\, Adam", mapper.getName("CN=Tkac\\, Adam,OU=ITZ,DC=geodis,DC=cz"));
> }
> {code}
> The space after the escaped comma is [essential|https://sogo.nu/bugs/view.php?id=2152]. Unfortunately, it has disappeared after splitting and rejoining.
> Moreover, in [{{joinSplitRules}}|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java#L42] the decision to rejoin list elements is based on local information only which might not be sufficient. It works for
> {quote}"RULE:^CN=([^,ADEFLTU,]+)(,.*|$)/$1/"{quote}
> but fails for the _equivalent_ regular expression
> {quote}RULE:^CN=([^,DEFAULT,]+)(,.*|$)/$1/"{quote}
> The approach of the current PR is to change the type of the {{ssl.principal.mapper.rules}} attribute from [LIST|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781] to [STRING|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/config/ConfigDef.java#L781] and to delegate the splitting of the rules to the [SslPrincipalMapper|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/SslPrincipalMapper.java].
> It knows about the structure of the rules and can perform the splitting context-based.

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
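
The lossy split-and-rejoin described in the issue, next to a split that follows the rule structure, as an added example (not Kafka's code and not the PR's implementation). The class and method names, the `\s*,\s*` pattern standing in for LIST parsing, and the rule grammar (`DEFAULT`, or `RULE:<pattern>/<replacement>/` with an optional `L` or `U`) are assumptions; the second input is constructed from the issue's second regex.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration, not Kafka code. Class and method names are hypothetical.
public class RuleSplitDemo {
    // Assumed model of LIST parsing: split on a comma with surrounding whitespace.
    static final Pattern COMMA_WS = Pattern.compile("\\s*,\\s*");
    // One rule: DEFAULT, or RULE:<pattern>/<replacement>/ with an optional L or U flag.
    // A backslash escapes the following character inside pattern and replacement.
    static final Pattern ONE_RULE = Pattern.compile(
        "\\s*(DEFAULT|RULE:(?:\\\\.|[^\\\\/])*/(?:\\\\.|[^\\\\/])*/[LU]?)\\s*(?:,|$)");

    // Lossy path from the issue: split at every comma, rejoin with a bare comma.
    static String splitAndRejoin(String value) {
        return String.join(",", COMMA_WS.split(value, -1));
    }

    // Structure-aware path: consume whole rules, so commas inside a rule are never cut.
    static List<String> splitByStructure(String value) {
        List<String> rules = new ArrayList<>();
        Matcher m = ONE_RULE.matcher(value);
        int pos = 0;
        while (pos < value.length()) {
            if (!m.find(pos) || m.start() != pos)
                throw new IllegalArgumentException("Invalid rule at offset " + pos);
            rules.add(m.group(1));
            pos = m.end();
        }
        return rules;
    }

    public static void main(String[] args) {
        String value = "RULE:^CN=((\\\\, *|\\w)+)(,.*|$)/$1/,DEFAULT"; // from the test case
        String rejoined = splitAndRejoin(value);
        System.out.println("original : " + value);
        System.out.println("rejoined : " + rejoined);
        System.out.println("identical: " + value.equals(rejoined));
        System.out.println("by structure: " + splitByStructure(value));
        // Constructed input: the issue's second regex followed by ", DEFAULT".
        System.out.println("by structure: "
            + splitByStructure("RULE:^CN=([^,DEFAULT,]+)(,.*|$)/$1/, DEFAULT"));
    }
}
```

Comparing the `original` and `rejoined` lines shows the space after the escaped comma missing from the regex, while the structure-aware split returns each rule unchanged.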