Posted to commits@kafka.apache.org by sr...@apache.org on 2016/01/29 13:59:04 UTC

kafka git commit: KAFKA-3166; Disable SSL client authentication for SASL_SSL security protocol (backport)

Repository: kafka
Updated Branches:
  refs/heads/0.9.0 9e5b77ce9 -> 3dcd5dbe8


KAFKA-3166; Disable SSL client authentication for SASL_SSL security protocol (backport)

Backport of https://github.com/apache/kafka/pull/827 to 0.9.0 that only includes the essential code changes (excluded the test changes due to conflicts).

Author: Ismael Juma <is...@juma.me.uk>

Reviewers: Sriharsha Chintalapani <ha...@hortonworks.com>

Closes #830 from ijuma/kafka-3166-backport-disable-ssl-auth-sasl-ssl


Project: http://git-wip-us.apache.org/repos/asf/kafka/repo
Commit: http://git-wip-us.apache.org/repos/asf/kafka/commit/3dcd5dbe
Tree: http://git-wip-us.apache.org/repos/asf/kafka/tree/3dcd5dbe
Diff: http://git-wip-us.apache.org/repos/asf/kafka/diff/3dcd5dbe

Branch: refs/heads/0.9.0
Commit: 3dcd5dbe89a17a2605f05d69f6df4b91a0ec24d9
Parents: 9e5b77c
Author: Ismael Juma <is...@juma.me.uk>
Authored: Fri Jan 29 18:28:53 2016 +0530
Committer: Sriharsha Chintalapani <ha...@hortonworks.com>
Committed: Fri Jan 29 18:28:53 2016 +0530

----------------------------------------------------------------------
 .../kafka/common/network/SaslChannelBuilder.java       |  5 +++--
 .../apache/kafka/common/security/ssl/SslFactory.java   | 13 +++++++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kafka/blob/3dcd5dbe/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java
----------------------------------------------------------------------
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java b/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java
index 86ac779..34a87c9 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java
@@ -66,8 +66,9 @@ public class SaslChannelBuilder implements ChannelBuilder {
                 kerberosShortNamer = KerberosShortNamer.fromUnparsedRules(defaultRealm, principalToLocalRules);
 
             if (this.securityProtocol == SecurityProtocol.SASL_SSL) {
-                this.sslFactory = new SslFactory(mode);
-                this.sslFactory.configure(this.configs);
+                // Disable SSL client authentication as we are using SASL authentication
+                this.sslFactory = new SslFactory(mode, "none");
+                this.sslFactory.configure(configs);
             }
         } catch (Exception e) {
             throw new KafkaException(e);
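Review bot: On a SASL_SSL listener the `"none"` passed to `SslFactory` replaces whatever `ssl.client.auth` the operator configured, and nothing in this hunk reports that. A broker that was set to `required` and relied on client certificates as a second check alongside SASL would stop requesting them after this change, with no trace in the logs. I would log a warning when the configured value is present and differs from the forced one, and extend the comment to `// SASL authenticates the client, so ssl.client.auth is ignored for SASL_SSL and TLS client auth is forced to "none"`. The bare `"none"` literal would also read better as a named constant shared with the comparisons in `SslFactory.configure`. The enclosing method starts and ends outside the hunk.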

http://git-wip-us.apache.org/repos/asf/kafka/blob/3dcd5dbe/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java
----------------------------------------------------------------------
diff --git a/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java b/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java
index a7cf9a2..50c75dc 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java
@@ -33,6 +33,9 @@ import java.util.Map;
 
 public class SslFactory implements Configurable {
 
+    private final Mode mode;
+    private final String clientAuthConfigOverride;
+
     private String protocol;
     private String provider;
     private String kmfAlgorithm;
@@ -46,10 +49,14 @@ public class SslFactory implements Configurable {
     private SSLContext sslContext;
     private boolean needClientAuth;
     private boolean wantClientAuth;
-    private final Mode mode;
 
     public SslFactory(Mode mode) {
+        this(mode, null);
+    }
+
+    public SslFactory(Mode mode, String clientAuthConfigOverride) {
         this.mode = mode;
+        this.clientAuthConfigOverride = clientAuthConfigOverride;
     }
 
     @Override
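Review bot: The new two-argument constructor has no Javadoc, so nothing tells a caller that `null` means "use the configured `ssl.client.auth`" while any non-null string replaces it. I would add a short Javadoc stating that, for example `@param clientAuthConfigOverride value used instead of ssl.client.auth when non-null; null keeps the configured value`, plus a one-line comment on the `clientAuthConfigOverride` field added in the previous hunk. Because the constructor is public, the Javadoc should also say that the override changes TLS client authentication regardless of what the broker configuration requests.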
@@ -70,7 +77,9 @@ public class SslFactory implements Configurable {
         if (endpointIdentification != null)
             this.endpointIdentification = endpointIdentification;
 
-        String clientAuthConfig = (String) configs.get(SslConfigs.SSL_CLIENT_AUTH_CONFIG);
+        String clientAuthConfig = clientAuthConfigOverride;
+        if (clientAuthConfig == null)
+            clientAuthConfig = (String) configs.get(SslConfigs.SSL_CLIENT_AUTH_CONFIG);
         if (clientAuthConfig != null) {
             if (clientAuthConfig.equals("required"))
                 this.needClientAuth = true;
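Review bot: The override goes through the same case-sensitive `equals` chain as the configured value and is never validated. Only the `"required"` branch is visible here (the chain continues below the hunk), but if it has no final `else` that rejects unknown values, an override such as `"Required"` would presumably leave `needClientAuth` false and client authentication off without any error. Throwing `IllegalArgumentException` from the constructor when a non-null override is not one of the values this chain handles would make a mistyped override fail closed. A one-line comment above `String clientAuthConfig = clientAuthConfigOverride;` saying that the override wins over `SslConfigs.SSL_CLIENT_AUTH_CONFIG` would also help the next reader.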