Posted to commits@kafka.apache.org by sr...@apache.org on 2016/01/29 13:59:04 UTC
kafka git commit: KAFKA-3166;
Disable SSL client authentication for SASL_SSL security protocol
(backport)
Repository: kafka
Updated Branches:
refs/heads/0.9.0 9e5b77ce9 -> 3dcd5dbe8
KAFKA-3166; Disable SSL client authentication for SASL_SSL security protocol (backport)
Backport of https://github.com/apache/kafka/pull/827 to 0.9.0 that includes only the essential code changes (the test changes are excluded due to conflicts).
Author: Ismael Juma <is...@juma.me.uk>
Reviewers: Sriharsha Chintalapani <ha...@hortonworks.com>
Closes #830 from ijuma/kafka-3166-backport-disable-ssl-auth-sasl-ssl
Project: http://git-wip-us.apache.org/repos/asf/kafka/repo
Commit: http://git-wip-us.apache.org/repos/asf/kafka/commit/3dcd5dbe
Tree: http://git-wip-us.apache.org/repos/asf/kafka/tree/3dcd5dbe
Diff: http://git-wip-us.apache.org/repos/asf/kafka/diff/3dcd5dbe
Branch: refs/heads/0.9.0
Commit: 3dcd5dbe89a17a2605f05d69f6df4b91a0ec24d9
Parents: 9e5b77c
Author: Ismael Juma <is...@juma.me.uk>
Authored: Fri Jan 29 18:28:53 2016 +0530
Committer: Sriharsha Chintalapani <ha...@hortonworks.com>
Committed: Fri Jan 29 18:28:53 2016 +0530
----------------------------------------------------------------------
.../kafka/common/network/SaslChannelBuilder.java | 5 +++--
.../apache/kafka/common/security/ssl/SslFactory.java | 13 +++++++++++--
2 files changed, 14 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/kafka/blob/3dcd5dbe/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java
----------------------------------------------------------------------
diff --git a/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java b/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java
index 86ac779..34a87c9 100644
--- a/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java
+++ b/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java
@@ -66,8 +66,9 @@ public class SaslChannelBuilder implements ChannelBuilder {
kerberosShortNamer = KerberosShortNamer.fromUnparsedRules(defaultRealm, principalToLocalRules);
if (this.securityProtocol == SecurityProtocol.SASL_SSL) {
- this.sslFactory = new SslFactory(mode);
- this.sslFactory.configure(this.configs);
+ // Disable SSL client authentication as we are using SASL authentication
+ this.sslFactory = new SslFactory(mode, "none");
+ this.sslFactory.configure(configs);
}
} catch (Exception e) {
throw new KafkaException(e);
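Review bot: The added comment above `new SslFactory(mode, "none")` does not say that an operator's own `ssl.client.auth` setting is now ignored on SASL_SSL. Anyone who set it to `required` to get a client certificate check in addition to SASL loses that check after upgrading. I would spell it out: `// SASL authenticates the client, so no client certificate is requested on SASL_SSL; any configured ssl.client.auth value is ignored here`. The bare `"none"` literal also has to stay in sync with the strings compared in `SslFactory.configure`, so a shared constant would be safer than repeating the text. The enclosing method starts and ends outside this hunk.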
http://git-wip-us.apache.org/repos/asf/kafka/blob/3dcd5dbe/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java
----------------------------------------------------------------------
diff --git a/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java b/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java
index a7cf9a2..50c75dc 100644
--- a/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/ssl/SslFactory.java
@@ -33,6 +33,9 @@ import java.util.Map;
public class SslFactory implements Configurable {
+ private final Mode mode;
+ private final String clientAuthConfigOverride;
+
private String protocol;
private String provider;
private String kmfAlgorithm;
@@ -46,10 +49,14 @@ public class SslFactory implements Configurable {
private SSLContext sslContext;
private boolean needClientAuth;
private boolean wantClientAuth;
- private final Mode mode;
public SslFactory(Mode mode) {
+ this(mode, null);
+ }
+
+ public SslFactory(Mode mode, String clientAuthConfigOverride) {
this.mode = mode;
+ this.clientAuthConfigOverride = clientAuthConfigOverride;
}
@Override
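Review bot: The new public constructor `SslFactory(Mode mode, String clientAuthConfigOverride)` has no Javadoc, and its contract is not obvious from the signature. It should document that `null` means "use `ssl.client.auth` from the configs passed to `configure`" and that any non-null value takes precedence over that setting. It should also name the accepted strings, because the parameter is a free-form `String` that is stored without validation. A short Javadoc block with a `@param clientAuthConfigOverride` line stating those three points would be enough.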
@@ -70,7 +77,9 @@ public class SslFactory implements Configurable {
if (endpointIdentification != null)
this.endpointIdentification = endpointIdentification;
- String clientAuthConfig = (String) configs.get(SslConfigs.SSL_CLIENT_AUTH_CONFIG);
+ String clientAuthConfig = clientAuthConfigOverride;
+ if (clientAuthConfig == null)
+ clientAuthConfig = (String) configs.get(SslConfigs.SSL_CLIENT_AUTH_CONFIG);
if (clientAuthConfig != null) {
if (clientAuthConfig.equals("required"))
this.needClientAuth = true;
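Review bot: Once `clientAuthConfigOverride` is non-null, the `configs.get(SslConfigs.SSL_CLIENT_AUTH_CONFIG)` lookup is skipped, so a configured value that conflicts with the override is dropped without any trace. For a setting that decides whether client certificates are demanded, I would read the configured value unconditionally and report a mismatch, e.g. `String configured = (String) configs.get(SslConfigs.SSL_CLIENT_AUTH_CONFIG);` followed by `if (clientAuthConfigOverride != null && configured != null && !configured.equals(clientAuthConfigOverride)) log.warn("Ignoring {}={}; using {}", SslConfigs.SSL_CLIENT_AUTH_CONFIG, configured, clientAuthConfigOverride);`. This assumes the class has, or is given, a logger, which is not visible here. The rest of the `equals` chain lies beyond the end of the hunk, so it is worth confirming there whether an unrecognised override string is rejected or quietly treated as no client authentication. `configure` starts and ends outside this hunk.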