Posted to commits@zookeeper.apache.org by ar...@apache.org on 2019/09/30 20:27:03 UTC
[zookeeper] branch master updated: ZOOKEEPER-1467: Make server
principal configurable at client side.
This is an automated email from the ASF dual-hosted git repository.
arshad pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/master by this push:
new 0d7be16 ZOOKEEPER-1467: Make server principal configurable at client side.
0d7be16 is described below
commit 0d7be16b86830f4bacc4fea9389e0dff760d38e0
Author: Sujith Simon <su...@huawei.com>
AuthorDate: Tue Oct 1 01:56:26 2019 +0530
ZOOKEEPER-1467: Make server principal configurable at client side.
Make server principal configurable at the client side
Author: sujithsimon22 <su...@huawei.com>
Reviewers: Mohammad Arshad <ar...@apache.org>, enixon
Closes #1099 from sujithsimon22/ZOOKEEPER-1467
---
.../src/main/resources/markdown/zookeeperProgrammers.md | 6 ++++++
.../main/java/org/apache/zookeeper/SaslServerPrincipal.java | 5 +++++
.../java/org/apache/zookeeper/client/ZKClientConfig.java | 2 ++
.../main/java/org/apache/zookeeper/util/SecurityUtils.java | 7 ++++++-
.../java/org/apache/zookeeper/ClientCanonicalizeTest.java | 12 ++++++++++++
5 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/zookeeper-docs/src/main/resources/markdown/zookeeperProgrammers.md b/zookeeper-docs/src/main/resources/markdown/zookeeperProgrammers.md
index 54ef7bc..21c8a9a 100644
--- a/zookeeper-docs/src/main/resources/markdown/zookeeperProgrammers.md
+++ b/zookeeper-docs/src/main/resources/markdown/zookeeperProgrammers.md
@@ -1231,6 +1231,12 @@ following reference
* *zookeeper.kinit* :
Specifies path to kinit binary. Default is "/usr/bin/kinit".
+* *zookeeper.server.principal* :
+ Specifies the server principal to be used by the client for authentication, while connecting to the zookeeper
+ server, when Kerberos authentication is enabled. A couple of ways to specify the server principal can be as
+ "zookeeper.server.principal = **zookeeper/zookeeper.apache.org@APACHE.ORG**" or
+ "zookeeper.server.principal = **zookeeper/zookeeper.apache.org**"
+
<a name="C+Binding"></a>
### C Binding
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java b/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java
index b2e8ac1..7c1b2a0 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java
@@ -48,6 +48,11 @@ public class SaslServerPrincipal {
* @return the name of the principal.
*/
static String getServerPrincipal(WrapperInetSocketAddress addr, ZKClientConfig clientConfig) {
+ String configuredServerPrincipal = clientConfig.getProperty(ZKClientConfig.ZOOKEEPER_SERVER_PRINCIPAL);
+ if (configuredServerPrincipal != null) {
+ // If server principal is already configured then return it
+ return configuredServerPrincipal;
+ }
String principalUserName = clientConfig.getProperty(
ZKClientConfig.ZK_SASL_CLIENT_USERNAME,
ZKClientConfig.ZK_SASL_CLIENT_USERNAME_DEFAULT);
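Review bot: The new early return in getServerPrincipal hands back any non-null configured value, so an empty or blank `zookeeper.server.principal` (a `-D` flag given without a value, or a stray `setProperty`) is passed on to the SASL layer instead of falling back to the host-derived principal; tighten the guard to `if (configuredServerPrincipal != null && !configuredServerPrincipal.trim().isEmpty()) {`. The short-circuit also skips the canonicalization that follows, so the client no longer ties the expected server principal to the host it actually connects to — with one static principal every ensemble member in the connect string must hold that identity, which is presumably the intent for load-balanced or aliased deployments but deserves a comment, e.g. `// Explicit override: bypasses host canonicalization, so every server in the connect string must accept this principal`. getServerPrincipal continues past the end of the hunk.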
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZKClientConfig.java b/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZKClientConfig.java
index 8c3b004..3ba4c6a 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZKClientConfig.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZKClientConfig.java
@@ -59,6 +59,7 @@ public class ZKClientConfig extends ZKConfig {
public static final String SECURE_CLIENT = ZooKeeper.SECURE_CLIENT;
public static final int CLIENT_MAX_PACKET_LENGTH_DEFAULT = 4096 * 1024; /* 4 MB */
public static final String ZOOKEEPER_REQUEST_TIMEOUT = "zookeeper.request.timeout";
+ public static final String ZOOKEEPER_SERVER_PRINCIPAL = "zookeeper.server.principal";
/**
* Feature is disabled by default.
*/
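Review bot: The new ZOOKEEPER_SERVER_PRINCIPAL constant has no Javadoc, and nothing in this class says that the value is an override rather than a default or that the realm may be omitted. A one-line doc would help anyone reading the config class, e.g. `/** Optional fixed server principal, with or without realm; when set it replaces the host-derived principal computed in SaslServerPrincipal. */`.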
@@ -83,6 +84,7 @@ public class ZKClientConfig extends ZKConfig {
*/
private void initFromJavaSystemProperties() {
setProperty(ZOOKEEPER_REQUEST_TIMEOUT, System.getProperty(ZOOKEEPER_REQUEST_TIMEOUT));
+ setProperty(ZOOKEEPER_SERVER_PRINCIPAL, System.getProperty(ZOOKEEPER_SERVER_PRINCIPAL));
}
@Override
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java b/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
index b3de2e5..9ab3732 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
@@ -104,7 +104,12 @@ public final class SecurityUtils {
// unless the system property
// "zookeeper.server.realm" is set).
String serverRealm = System.getProperty("zookeeper.server.realm", clientKerberosName.getRealm());
- KerberosName serviceKerberosName = new KerberosName(servicePrincipal + "@" + serverRealm);
+ String modifiedServerPrincipal = servicePrincipal;
+ // If service principal does not contain realm, then add it
+ if (!modifiedServerPrincipal.contains("@")) {
+ modifiedServerPrincipal = modifiedServerPrincipal + "@" + serverRealm;
+ }
+ KerberosName serviceKerberosName = new KerberosName(modifiedServerPrincipal);
final String serviceName = serviceKerberosName.getServiceName();
final String serviceHostname = serviceKerberosName.getHostName();
final String clientPrincipalName = clientKerberosName.toString();
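Review bot: When the configured principal already carries a realm, the `zookeeper.server.realm` value read two lines above is silently discarded, which now contradicts the comment just above it ("unless the system property zookeeper.server.realm is set"); that comment should be updated and the precedence stated, e.g. `// A realm embedded in the configured principal takes precedence over zookeeper.server.realm`. The `contains("@")` check also treats a trailing '@' with an empty realm (`zookeeper/host@`) as realm-qualified and passes it to KerberosName unchanged rather than completing it with the default realm; if that form is not meant to be accepted, testing `indexOf('@')` against the last index, or validating the resulting KerberosName, would be safer. The enclosing method starts and ends outside the hunk.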
diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/ClientCanonicalizeTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/ClientCanonicalizeTest.java
index 799af3a..796cb6b 100644
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/ClientCanonicalizeTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/ClientCanonicalizeTest.java
@@ -22,6 +22,7 @@ import static org.junit.Assert.assertEquals;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import java.io.IOException;
+import java.net.InetSocketAddress;
import org.apache.zookeeper.client.ZKClientConfig;
import org.junit.Test;
@@ -73,4 +74,15 @@ public class ClientCanonicalizeTest extends ZKTestCase {
assertEquals("The computed principal does appear to have falled back to the original host name", "zookeeper/zookeeper.apache.org", principal);
}
+ @Test
+ public void testGetServerPrincipalReturnConfiguredPrincipalName() {
+ ZKClientConfig config = new ZKClientConfig();
+ String configuredPrincipal = "zookeeper/zookeeper.apache.org@APACHE.ORG";
+ config.setProperty(ZKClientConfig.ZOOKEEPER_SERVER_PRINCIPAL, configuredPrincipal);
+
+ // Testing the case where server principal is configured, therefore InetSocketAddress is passed as null
+ String serverPrincipal = SaslServerPrincipal.getServerPrincipal((InetSocketAddress) null, config);
+ assertEquals(configuredPrincipal, serverPrincipal);
+ }
+
}
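Review bot: The new test only covers the realm-qualified form of the configured principal; the realm-less form documented in zookeeperProgrammers.md (`zookeeper/zookeeper.apache.org`) and the empty-string case, which the null check in SaslServerPrincipal currently passes straight through, are not exercised. A second test pinning the realm-less value, and one asserting that an empty configured value falls back to the host-derived principal (using the same mocked address the existing canonicalization tests use), would guard the fallback path and make the intended handling of a blank property explicit.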