Posted to jira@kafka.apache.org by "Francois Fernando (Jira)" <ji...@apache.org> on 2020/06/04 02:14:00 UTC

[jira] [Created] (KAFKA-10099) Kerberos authentication sets java authorizedId to authenticationId not authorizationId

Francois Fernando created KAFKA-10099:
-----------------------------------------

             Summary: Kerberos authentication sets java authorizedId to authenticationId not authorizationId
                 Key: KAFKA-10099
                 URL: https://issues.apache.org/jira/browse/KAFKA-10099
             Project: Kafka
          Issue Type: Bug
          Components: security
    Affects Versions: 2.3.0
            Reporter: Francois Fernando


The following authentication code in Kafka still puzzles me (lines 67-74: https://github.com/apache/kafka/blob/3cdc78e6bb1f83973a14ce1550fe3874f7348b05/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslServerCallbackHandler.java).


    private void handleAuthorizeCallback(AuthorizeCallback ac) {
        String authenticationID = ac.getAuthenticationID();
        String authorizationID = ac.getAuthorizationID();

        LOG.info("Successfully authenticated client: authenticationID={}; authorizationID={}.",
                authenticationID, authorizationID);

        ac.setAuthorized(true);
        ac.setAuthorizedID(authenticationID);
    }

In a Kafka cluster secured with Kerberos, using a Kafka keytab with a principal like `sys_read/reader.myorg.corp@MYORG.CORP` results in:

    authenticationID = sys_read@MYORG.CORP
    authorizationID  = sys_read/reader.myorg.corp@MYORG.CORP

The last line of the above method sets the authorizedID to authenticationID, not authorizationID. From my understanding of Java security, the principal will become whatever is set as the AuthorizedID.

This means the ACL definitions can't use the full principal string as the principal, as the authorizer will never see it.
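The following is an added illustration and is not Kafka code nor a proposed Kafka patch. It drives the JDK's javax.security.sasl.AuthorizeCallback with the two IDs quoted in this report, applies the same assignment as the handler above (authorizedID := authenticationID) next to a hypothetical variant that keeps the SASL authorization ID, and runs a constructed, toy ACL lookup keyed on the full principal string to show which of the two the lookup matches. The "User:" prefix mirrors the form Kafka ACL principals take; the ACL map, topic name and method names are constructed for the example.

```java
import java.util.Map;
import java.util.Set;
import javax.security.sasl.AuthorizeCallback;

// Added example (not Kafka's code): shows which principal string an authorizer
// receives depending on what the SASL callback handler stores as authorizedID.
public class AuthorizedIdDemo {

    /** Same assignment as the handler quoted in the issue: authorizedID := authenticationID. */
    static String authorizedIdFromAuthnId(String authnId, String authzId) {
        AuthorizeCallback ac = new AuthorizeCallback(authnId, authzId);
        ac.setAuthorized(true);
        ac.setAuthorizedID(ac.getAuthenticationID());
        return ac.getAuthorizedID();
    }

    /** Hypothetical variant for comparison only: authorizedID := authorizationID. */
    static String authorizedIdFromAuthzId(String authnId, String authzId) {
        AuthorizeCallback ac = new AuthorizeCallback(authnId, authzId);
        ac.setAuthorized(true);
        // getAuthorizedID() already falls back to the authorization ID when no
        // explicit authorized ID is set; set it explicitly so the intent is visible.
        ac.setAuthorizedID(ac.getAuthorizationID());
        return ac.getAuthorizedID();
    }

    /** Toy ACL check (constructed): Read is allowed only if the exact principal string has an entry. */
    static boolean aclAllowsRead(Map<String, Set<String>> readAcls, String topic, String principal) {
        return readAcls.getOrDefault(topic, Set.of()).contains(principal);
    }

    public static void main(String[] args) {
        // Values taken from the issue report.
        String authnId = "sys_read@MYORG.CORP";
        String authzId = "sys_read/reader.myorg.corp@MYORG.CORP";

        // Constructed ACL: Read on topic "orders" granted to the full Kerberos
        // principal, which is the string an operator would naturally write.
        Map<String, Set<String>> readAcls = Map.of("orders", Set.of("User:" + authzId));

        String seenWithAuthnId = "User:" + authorizedIdFromAuthnId(authnId, authzId);
        System.out.println("authorizer sees " + seenWithAuthnId
                + "; read on orders allowed: " + aclAllowsRead(readAcls, "orders", seenWithAuthnId));

        String seenWithAuthzId = "User:" + authorizedIdFromAuthzId(authnId, authzId);
        System.out.println("authorizer sees " + seenWithAuthzId
                + "; read on orders allowed: " + aclAllowsRead(readAcls, "orders", seenWithAuthzId));
    }
}
```

Compile and run with a JDK 9 or later (`javac AuthorizedIdDemo.java && java AuthorizedIdDemo`); no Kafka dependency is needed because AuthorizeCallback ships with the JDK. Under the first handler the ACL entry written for the full principal is never matched, because the authorizer is handed the authentication ID form; the second handler surfaces the full principal. Note that the second variant is only there to show where the ID flows: in SASL the authorization ID is supplied by the client, so a real handler must verify that the authenticated identity is permitted to act as that authorization ID before calling setAuthorized(true), rather than accepting it unconditionally as this demo does.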



--
This message was sent by Atlassian Jira
(v8.3.4#803005)