Posted to jira@kafka.apache.org by "Konstantine Karantasis (Jira)" <ji...@apache.org> on 2021/02/03 23:34:00 UTC

[jira] [Resolved] (KAFKA-10895) Basic auth extension's JAAS config can be corrupted by other plugins

     [ https://issues.apache.org/jira/browse/KAFKA-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Konstantine Karantasis resolved KAFKA-10895.
--------------------------------------------
    Resolution: Fixed

> Basic auth extension's JAAS config can be corrupted by other plugins
> --------------------------------------------------------------------
>
>                 Key: KAFKA-10895
>                 URL: https://issues.apache.org/jira/browse/KAFKA-10895
>             Project: Kafka
>          Issue Type: Bug
>          Components: KafkaConnect
>    Affects Versions: 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.1.1, 2.3.0, 2.2.1, 2.2.2, 2.4.0, 2.3.1, 2.5.0, 2.4.1, 2.6.0, 2.5.1, 2.7.0
>            Reporter: Chris Egerton
>            Assignee: Chris Egerton
>            Priority: Major
>             Fix For: 2.3.2, 2.4.2, 2.5.2, 2.8.0, 2.7.1, 2.6.2
>
>
> The Connect [BasicAuthSecurityRestExtension|https://github.com/apache/kafka/blob/trunk/connect/basic-auth-extension/src/main/java/org/apache/kafka/connect/rest/basic/auth/extension/BasicAuthSecurityRestExtension.java]'s doc states that "An entry with the name {{KafkaConnect}} is expected in the JAAS config file configured in the JVM."
> This is technically accurate, as the [JaasBasicAuthFilter|https://github.com/apache/kafka/blob/afa5423356d3d2a2135a51200573b45d097f6d60/connect/basic-auth-extension/src/main/java/org/apache/kafka/connect/rest/basic/auth/extension/JaasBasicAuthFilter.java#L61-L63] that the extension installs creates a {{LoginContext}} using a [constructor|https://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/LoginContext.html#LoginContext-java.lang.String-javax.security.auth.callback.CallbackHandler-] that does not include a [Configuration|https://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/Configuration.html] to be passed in, which causes [Configuration::getConfiguration|https://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/Configuration.html#getConfiguration--] to be used under the hood by the {{LoginContext}} to fetch the JAAS configuration to use for authentication.
> Unfortunately, other plugins (connectors, converters, even other REST extensions, etc.) may invoke [Configuration::setConfiguration|https://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/Configuration.html#setConfiguration-javax.security.auth.login.Configuration-] and install a completely different JAAS configuration onto the JVM. If the user starts their JVM with a JAAS config set via the {{-Djava.security.auth.login.config}} property, that JAAS config can then be completely overwritten, and if the basic auth extension depends on the JAAS config that's installed at startup (as opposed to at runtime by a plugin), it will break.
> It's debatable whether this can or should be addressed with a code fix. One possibility is to cache the current JVM's configuration as soon as the basic auth extension is loaded by invoking {{Configuration::getConfiguration}} and saving the resulting configuration for future {{LoginContext}} instantiations. However, it may be possible that users actually rely on runtime plugins being able to install custom configurations at runtime for their basic auth extension, in which case this change would actually be harmful.
> Regardless, it's worth noting this odd behavior here in the hopes that it can save some time for others who encounter the same issue.
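
A runnable sketch of the behaviour described above, added here and not part of the Jira issue or of Kafka's own code: the two-argument LoginContext constructor consults the JVM-wide Configuration on every call, so a plugin that calls Configuration.setConfiguration() breaks it, while a Configuration captured at extension load and passed to the four-argument constructor keeps resolving the KafkaConnect entry. The Configuration objects are built in code in place of a JAAS file, and the login module class name and password-file path are placeholders (the module class is not loaded at construction time).

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.util.Collections;

public class JaasConfigPinningDemo {
    static final String ENTRY = "KafkaConnect";

    // Stand-in for the JAAS config installed at JVM startup via -Djava.security.auth.login.config;
    // built in code here so the demo needs no file. Module name and path are placeholders.
    static Configuration startupConfig() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!ENTRY.equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",  // placeholder; not loaded at construction
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Collections.singletonMap("file", "/placeholder/connect.password")) };
            }
        };
    }

    // Stand-in for another plugin that replaces the JVM-wide JAAS config with one lacking the KafkaConnect entry.
    static Configuration pluginConfig() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return null; }
        };
    }

    // Current behaviour: no Configuration passed, so LoginContext calls Configuration.getConfiguration() each time.
    static boolean globalLookupWorks(CallbackHandler handler) {
        try { new LoginContext(ENTRY, handler); return true; } catch (LoginException e) { return false; }
    }

    // Mitigation floated in the issue: pass the Configuration captured at extension load to the 4-arg constructor.
    static boolean pinnedLookupWorks(Configuration pinned, CallbackHandler handler) {
        try { new LoginContext(ENTRY, new Subject(), handler, pinned); return true; } catch (LoginException e) { return false; }
    }

    public static void main(String[] args) {
        CallbackHandler handler = callbacks -> {};          // nothing is prompted during construction
        Configuration.setConfiguration(startupConfig());   // simulates the -D startup config
        Configuration pinned = Configuration.getConfiguration(); // what the extension would cache on load
        System.out.println("before plugin: global=" + globalLookupWorks(handler) + ", pinned=" + pinnedLookupWorks(pinned, handler));
        Configuration.setConfiguration(pluginConfig());    // the corrupting plugin installs its own config
        System.out.println("after plugin:  global=" + globalLookupWorks(handler) + ", pinned=" + pinnedLookupWorks(pinned, handler));
    }
}
```

The second line shows the global lookup failing with "No LoginModules configured for KafkaConnect" while the pinned lookup still succeeds; whether pinning is desirable depends on whether any plugin is expected to supply the basic auth config at runtime, as the issue notes.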



--
This message was sent by Atlassian Jira
(v8.3.4#803005)