Posted to users@kafka.apache.org by Kiriti Sai <ki...@gmail.com> on 2016/11/30 07:40:27 UTC

Writing a customized principal builder for authorization

Hi,
Can anyone help me or point me to any resources that can be of help for
writing a customized principal builder to use in Authorization using ACLs?
I've enabled SSL authentication scheme for both clients and brokers but I
would like to change the principal name to just the original name and
Organizational unit instead of the complete default principal name for SSL.

Thanks in advance for the help.

Re: Writing a customized principal builder for authorization

Posted by Zac Harvey <za...@welltok.com>.
How do you then modify Kafka's searchable classpath to pick up this new principal.builder.class classfile from a JAR somewhere on the filesystem?


In other words, I change my server.properties to:


principal.builder.class=com.example.kafkautils.MyCustomKafkaPrincipalBuilder


How will Kafka be able to find that at startup?

________________________________
From: Mayuresh Gharat <gh...@gmail.com>
Sent: Wednesday, November 30, 2016 12:51:14 PM
To: users@kafka.apache.org
Subject: Re: Writing a customized principal builder for authorization

"principal.builder.class" is the name of the property.

Thanks,

Mayuresh

On Wed, Nov 30, 2016 at 9:30 AM, <gh...@gmail.com> wrote:

> Hi Kiriti,
>
> You will have to implement the Principal Builder interface and provide the
> full class path in broker config. I don't remember the exact config name
> right now, but you can search for some config by name
> "principalbuilder.class" in the broker configs.
>
> Once you do this, Kafka will automatically use your custom
> PrincipalBuilder class for generating the principal.
>
> The buildPrincipal() function in the PrincipalBuilder is where you will
> have to create your custom Principal class object (this custom
> principal class should implement the Java Principal interface) and this custom
> principal.getname() can return whatever name you want.
>
> Let me know if this helps.
>
> Thanks,
>
> Mayuresh
>
>
>
> Sent from my iPhone
>
> > On Nov 29, 2016, at 11:40 PM, Kiriti Sai <ki...@gmail.com>
> wrote:
> >
> > Hi,
> > Can anyone help me or point me to any resources that can be of help for
> > writing a customized principal builder to use in Authorization using
> ACLs?
> > I've enabled SSL authentication scheme for both clients and brokers but I
> > would like to change the principal name to just the original name and
> > Organizational unit instead of the complete default principal name for
> SSL.
> >
> > Thanks in advance for the help.
>



--
-Regards,
Mayuresh R. Gharat
(862) 250-7125

Re: Writing a customized principal builder for authorization

Posted by Martin Gainty <mg...@hotmail.com>.
this is a quick and dirty test you can use:


org.apache.kafka.common.network.SslSelectorTest (setup):

// Truststore needs to contain the keystore/cert that holds the actual principal you will use
File trustStoreFile = File.createTempFile("truststore", ".jks");

Map<String, Object> sslServerConfigs = org.apache.kafka.test.TestSslUtils.createSslConfig(false, true, Mode.SERVER, trustStoreFile, "server");

// supply the PrincipalBuilder java class to the SSL server under "principal.builder.class";
// the default class is "org.apache.kafka.common.security.auth.DefaultPrincipalBuilder"
sslServerConfigs.put(org.apache.kafka.common.config.SslConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG,
        Class.forName(org.apache.kafka.common.config.SslConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));

try {
    this.server = new org.apache.kafka.common.network.EchoServer(sslServerConfigs);
} catch (org.apache.kafka.common.KafkaException excp) {
    log.debug("SslSelectorTest::setup LINE 55 new EchoServer throws KafkaException message=" + excp.getMessage());
}

try {
    this.server.start();
    this.time = new org.apache.kafka.common.utils.MockTime();

    // create the client SSL config (client side, so Mode.CLIENT)
    Map<String, Object> sslClientConfigs = org.apache.kafka.test.TestSslUtils.createSslConfig(false, false, Mode.CLIENT, trustStoreFile, "client");

    this.channelBuilder = new org.apache.kafka.common.network.SslChannelBuilder(org.apache.kafka.common.network.Mode.CLIENT);
    this.channelBuilder.configure(sslClientConfigs);
    this.metrics = new org.apache.kafka.common.metrics.Metrics();

    // if the metric group is not specified or null, Selector throws NPE
    this.selector = new org.apache.kafka.common.network.Selector(5000, metrics, time, "MetricGroup", new LinkedHashMap<String, String>(), channelBuilder);
} catch (NullPointerException npe) {
    log.debug("SslSelectorTest::setup LINE 67 throws NPE message=" + npe.getMessage());
}

// display attributes to ascertain the principal name
// (ISAuthorizationCredential / ISSsoAction are the Fujitsu Interstage SSO classes described in the manual linked below)
public void authorize() {
    System.out.println("\n*** Credential Information ***");

    // obtain user information from the private credential set
    // (a freshly constructed Subject carries no credentials; in practice take it from LoginContext.getSubject())
    javax.security.auth.Subject subject = new javax.security.auth.Subject();
    Set<Object> credentials = subject.getPrivateCredentials();

    // display credential information
    for (Object credential : credentials) {
        // this credential identifies the login user
        if (credential instanceof ISAuthorizationCredential) {
            ISAuthorizationCredential isCredential = (ISAuthorizationCredential) credential;

            System.out.println("AuthorizationCredential=" + isCredential.getEncryptedCredential());
            System.out.println("Dn=" + isCredential.getDN());
            System.out.println("Uid=" + isCredential.getUID());

            // display roles
            Set roles = isCredential.getRoles();
            if (roles != null) {
                for (Object role : roles) {
                    System.out.println("Role=" + role);
                }
            }

            System.out.println("ClientAddress=" + isCredential.getClientAddress());
            System.out.println("AuthMethod=" + isCredential.getAuthMethod());
            System.out.println("AuthTime=" + isCredential.getAuthTime());
            System.out.println("Expiration=" + isCredential.getExpiration());
        }
    }

    System.out.println("\n*** Principals Information ***");

    // display principal information
    Set<java.security.Principal> principals = subject.getPrincipals();
    for (java.security.Principal principal : principals) {
        System.out.println("Principal=" + principal.getName());
    }

    System.out.println("\n*** Execute PrivilegedAction ***");

    // privileged operation executed as the authenticated subject;
    // the custom Java action collects username/pwd
    PrivilegedAction myAction = new ISSsoAction();
    javax.security.auth.Subject.doAs(subject, myAction);
} // end authorize
http://www.fujitsu.com/downloads/SFTWR/manual/fm_e/b23j37jh0/b1wn4881/01/b1wn488101enz2.pdf


// IF you have to create a new URLConnection thru a proxy you can use something like
// public class DelegateHttpsURLConnection extends com.sun.net.ssl.internal.www.protocol.https.DelegateHttpsURLConnection

DelegateHttpsURLConnection delegate = new DelegateHttpsURLConnection((java.net.URL) url, (java.net.Proxy) p,
        (sun.net.www.protocol.https.Handler) handler, (sun.net.www.protocol.https.HttpsURLConnectionImpl) this);

// getPeerPrincipal() returns the principal with which the server authenticated itself,
// or throws SSLPeerUnverifiedException if the server did not authenticate
// (works as long as public interface Principal extends java.security.Principal)
try {
    Principal principal = delegate.getPeerPrincipal();
    log.debug("peer certificate name=" + principal.getName());
} catch (javax.net.ssl.SSLPeerUnverifiedException unverified) {
    // if the peer did not authenticate, check the local principal
    if (delegate.getLocalPrincipal() != null) {
        log.debug("principal name=" + delegate.getLocalPrincipal().getName());
    } else {
        // neither side authenticated: throw the exception
        throw unverified;
    }
}

..it really is that simple..
M-
________________________________
From: Mayuresh Gharat <gh...@gmail.com>
Sent: Wednesday, November 30, 2016 12:51 PM
To: users@kafka.apache.org
Subject: Re: Writing a customized principal builder for authorization

"principal.builder.class" is the name of the property.

Thanks,

Mayuresh

On Wed, Nov 30, 2016 at 9:30 AM, <gh...@gmail.com> wrote:

> Hi Kiriti,
>
> You will have to implement the Principal Builder interface and provide the
> full class path in broker config. I don't remember the exact config name
> right now, but you can search for some config by name
> "principalbuilder.class" in the broker configs.
>
> Once you do this, Kafka will automatically use your custom
> PrincipalBuilder class for generating the principal.
>
> The buildPrincipal() function in the PrincipalBuilder is where you will
> have to create your custom Principal class object (this custom
> principal class should implement the Java Principal interface) and this custom
> principal.getname() can return whatever name you want.
>
> Let me know if this helps.
>
> Thanks,
>
> Mayuresh
>
>
>
> Sent from my iPhone
>
> > On Nov 29, 2016, at 11:40 PM, Kiriti Sai <ki...@gmail.com>
> wrote:
> >
> > Hi,
> > Can anyone help me or point me to any resources that can be of help for
> > writing a customized principal builder to use in Authorization using
> ACLs?
> > I've enabled SSL authentication scheme for both clients and brokers but I
> > would like to change the principal name to just the original name and
> > Organizational unit instead of the complete default principal name for
> SSL.
> >
> > Thanks in advance for the help.
>



--
-Regards,
Mayuresh R. Gharat
(862) 250-7125

Re: Writing a customized principal builder for authorization

Posted by Mayuresh Gharat <gh...@gmail.com>.
"principal.builder.class" is the name of the property.

Thanks,

Mayuresh

On Wed, Nov 30, 2016 at 9:30 AM, <gh...@gmail.com> wrote:

> Hi Kiriti,
>
> You will have to implement the Principal Builder interface and provide the
> full class path in broker config. I don't remember the exact config name
> right now, but you can search for some config by name
> "principalbuilder.class" in the broker configs.
>
> Once you do this, Kafka will automatically use your custom
> PrincipalBuilder class for generating the principal.
>
> The buildPrincipal() function in the PrincipalBuilder is where you will
> have to create your custom Principal class object (this custom
> principal class should implement the Java Principal interface) and this custom
> principal.getname() can return whatever name you want.
>
> Let me know if this helps.
>
> Thanks,
>
> Mayuresh
>
>
>
> Sent from my iPhone
>
> > On Nov 29, 2016, at 11:40 PM, Kiriti Sai <ki...@gmail.com>
> wrote:
> >
> > Hi,
> > Can anyone help me or point me to any resources that can be of help for
> > writing a customized principal builder to use in Authorization using
> ACLs?
> > I've enabled SSL authentication scheme for both clients and brokers but I
> > would like to change the principal name to just the original name and
> > Organizational unit instead of the complete default principal name for
> SSL.
> >
> > Thanks in advance for the help.
>



-- 
-Regards,
Mayuresh R. Gharat
(862) 250-7125

Re: Writing a customized principal builder for authorization

Posted by gh...@gmail.com.
Hi Kiriti,

You will have to implement the Principal Builder interface and provide the full class path in broker config. I don't remember the exact config name right now, but you can search for some config by name "principalbuilder.class" in the broker configs. 

Once you do this, Kafka will automatically use your custom PrincipalBuilder class for generating the principal.

The buildPrincipal() function in the PrincipalBuilder is where you will have to create your custom Principal class object (this custom principal class should implement the Java Principal interface) and this custom principal.getname() can return whatever name you want.

Let me know if this helps.

Thanks,

Mayuresh



Sent from my iPhone

> On Nov 29, 2016, at 11:40 PM, Kiriti Sai <ki...@gmail.com> wrote:
> 
> Hi,
> Can anyone help me or point me to any resources that can be of help for
> writing a customized principal builder to use in Authorization using ACLs?
> I've enabled SSL authentication scheme for both clients and brokers but I
> would like to change the principal name to just the original name and
> Organizational unit instead of the complete default principal name for SSL.
> 
> Thanks in advance for the help.
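Added example, not code from this thread or from Kafka itself: a builder of the kind Mayuresh describes, implementing the org.apache.kafka.common.security.auth.PrincipalBuilder interface of the 0.10 Kafka line this thread is about. It takes the peer's X.500 DN from the SSL transport layer and returns a KafkaPrincipal whose name is only the CN and OU, which is what the original question asks for. The package and class name are assumed to match the server.properties line Zac quotes; the DN parsing uses the JDK's javax.naming.ldap.LdapName (RFC 2253), and the sample DN in the comments is constructed.

```java
package com.example.kafkautils; // assumed package, matching the server.properties line in the thread

import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.network.Authenticator;
import org.apache.kafka.common.network.TransportLayer;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.PrincipalBuilder;

/**
 * Example builder (not part of Kafka): maps a constructed sample DN such as
 *   "CN=alice,OU=payments,O=Example Corp,C=US"
 * to the ACL principal "User:alice/payments", i.e. CN and OU only, instead of
 * the full DN string that DefaultPrincipalBuilder would hand to the authorizer.
 */
public class MyCustomKafkaPrincipalBuilder implements PrincipalBuilder {

    @Override
    public void configure(Map<String, ?> configs) {
        // Nothing to configure; the broker passes its config map in here.
    }

    @Override
    public Principal buildPrincipal(TransportLayer transportLayer, Authenticator authenticator)
            throws KafkaException {
        Principal peer;
        try {
            peer = transportLayer.peerPrincipal();
        } catch (IOException e) {
            throw new KafkaException("Failed to obtain peer principal", e);
        }
        // Only a mutually authenticated SSL connection yields an X.500 DN. Anything
        // else (e.g. KafkaPrincipal.ANONYMOUS on a listener without client auth) is
        // passed through unchanged so it keeps the ACL identity it already had.
        if (!(peer instanceof X500Principal)) {
            return peer;
        }
        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, shortName(peer.getName()));
    }

    /**
     * Reduces an RFC 2253 DN string to "cn/ou". Fails closed (throws) when the DN
     * cannot be parsed or lacks either attribute, rather than silently producing
     * a principal that no ACL was written for.
     */
    static String shortName(String dn) throws KafkaException {
        String cn = null;
        String ou = null;
        try {
            // LdapName.getRdns() lists RDNs right-to-left, so overwriting on each
            // match leaves the leftmost (most specific) CN and OU in place.
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    cn = String.valueOf(rdn.getValue());
                } else if ("OU".equalsIgnoreCase(rdn.getType())) {
                    ou = String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            throw new KafkaException("Peer name is not a valid X.500 DN: " + dn, e);
        }
        if (cn == null || ou == null) {
            throw new KafkaException("Peer DN has no CN or no OU, refusing to build a principal: " + dn);
        }
        return cn + "/" + ou;
    }

    @Override
    public void close() throws KafkaException {
        // Nothing to release.
    }
}
```

With principal.builder.class=com.example.kafkautils.MyCustomKafkaPrincipalBuilder in server.properties and the JAR on the broker classpath (kafka-run-class.sh picks up the jars under libs/ and also honours the CLASSPATH environment variable), ACLs are then written against names like User:alice/payments. Two points worth checking before relying on this: dropping O and C from the DN means any two certificates the trusted CA issues with the same CN and OU become the same ACL principal, so the CA's issuance policy is now part of the authorization design; and a DN without CN or OU is rejected here on purpose rather than mapped to some partial name. From Kafka 1.0 onward this interface is deprecated in favour of KafkaPrincipalBuilder, so the same logic would be ported to build(AuthenticationContext) there.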