Posted to commits@zookeeper.apache.org by ar...@apache.org on 2019/10/01 07:19:14 UTC

[zookeeper] branch branch-3.5 updated: ZOOKEEPER-1467: Make server principal configurable at client side.

This is an automated email from the ASF dual-hosted git repository.

arshad pushed a commit to branch branch-3.5
in repository https://gitbox.apache.org/repos/asf/zookeeper.git


The following commit(s) were added to refs/heads/branch-3.5 by this push:
     new 457d7de  ZOOKEEPER-1467: Make server principal configurable at client side.
457d7de is described below

commit 457d7dee925fddbed6114cd9d3686697057c5d42
Author: Sujith Simon <su...@huawei.com>
AuthorDate: Tue Oct 1 12:48:22 2019 +0530

    ZOOKEEPER-1467: Make server principal configurable at client side.
    
    Make server principal configurable at the client side
    
    Author: sujithsimon22 <su...@huawei.com>
    
    Reviewers: Mohammad Arshad <ar...@apache.org>, enixon, Enrico Olivelli <eo...@apache.org>
    
    Closes #1104 from sujithsimon22/ZOOKEEPER-1467-3.5
---
 .../src/main/resources/markdown/zookeeperProgrammers.md     |  6 ++++++
 .../main/java/org/apache/zookeeper/SaslServerPrincipal.java |  5 +++++
 .../java/org/apache/zookeeper/client/ZKClientConfig.java    |  3 +++
 .../main/java/org/apache/zookeeper/util/SecurityUtils.java  |  8 ++++++--
 .../java/org/apache/zookeeper/ClientCanonicalizeTest.java   | 13 +++++++++++++
 5 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/zookeeper-docs/src/main/resources/markdown/zookeeperProgrammers.md b/zookeeper-docs/src/main/resources/markdown/zookeeperProgrammers.md
index addc796..0bd00b3 100644
--- a/zookeeper-docs/src/main/resources/markdown/zookeeperProgrammers.md
+++ b/zookeeper-docs/src/main/resources/markdown/zookeeperProgrammers.md
@@ -1205,6 +1205,12 @@ following reference
 * *zookeeper.kinit* :
     Specifies path to kinit binary. Default is "/usr/bin/kinit".
 
+* *zookeeper.server.principal* :
+    Specifies the server principal to be used by the client for authentication, while connecting to the zookeeper
+    server, when Kerberos authentication is enabled. A couple of ways to specify the server principal can be as
+    "zookeeper.server.principal = **zookeeper/zookeeper.apache.org@APACHE.ORG**" or
+    "zookeeper.server.principal = **zookeeper/zookeeper.apache.org**"
+
 <a name="C+Binding"></a>
 
 ### C Binding
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java b/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java
index 2694f77..5213d9c 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java
@@ -46,6 +46,11 @@ public class SaslServerPrincipal {
      * @return the name of the principal.
      */
     static String getServerPrincipal(WrapperInetSocketAddress addr, ZKClientConfig clientConfig) {
+        String configuredServerPrincipal = clientConfig.getProperty(ZKClientConfig.ZOOKEEPER_SERVER_PRINCIPAL);
+        if (configuredServerPrincipal != null) {
+            // If server principal is already configured then return it
+            return configuredServerPrincipal;
+        }
         String principalUserName = clientConfig.getProperty(ZKClientConfig.ZK_SASL_CLIENT_USERNAME,
             ZKClientConfig.ZK_SASL_CLIENT_USERNAME_DEFAULT);
         String hostName = addr.getHostName();
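Review bot: The new early return in getServerPrincipal checks only for null, so an empty or whitespace-only `zookeeper.server.principal` (for example a `-D` flag with no value) would be returned as the server principal. Judging by the SecurityUtils hunk in this commit, it would then become a bare `@realm` name. The guard could be `if (configuredServerPrincipal != null && !configuredServerPrincipal.trim().isEmpty()) {` so that a blank value falls through to the host-derived principal. The inline comment could also say that the configured value is used verbatim for every server in the connect string, bypassing the hostname-based derivation below. The method body continues past the end of the hunk.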
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZKClientConfig.java b/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZKClientConfig.java
index b2d214b..07ae65c 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZKClientConfig.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZKClientConfig.java
@@ -60,6 +60,7 @@ public class ZKClientConfig extends ZKConfig {
     public static final String SECURE_CLIENT = ZooKeeper.SECURE_CLIENT;
     public static final int CLIENT_MAX_PACKET_LENGTH_DEFAULT = 4096 * 1024; /* 4 MB */
     public static final String ZOOKEEPER_REQUEST_TIMEOUT = "zookeeper.request.timeout";
+    public static final String ZOOKEEPER_SERVER_PRINCIPAL = "zookeeper.server.principal";
     /**
      * Feature is disabled by default.
      */
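Review bot: `ZOOKEEPER_SERVER_PRINCIPAL` is added without Javadoc, although it decides which Kerberos service principal the client expects the server to hold. A short comment at the declaration would make that visible, for example `/** Kerberos principal of the server, with or without realm; when set it replaces the principal derived from the server host name. */`. The Javadoc at the end of this hunk appears to belong to the next declaration, which is outside the hunk.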
@@ -85,6 +86,8 @@ public class ZKClientConfig extends ZKConfig {
     private void initFromJavaSystemProperties() {
         setProperty(ZOOKEEPER_REQUEST_TIMEOUT,
                 System.getProperty(ZOOKEEPER_REQUEST_TIMEOUT));
+        setProperty(ZOOKEEPER_SERVER_PRINCIPAL,
+                System.getProperty(ZOOKEEPER_SERVER_PRINCIPAL));
     }
 
     @Override
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java b/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
index 67484e4..105d79e 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
@@ -112,8 +112,12 @@ public final class SecurityUtils {
             // "zookeeper.server.realm" is set).
             String serverRealm = System.getProperty("zookeeper.server.realm",
                     clientKerberosName.getRealm());
-            KerberosName serviceKerberosName = new KerberosName(
-                    servicePrincipal + "@" + serverRealm);
+            String modifiedServerPrincipal = servicePrincipal;
+            // If service principal does not contain realm, then add it
+            if (!modifiedServerPrincipal.contains("@")) {
+                modifiedServerPrincipal = modifiedServerPrincipal + "@" + serverRealm;
+            }
+            KerberosName serviceKerberosName = new KerberosName(modifiedServerPrincipal);
             final String serviceName = serviceKerberosName.getServiceName();
             final String serviceHostname = serviceKerberosName.getHostName();
             final String clientPrincipalName = clientKerberosName.toString();
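Review bot: When the configured principal already contains `@`, the `serverRealm` computed just above (from `zookeeper.server.realm` or the client's realm) is silently ignored, and neither the new comment nor the existing one says which source wins. I would state the precedence next to the check, for example `// A realm embedded in the principal takes precedence over zookeeper.server.realm`. A value that ends in `@` passes the `contains` check with an empty realm; how KerberosName handles that is not visible here, so it may deserve a test. The name `modifiedServerPrincipal` also mixes "server" into code that otherwise uses `servicePrincipal` and `serviceKerberosName`. The enclosing method starts and ends outside the hunk.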
diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/ClientCanonicalizeTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/ClientCanonicalizeTest.java
index 91dec23..e1238ef 100644
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/ClientCanonicalizeTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/ClientCanonicalizeTest.java
@@ -18,6 +18,7 @@
 package org.apache.zookeeper;
 
 import java.io.IOException;
+import java.net.InetSocketAddress;
 import org.apache.zookeeper.client.ZKClientConfig;
 import org.junit.Assert;
 import org.junit.Test;
@@ -73,4 +74,16 @@ public class ClientCanonicalizeTest extends ZKTestCase {
         Assert.assertEquals("The computed principal does appear to have falled back to the original host name",
             "zookeeper/zookeeper.apache.org", principal);
     }
+
+    @Test
+    public void testGetServerPrincipalReturnConfiguredPrincipalName() {
+        ZKClientConfig config = new ZKClientConfig();
+        String configuredPrincipal = "zookeeper/zookeeper.apache.org@APACHE.ORG";
+        config.setProperty(ZKClientConfig.ZOOKEEPER_SERVER_PRINCIPAL, configuredPrincipal);
+
+        // Testing the case where server principal is configured, therefore InetSocketAddress is passed as null
+        String serverPrincipal = SaslServerPrincipal.getServerPrincipal((InetSocketAddress) null, config);
+        Assert.assertEquals(configuredPrincipal, serverPrincipal);
+    }
+
 }
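Review bot: The added test covers only the realm-qualified value `zookeeper/zookeeper.apache.org@APACHE.ORG`; the realm-less form that the documentation in this commit also advertises is not tested. That form is the one that reaches the new `contains("@")` branch in SecurityUtils, so a test there (or a second case here with `zookeeper/zookeeper.apache.org`) would pin the realm-appending behaviour. A case with an empty property value would also document whether a blank setting is meant to override the host-derived principal.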