Posted to commits@zookeeper.apache.org by ar...@apache.org on 2019/10/01 07:19:14 UTC
[zookeeper] branch branch-3.5 updated: ZOOKEEPER-1467: Make server principal configurable at client side.
This is an automated email from the ASF dual-hosted git repository.
arshad pushed a commit to branch branch-3.5
in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/branch-3.5 by this push:
new 457d7de ZOOKEEPER-1467: Make server principal configurable at client side.
457d7de is described below
commit 457d7dee925fddbed6114cd9d3686697057c5d42
Author: Sujith Simon <su...@huawei.com>
AuthorDate: Tue Oct 1 12:48:22 2019 +0530
ZOOKEEPER-1467: Make server principal configurable at client side.
Make server principal configurable at the client side
Author: sujithsimon22 <su...@huawei.com>
Reviewers: Mohammad Arshad <ar...@apache.org>, enixon, Enrico Olivelli <eo...@apache.org>
Closes #1104 from sujithsimon22/ZOOKEEPER-1467-3.5
---
.../src/main/resources/markdown/zookeeperProgrammers.md | 6 ++++++
.../main/java/org/apache/zookeeper/SaslServerPrincipal.java | 5 +++++
.../java/org/apache/zookeeper/client/ZKClientConfig.java | 3 +++
.../main/java/org/apache/zookeeper/util/SecurityUtils.java | 8 ++++++--
.../java/org/apache/zookeeper/ClientCanonicalizeTest.java | 13 +++++++++++++
5 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/zookeeper-docs/src/main/resources/markdown/zookeeperProgrammers.md b/zookeeper-docs/src/main/resources/markdown/zookeeperProgrammers.md
index addc796..0bd00b3 100644
--- a/zookeeper-docs/src/main/resources/markdown/zookeeperProgrammers.md
+++ b/zookeeper-docs/src/main/resources/markdown/zookeeperProgrammers.md
@@ -1205,6 +1205,12 @@ following reference
* *zookeeper.kinit* :
Specifies path to kinit binary. Default is "/usr/bin/kinit".
+* *zookeeper.server.principal* :
+ Specifies the server principal to be used by the client for authentication, while connecting to the zookeeper
+ server, when Kerberos authentication is enabled. A couple of ways to specify the server principal can be as
+ "zookeeper.server.principal = **zookeeper/zookeeper.apache.org@APACHE.ORG**" or
+ "zookeeper.server.principal = **zookeeper/zookeeper.apache.org**"
+
<a name="C+Binding"></a>
### C Binding
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java b/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java
index 2694f77..5213d9c 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java
@@ -46,6 +46,11 @@ public class SaslServerPrincipal {
* @return the name of the principal.
*/
static String getServerPrincipal(WrapperInetSocketAddress addr, ZKClientConfig clientConfig) {
+ String configuredServerPrincipal = clientConfig.getProperty(ZKClientConfig.ZOOKEEPER_SERVER_PRINCIPAL);
+ if (configuredServerPrincipal != null) {
+ // If server principal is already configured then return it
+ return configuredServerPrincipal;
+ }
String principalUserName = clientConfig.getProperty(ZKClientConfig.ZK_SASL_CLIENT_USERNAME,
ZKClientConfig.ZK_SASL_CLIENT_USERNAME_DEFAULT);
String hostName = addr.getHostName();
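Review bot: The configured principal on the added lines is returned without any content check, so an empty `zookeeper.server.principal` (a property supplied with no value) short-circuits the host-name derivation and hands an empty principal to the caller, which presumably only fails later in the SASL handshake with a less obvious error. Guard on content rather than mere presence: `if (configuredServerPrincipal != null && !configuredServerPrincipal.trim().isEmpty()) {`. The Javadoc above the method still says only `@return the name of the principal.`; it should state the override, e.g. `@return the principal configured via {@code zookeeper.server.principal} when set, otherwise the one derived from {@code addr}`. The body of getServerPrincipal continues past the end of the hunk.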
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZKClientConfig.java b/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZKClientConfig.java
index b2d214b..07ae65c 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZKClientConfig.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZKClientConfig.java
@@ -60,6 +60,7 @@ public class ZKClientConfig extends ZKConfig {
public static final String SECURE_CLIENT = ZooKeeper.SECURE_CLIENT;
public static final int CLIENT_MAX_PACKET_LENGTH_DEFAULT = 4096 * 1024; /* 4 MB */
public static final String ZOOKEEPER_REQUEST_TIMEOUT = "zookeeper.request.timeout";
+ public static final String ZOOKEEPER_SERVER_PRINCIPAL = "zookeeper.server.principal";
/**
* Feature is disabled by default.
*/
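Review bot: The new constant `ZOOKEEPER_SERVER_PRINCIPAL` has no Javadoc, although its effect is non-obvious: it replaces the host-name-derived principal in SaslServerPrincipal.getServerPrincipal and may be given with or without a realm, the realm being appended in SecurityUtils from `zookeeper.server.realm` or the client's realm. A short doc above it, `/** Server principal the client authenticates to; when set it overrides the principal derived from the server host name, and may omit the realm. */`, saves the reader a cross-file lookup. The neighbouring constants are likewise undocumented, so this is a style suggestion rather than a blocker.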
@@ -85,6 +86,8 @@ public class ZKClientConfig extends ZKConfig {
private void initFromJavaSystemProperties() {
setProperty(ZOOKEEPER_REQUEST_TIMEOUT,
System.getProperty(ZOOKEEPER_REQUEST_TIMEOUT));
+ setProperty(ZOOKEEPER_SERVER_PRINCIPAL,
+ System.getProperty(ZOOKEEPER_SERVER_PRINCIPAL));
}
@Override
diff --git a/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java b/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
index 67484e4..105d79e 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
@@ -112,8 +112,12 @@ public final class SecurityUtils {
// "zookeeper.server.realm" is set).
String serverRealm = System.getProperty("zookeeper.server.realm",
clientKerberosName.getRealm());
- KerberosName serviceKerberosName = new KerberosName(
- servicePrincipal + "@" + serverRealm);
+ String modifiedServerPrincipal = servicePrincipal;
+ // If service principal does not contain realm, then add it
+ if (!modifiedServerPrincipal.contains("@")) {
+ modifiedServerPrincipal = modifiedServerPrincipal + "@" + serverRealm;
+ }
+ KerberosName serviceKerberosName = new KerberosName(modifiedServerPrincipal);
final String serviceName = serviceKerberosName.getServiceName();
final String serviceHostname = serviceKerberosName.getHostName();
final String clientPrincipalName = clientKerberosName.toString();
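Review bot: When the principal already carries a realm, the `zookeeper.server.realm` system property read just above the added lines is silently ignored; that precedence is stated nowhere and is exactly what an operator debugging a cross-realm authentication failure needs to know. Replace the comment on the added line with one that spells it out: `// A realm embedded in the principal wins; zookeeper.server.realm (or the client's realm) is only appended when none is given`. `modifiedServerPrincipal` is also a misleading name on the path where nothing is modified; `qualifiedServicePrincipal` reads better. The enclosing method starts before the hunk.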
diff --git a/zookeeper-server/src/test/java/org/apache/zookeeper/ClientCanonicalizeTest.java b/zookeeper-server/src/test/java/org/apache/zookeeper/ClientCanonicalizeTest.java
index 91dec23..e1238ef 100644
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/ClientCanonicalizeTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/ClientCanonicalizeTest.java
@@ -18,6 +18,7 @@
package org.apache.zookeeper;
import java.io.IOException;
+import java.net.InetSocketAddress;
import org.apache.zookeeper.client.ZKClientConfig;
import org.junit.Assert;
import org.junit.Test;
@@ -73,4 +74,16 @@ public class ClientCanonicalizeTest extends ZKTestCase {
Assert.assertEquals("The computed principal does appear to have falled back to the original host name",
"zookeeper/zookeeper.apache.org", principal);
}
+
+ @Test
+ public void testGetServerPrincipalReturnConfiguredPrincipalName() {
+ ZKClientConfig config = new ZKClientConfig();
+ String configuredPrincipal = "zookeeper/zookeeper.apache.org@APACHE.ORG";
+ config.setProperty(ZKClientConfig.ZOOKEEPER_SERVER_PRINCIPAL, configuredPrincipal);
+
+ // Testing the case where server principal is configured, therefore InetSocketAddress is passed as null
+ String serverPrincipal = SaslServerPrincipal.getServerPrincipal((InetSocketAddress) null, config);
+ Assert.assertEquals(configuredPrincipal, serverPrincipal);
+ }
+
}
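Review bot: The new test only covers a principal that already contains a realm, so the realm-less form the documentation advertises (`zookeeper/zookeeper.apache.org`) and the realm-appending branch added in SecurityUtils have no coverage here. Add a second case that sets the property to the realm-less value and asserts getServerPrincipal returns it unchanged, which pins the contract that the override is passed through verbatim and realm handling happens later. The cast `(InetSocketAddress) null` presumably selects an overload not shown in this diff, since the SaslServerPrincipal hunk only shows the WrapperInetSocketAddress variant; a one-line comment naming that would help. The class body of ClientCanonicalizeTest ends at the closing brace in the hunk.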