KAFKA-5764: Add toLowerCase support to sasl.kerberos.principal.to.local rule #3800
Conversation
|
retest this please |
|
cc @hachikuji @ijuma pinging for review |
omkreddy
force-pushed
the
KAFKA-5764-REGEX
branch
from
b155f3f
to
fa2666b
Compare
|
@omkreddy Thanks for the patch. Looks like a good improvement, but I think we might need a short KIP since it changes a public API. |
omkreddy
force-pushed
the
KAFKA-5764-REGEX
branch
from
fa2666b
to
9a3e2c6
Compare
|
@hachikuji @ijuma Can you take a look at this minor KIP-203? KIP vote thread is waiting for couple of more votes. |
|
retest this please |
|
@omkreddy Voted. I'll see if I can get one more vote for you as well. |
|
@hachikuji whenever you get a chance, Please review the PR |
| @@ -33,7 +33,7 @@ | |||
| /** | |||
| * A pattern for parsing a auth_to_local rule. | |||
| */ | |||
| private static final Pattern RULE_PARSER = Pattern.compile("((DEFAULT)|(RULE:\\[(\\d*):([^\\]]*)](\\(([^)]*)\\))?(s/([^/]*)/([^/]*)/(g)?)?))"); | |||
| private static final Pattern RULE_PARSER = Pattern.compile("((DEFAULT)|(RULE:\\[(\\d*):([^\\]]*)](\\(([^)]*)\\))?(s/([^/]*)/([^/]*)/(g)?)?))/?(L)?"); | |||
There was a problem hiding this comment.
Seems like "DEFAULT/L" is a valid input. Is that intentional?
There was a problem hiding this comment.
it is not intentional, but i was not using "/L" in this case. Updated the regex to treat "DEFAULT/L" as invalid input.
docs/security.html
Outdated
| RULE:[n:string](regexp)s/pattern/replacement/ | ||
| RULE:[n:string](regexp)s/pattern/replacement/g | ||
| RULE:[n:string](regexp)s/pattern/replacement//L | ||
| RULE:[n:string](regexp)s/pattern/replacement/g/L</pre> |
There was a problem hiding this comment.
nit: move the end tag to the next line.
docs/security.html
Outdated
| The format of <code>sasl.kerberos.principal.to.local.rules</code> is a list where each rule works in the same way as the auth_to_local in <a href="http://web.mit.edu/Kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html">Kerberos configuration file (krb5.conf)</a>. Each rules starts with RULE: and contains an expression in the format [n:string](regexp)s/pattern/replacement/g. See the kerberos documentation for more details. An example of adding a rule to properly translate user@MYDOMAIN.COM to user while also keeping the default rule in place is: | ||
| By default, the SASL user name will be the primary part of the Kerberos principal. One can change that by setting <code>sasl.kerberos.principal.to.local.rules</code> to a customized rule in broker.properties. | ||
| The format of <code>sasl.kerberos.principal.to.local.rules</code> is a list where each rule works in the same way as the auth_to_local in <a href="http://web.mit.edu/Kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html">Kerberos configuration file (krb5.conf)</a>. This also support additional lowercase rule, to force the translated result to be all lower case. This is done by adding a "/L" to the end of the rule. check below formats for syntax. | ||
| Each rules starts with RULE: and contains an expression as the following formats. See the kerberos documentation for more details. |
There was a problem hiding this comment.
Great to have some examples in our docs 👍 . Do you think it's worth explaining each case in a little more detail?
There was a problem hiding this comment.
There are few articles available on web explaining these rules. so I felt not to repeat in our docs.
| @@ -182,6 +189,9 @@ String apply(String[] params) throws IOException { | |||
| if (result != null && NON_SIMPLE_PATTERN.matcher(result).find()) { | |||
| throw new NoMatchingRule("Non-simple name " + result + " after auth_to_local rule " + this); | |||
| } | |||
| if (toLowerCase && result != null) { | |||
| result = result.toLowerCase(Locale.ENGLISH); | |||
There was a problem hiding this comment.
Do you know the range of characters permitted in kerberos names?
There was a problem hiding this comment.
I am not sure about the character range. I felt it is safe to set EN locale. Hadoop implementation is also using EN locale.
@rajinisivaram any thoughts here?
omkreddy
force-pushed
the
KAFKA-5764-REGEX
branch
from
9a3e2c6
to
2ac957f
Compare
|
retest this please |
|
@hachikuji pinging for review |
| @@ -55,4 +55,33 @@ public void testParse() throws IOException { | |||
| assertEquals("REALM.COM", name.realm()); | |||
| assertEquals("user", shortNamer.shortName(name)); | |||
| } | |||
|
|
|||
| @Test | |||
| public void testToLowerCase() throws Exception { | |||
There was a problem hiding this comment.
Do we have any test cases which validate the behavior for invalid rules?
There was a problem hiding this comment.
@hachikuji Thanks for the review. Added a simple test case for invalid rules. Pls take a look.
…al rule (KIP-203) Author: Manikumar Reddy <manikumar.reddy@gmail.com> Reviewers: Jason Gustafson <jason@confluent.io> Closes apache#3800 from omkreddy/KAFKA-5764-REGEX
|
This is useful, can we backport this fix to Kafka 1.0? If yes, I have a PR for this: #5260 |
|
@umaanbazhagan Currently Kafka 1.0.2 Release vote is going on. I am not sure if we can include this now. You can post your query on vote thread. |
Committer Checklist (excluded from commit message)