THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
package org.apache.kafka.common.security.oauthbearer.refresh;
import javax.security.auth.spi.LoginModule;
/**
* An extension of the {@code LoginModule} interface that must be implemented by
* any login module that generates an instance of {@link ExpiringCredential} to
* be managed/refreshed by {@link ExpiringCredentialRefreshingLogin}. The
* existence of this interface is necessary to deal with the case when there are
* multiple enabled SASL mechanisms, one or more of which generate an expiring
* credential, and a SASL mechanism (as opposed to authentication via SSL) is
* used for inter-broker communication.
* <p>
* The following broker-side JAAS configuration helps illustrate the need for
* this interface:
*
* <pre>
* KafkaServer {
* org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule Required
* // etc...;
* some.othersaslmechanism.OtherSaslMechanismLoginModule Optional
* // etc...;
* };
* </pre>
*
* The {@code LoginContext} instance will initialize both login modules and ask
* them both to login -- that's how JAAS works -- regardless of which SASL
* mechanism is used for inter-broker communication. It is imperative that the
* login succeeds for the login module associated with the mechanism configured
* for inter-broker communication; it doesn't matter if any other mechanisms
* fail because they aren't actually being used for client-side work (they are
* only being used for the server side of the SASL handshake, and that is
* performed by the {@code SaslServer} instance rather than the
* {@code LoginModule} instance). This has 2 implications:
* <p>
* <ol>
* <li>The {@code CallbackHandler} instance provided to the {@code LoginContext}
* instance (which then passes it to all of the login modules) must be the
* correct one for the login module that must succeed; it does not have to be
* the correct one for any others.
* <li>The login modules that don't have to succeed (because they aren't being
* used for inter-broker communication) should be marked {@code Optional} in
* case they fail.
* </ol>
* <p>
* This raises the critical issue of how any instance of {@link Login} can know
* which {@code CallbackHandler} instance to instantiate. The
* {@link ScramLoginModule} and {@link PlainLoginModule} don't use the callback
* handler, but {@code com.sun.security.auth.module.Krb5LoginModule} does, and
* in fact {@link LoginCallbackHandler} serves the purpose of short-circuiting
* any request for user interaction in that case. So this issue hasn't been
* critical in the past; it is only now becoming more important.
* <p>
* All the {@code Login} instance knows is the SASL mechanism enabled for
* inter-broker communication (from the broker config) and the JAAS
* configuration (for example, the one shown above). It cannot know which
* {@code CallbackHandler} instance to instantiate from just that information
* because it cannot determine from that information alone which of the login
* modules handles the declared inter-broker communication mechanism.
* <p>
* We thus arrive at the need for this interface. A {@code Login} instance can
* look at all of the declared login module classes, determine which of them
* implements this interface, and then for each of those it can instantiate an
* instance using the default constructor and ask for its applicable mechanisms
* via {@link #mechanisms()}. If it finds a login module with an applicable SASL
* mechanism matching the one being used for inter-broker communication it can
* then ask for a {@code CallbackHandler} instance via
* {@link #newCallbackHandler()}. Otherwise, if it doesn't find a match, it just
* instantiates an instance of {@link LoginCallbackHandler}, which is what
* {@link AbstractLogin#login()} currently creates and is required for the initial
* initial Kerberos login attempt for short-circuit behavior as mentioned above.
*/
public interface ExpiringCredentialLoginModule extends LoginModule {
/**
* Return the set of SASL mechanisms this login module applies to
*
* @return the set of SASL mechanisms this login module applies to
*/
Set<String> mechanisms();
/**
* Return a new {@code CallbackHandler} instance appropriate for this login
* module when one of its supported mechanisms as returned by
* {@link #mechanisms()} is the SASL mechanism for inter-broker communication.
*
* @return a new {@code CallbackHandler} instance appropriate for this login
* module when one of its supported mechanisms as returned by
* {@link #mechanisms()} is the SASL mechanism for inter-broker
* communication.
*/
CallbackHandler newCallbackHandler();
} |
...