THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
package org.apache.kafka.common.security.oauthbearer.refresh; import javax.security.auth.spi.LoginModule; /** * An extension of the {@code LoginModule} interface that must be implemented by * any login module that generates an instance of {@link ExpiringCredential} to * be managed/refreshed by {@link ExpiringCredentialRefreshingLogin}. The * existence of this interface is necessary to deal with the case when there are * multiple enabled SASL mechanisms, one or more of which generate an expiring * credential, and a SASL mechanism (as opposed to authentication via SSL) is * used for inter-broker communication. * <p> * The following broker-side JAAS configuration helps illustrate the need for * this interface: * * <pre> * KafkaServer { * org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule Required * // etc...; * some.othersaslmechanism.OtherSaslMechanismLoginModule Optional * // etc...; * }; * </pre> * * The {@code LoginContext} instance will initialize both login modules and ask * them both to login -- that's how JAAS works -- regardless of which SASL * mechanism is used for inter-broker communication. It is imperative that the * login succeeds for the login module associated with the mechanism configured * for inter-broker communication; it doesn't matter if any other mechanisms * fail because they aren't actually being used for client-side work (they are * only being used for the server side of the SASL handshake, and that is * performed by the {@code SaslServer} instance rather than the * {@code LoginModule} instance). This has 2 implications: * <p> * <ol> * <li>The {@code CallbackHandler} instance provided to the {@code LoginContext} * instance (which then passes it to all of the login modules) must be the * correct one for the login module that must succeed; it does not have to be * the correct one for any others. * <li>The login modules that don't have to succeed (because they aren't being * used for inter-broker communication) should be marked {@code Optional} in * case they fail. * </ol> * <p> * This raises the critical issue of how any instance of {@link Login} can know * which {@code CallbackHandler} instance to instantiate. The * {@link ScramLoginModule} and {@link PlainLoginModule} don't use the callback * handler, but {@code com.sun.security.auth.module.Krb5LoginModule} does, and * in fact {@link LoginCallbackHandler} serves the purpose of short-circuiting * any request for user interaction in that case. So this issue hasn't been * critical in the past; it is only now becoming more important. * <p> * All the {@code Login} instance knows is the SASL mechanism enabled for * inter-broker communication (from the broker config) and the JAAS * configuration (for example, the one shown above). It cannot know which * {@code CallbackHandler} instance to instantiate from just that information * because it cannot determine from that information alone which of the login * modules handles the declared inter-broker communication mechanism. * <p> * We thus arrive at the need for this interface. A {@code Login} instance can * look at all of the declared login module classes, determine which of them * implements this interface, and then for each of those it can instantiate an * instance using the default constructor and ask for its applicable mechanisms * via {@link #mechanisms()}. If it finds a login module with an applicable SASL * mechanism matching the one being used for inter-broker communication it can * then ask for a {@code CallbackHandler} instance via * {@link #newCallbackHandler()}. Otherwise, if it doesn't find a match, it just * instantiates an instance of {@link LoginCallbackHandler}, which is what * {@link AbstractLogin#login()} currently creates and is required for the initial * initial Kerberos login attempt for short-circuit behavior as mentioned above. */ public interface ExpiringCredentialLoginModule extends LoginModule { /** * Return the set of SASL mechanisms this login module applies to * * @return the set of SASL mechanisms this login module applies to */ Set<String> mechanisms(); /** * Return a new {@code CallbackHandler} instance appropriate for this login * module when one of its supported mechanisms as returned by * {@link #mechanisms()} is the SASL mechanism for inter-broker communication. * * @return a new {@code CallbackHandler} instance appropriate for this login * module when one of its supported mechanisms as returned by * {@link #mechanisms()} is the SASL mechanism for inter-broker * communication. */ CallbackHandler newCallbackHandler(); } |
...