Comment: Documented SASL Server negotiated property key for validated token

...

See Rejected Alternatives: Callback Handlers and Callbacks

Callback Handlers and Callbacks

We define the abstract base class org.apache.kafka.common.security.oauthbearer.OAuthBearerCallbackHandler as the base class for all callback handlers related to SASL/OAUTHBEARER.  We define the org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallback class as the callback class for communicating that we want to retrieve a token, and we define the org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback class as the callback class for communicating that we want to validate a token compact serialization value.

...

The third callback handler defines the validation mechanism that the SASL Server uses to validate an OAuth 2 bearer token. This callback handler must be set via the listener.name.sasl_ssl.oauthbearer.sasl.server.callback.handler.class broker configuration property, and it must recognize OAuthBearerValidatorCallback. The implementation we provide is the org.apache.kafka.common.security.oauthbearer.OAuthBearerUnsecuredValidatorCallbackHandler unsecured JWT validator. It accepts JAAS options as described in the Javadoc below, and it exists both to provide a way to test the overall SASL/OAUTHBEARER feature set and to provide an out-of-the-box implementation for users. An alternative callback handler must be written for production use.

The validated token will be available as a negotiated property on the SASL Server instance with the key OAUTHBEARER.token so it can be used for authorization as per KIP-189.  Note that the implementation of the SASL Server itself is not part of the public interface – just the key where it makes the validated token available.

Code Block (Java): org.apache.kafka.common.security.oauthbearer.OAuthBearerCallbackHandler

package org.apache.kafka.common.security.oauthbearer;

import java.util.List;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;

/**
 * Base class for all SASL/OAUTHBEARER callback handlers. It is a requirement
 * that SASL/OAUTHBEARER is the only SASL mechanism configuration presented to
 * the code. Specifically, multiple SASL mechanisms configured via the same JAAS
 * configuration is not supported; use dynamic configuration via the
 * {@code sasl.jaas.config} property as described in <a href=
 * "https://cwiki.apache.org/confluence/display/KAFKA/KIP-226+-+Dynamic+Broker+Configuration">KIP-226</a>
 * to meet this constraint if necessary.
 */
public abstract class OAuthBearerCallbackHandler implements AuthenticateCallbackHandler {
    private Map<String, ?> serverConfig = null;
    private String mechanism = null;
    private AppConfigurationEntry jaasConfigEntry = null;
    private SubstitutableValues substitutableValues = null;

    /**
     * Return the server configuration provided during
     * {@link #configure(Map, String, List)}, if any, otherwise null
     *
     * @return the server configuration provided during
     *         {@link #configure(Map, String, List)}, if any, otherwise null
     */
    public Map<String, ?> serverConfig() {
        return serverConfig;
    }

    /**
     * Return the SASL mechanism provided during
     * {@link #configure(Map, String, List)}, if any, otherwise null
     *
     * @return the SASL mechanism provided during
     *         {@link #configure(Map, String, List)}, if any, otherwise null
     */
    public String mechanism() {
        return mechanism;
    }

    /**
     * Return the JAAS login module configuration provided during
     * {@link #configure(Map, String, List)}, if any, otherwise null.
     *
     * @return the JAAS login module configuration provided during
     *         {@link #configure(Map, String, List)}, if any, otherwise null
     */
    public AppConfigurationEntry jaasConfigEntry() {
        return jaasConfigEntry;
    }

    /**
     * Return the substitutableValues as determined via
     * {@link #configure(Map, String, List)}
     *
     * @return the substitutableValues as determined via
     *         {@link #configure(Map, String, List)}
     */
    public SubstitutableValues substitutableValues() {
        return substitutableValues;
    }

    // etc...
}
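A custom validator of the kind the text says must replace the unsecured handler in production, as an added example that is not code from the KIP or from Kafka: it extends the abstract base class above, handles OAuthBearerValidatorCallback, and accepts only HS256-signed JWTs whose signature verifies against a shared secret, whose exp is still in the future and which carry a sub claim; the accepted token is what the SASL Server then exposes under OAUTHBEARER.token. It assumes a JAAS option named hs256Secret holding the secret, the tokenValue()/token()/error() methods of OAuthBearerValidatorCallback and the OAuthBearerToken interface as in released Kafka, and Jackson on the broker classpath.

```java
import java.nio.charset.StandardCharsets;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public class Hs256ValidatorCallbackHandler extends OAuthBearerCallbackHandler {
    private static final ObjectMapper JSON = new ObjectMapper();

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        byte[] secret = ((String) jaasConfigEntry().getOptions().get("hs256Secret")).getBytes(StandardCharsets.UTF_8); // assumed JAAS option
        for (Callback cb : callbacks) {
            if (!(cb instanceof OAuthBearerValidatorCallback)) throw new UnsupportedCallbackException(cb);
            OAuthBearerValidatorCallback v = (OAuthBearerValidatorCallback) cb;
            try {
                v.token(validate(v.tokenValue(), secret)); // accepted token becomes the OAUTHBEARER.token negotiated property
            } catch (Exception e) {
                v.error("invalid_token", null, null); // RFC 7628 error status only; the concrete reason stays server-side
            }
        }
    }

    static OAuthBearerToken validate(final String compact, byte[] secret) throws Exception {
        String[] p = compact.split("\\.", -1);
        if (p.length != 3) throw new IllegalArgumentException("not a JWS compact serialization");
        java.util.Base64.Decoder dec = java.util.Base64.getUrlDecoder();
        // Pin the algorithm so an unsigned ("none") or differently signed token is rejected before any claim is trusted
        if (!"HS256".equals(JSON.readTree(dec.decode(p[0])).path("alg").asText())) throw new IllegalArgumentException("alg");
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        byte[] expected = mac.doFinal((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
        if (!java.security.MessageDigest.isEqual(expected, dec.decode(p[2]))) throw new IllegalArgumentException("sig");
        JsonNode claims = JSON.readTree(dec.decode(p[1]));
        final long expMs = claims.path("exp").asLong() * 1000L; // a missing exp reads as 0 and fails the check below
        final String principal = claims.path("sub").asText();
        if (principal.isEmpty() || expMs <= System.currentTimeMillis()) throw new IllegalArgumentException("claims");
        return new OAuthBearerToken() {
            public String value() { return compact; }
            public java.util.Set<String> scope() { return java.util.Collections.emptySet(); }
            public long lifetimeMs() { return expMs; }
            public String principalName() { return principal; }
            public Long startTimeMs() { return null; }
        };
    }

    @Override public void close() {}
}
```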

...