Status
Current state: "Accepted"
Discussion thread: here
JIRA: KAFKA-4292
...
- Name:
sasl.client.callback.handler.class
- Type:
CLASS
- Doc: The fully qualified name of a SASL client callback handler class that implements the
org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
interface.
- Default: null (by default, the appropriate internal default callback handler for the mechanism will be used)
...
- Name:
sasl.server.callback.handler.class
- Type:
STRING
- Doc: The fully qualified name of a SASL server callback handler class that implements the
org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
interface. The config name must be prefixed by the listener prefix and mechanism name in lower case. For example, listener.name.sasl_ssl.plain.sasl.server.callback.handler.class=com.example.CustomPlainCallbackHandler.
- Default: null (by default, the appropriate internal default callback handler for each mechanism will be used)
...
- Name:
sasl.login.class
- Type:
CLASS
- Doc: A class that implements the
org.apache.kafka.common.security.auth.Login
interface. For brokers, the config name must be prefixed by the listener prefix and mechanism name in lower case. For example, listener.name.sasl_ssl.plain.sasl.login.class=com.example.PlainServerLogin for brokers and sasl.login.class=com.example.KerberosClientLogin for clients.
- Default: null (by default, the internal class
KerberosLogin
will be used if Kerberos is enabled on the listener and
DefaultLogin
otherwise)
Login callback handler class (for clients and brokers)
- Name:
sasl.login.callback.handler.class
- Type:
CLASS
- Doc: The fully qualified name of a SASL login callback handler class that implements the
org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
interface. For brokers, the config name must be prefixed by the listener prefix and mechanism name in lower case. For example, listener.name.sasl_ssl.plain.sasl.login.callback.handler.class=com.example.PlainLoginCallbackHandler for brokers and sasl.login.callback.handler.class=com.example.PlainLoginCallbackHandler for clients.
- Default: null (by default, the internal class
AbstractLogin.DefaultLoginCallbackHandler
will be used)
Callback Handler
The callback handler interface AuthenticateCallbackHandler will extend the standard javax.security.auth.callback.CallbackHandler interface, enabling the handler to be passed directly to SaslServer/SaslClient implementations. The callback handler configured for a mechanism must include the callbacks as described below:
...
```java
package org.apache.kafka.common.security.auth;

import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Login interface for authentication.
 */
public interface Login {

    /**
     * Configures this login instance.
     */
    void configure(Map<String, ?> configs, String contextName, Configuration configuration,
                   AuthenticateCallbackHandler loginCallbackHandler);

    /**
     * Performs login for each login module specified for the login context of this instance.
     */
    LoginContext login() throws LoginException;

    /**
     * Returns the authenticated subject of this login context.
     */
    Subject subject();

    /**
     * Returns the service name to be used for SASL.
     */
    String serviceName();

    /**
     * Closes this instance.
     */
    void close();
}
```
...
Define a new class that implements AuthenticateCallbackHandler, handles NameCallback and PlainAuthenticateCallback, and add the class to the broker's sasl.server.callback.handler.class property for the listener and mechanism. A single instance of this callback handler will be created for the broker. The configured callback handler is responsible for validating the password provided by clients, and it may use an external authentication server to do so.
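As an added example (not the KIP's or Kafka's own code), a minimal PLAIN server callback handler of the kind described above. It assumes the AuthenticateCallbackHandler.configure signature (configs, mechanism name, JAAS entries) and the PlainAuthenticateCallback class with password() and authenticated(boolean), neither of which this page shows; the in-memory credential map is constructed sample data standing in for the external authentication server.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.plain.PlainAuthenticateCallback;

// Illustrative handler, not Kafka's own. Registered on the broker with
// listener.name.sasl_ssl.plain.sasl.server.callback.handler.class=com.example.CustomPlainCallbackHandler
public class CustomPlainCallbackHandler implements AuthenticateCallbackHandler {
    // Constructed in-memory credentials; a real handler would query an external server.
    private final Map<String, byte[]> credentials = Map.of(
            "alice", "alice-secret".getBytes(StandardCharsets.UTF_8));

    @Override
    public void configure(Map<String, ?> configs, String saslMechanism,
                          List<AppConfigurationEntry> jaasConfigEntries) { }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        String username = null;
        for (Callback callback : callbacks) {
            if (callback instanceof NameCallback) {
                // NameCallback carries the username from the PLAIN client message.
                username = ((NameCallback) callback).getDefaultName();
            } else if (callback instanceof PlainAuthenticateCallback) {
                PlainAuthenticateCallback plain = (PlainAuthenticateCallback) callback;
                plain.authenticated(authenticate(username, plain.password()));
            } else {
                throw new UnsupportedCallbackException(callback);
            }
        }
    }

    // Constant-time comparison so a rejected password does not leak how much of it matched.
    boolean authenticate(String username, char[] password) {
        byte[] expected = username == null ? null : credentials.get(username);
        if (expected == null || password == null) return false;
        byte[] given = new String(password).getBytes(StandardCharsets.UTF_8);
        boolean ok = MessageDigest.isEqual(expected, given);
        Arrays.fill(given, (byte) 0);  // scrub the cleartext copy once compared
        return ok;
    }

    @Override
    public void close() { }
}
```

The handler never logs the password and rejects unknown callback types, so a misconfigured mechanism fails closed rather than silently authenticating.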
...
If a custom SaslServer implementation is used instead of the one included in Kafka, the custom implementation may require a different set of callbacks. A callback handler for these callbacks may be specified in sasl.server.callback.handler.class.
Configure a new mechanism not included in Kafka using custom SaslServer/SaslClient
A handler that handles any callbacks required by these server/client implementations may be specified in sasl.server.callback.handler.class and sasl.client.callback.handler.class for brokers and clients respectively.
...
KIP-103 introduced support for multiple listeners in the broker for the same security protocol. This allows brokers to configure different SASL mechanisms for internal and external traffic. The listener name prefix can be applied to sasl.server.callback.handler.class to define different callback handlers for each of the listeners.
...