Status

Current state: "Accepted"

Discussion thread: here

JIRA: KAFKA-4292

...

  • Name: sasl.server.callback.handler.class
  • Type: STRING
  • Doc: The fully qualified name of a SASL server callback handler class that implements the AuthenticateCallbackHandler interface. The config name must be prefixed by the listener prefix and mechanism name in lower case. If multiple listeners are enabled, the config may be prefixed with the listener prefix. For example, listener.name.sasl_ssl.plain.sasl.server.callback.handler.class=com.example.CustomPlainCallbackHandler or scram-sha-256.sasl.server.callback.handler.class=com.example.CustomScramCallbackHandler.
  • Default: null (by default, the appropriate internal default callback handlers for each mechanism will be used)

...

  • Name: sasl.login.class
  • Type: CLASS
  • Doc: A class that implements the org.apache.kafka.common.security.auth.Login interface. For brokers, the config name must be prefixed by the listener prefix and mechanism name in lower case and may also be prefixed with listener name. For example, listener.name.sasl_ssl.plain.sasl.login.class=com.example.PlainServerLogin for brokers and sasl.login.class=com.example.KerberosClientLogin for clients.
  • Default: null (by default, the internal class KerberosLogin will be used if Kerberos is enabled on the listener and DefaultLogin otherwise)

Login callback handler class (for clients and brokers)

  • Name: sasl.login.callback.handler.class
  • Type: CLASS
  • Doc: The fully qualified name of a SASL login callback handler class that implements the org.apache.kafka.common.security.auth.AuthenticateCallbackHandler interface. For servers, the config name must be prefixed by the listener prefix and mechanism name in lower case. For example, listener.name.sasl_ssl.plain.sasl.login.callback.handler.class=com.example.PlainLoginCallbackHandler for brokers and sasl.login.callback.handler.class=com.example.PlainLoginCallbackHandler for clients.
  • Default: null (by default, the internal class AbstractLogin.DefaultLoginCallbackHandler will be used).

Callback Handler

The callback handler interface AuthenticateCallbackHandler will extend the standard javax.security.auth.callback.CallbackHandler interface, enabling the handler to be passed directly to SaslServer/SaslClient implementations. The callback handler configured for a mechanism must include the callbacks as described below:

...
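
An added example, not part of the KIP or of Kafka's own code: a PLAIN server callback handler of the kind that listener.name.sasl_ssl.plain.sasl.server.callback.handler.class=com.example.CustomPlainCallbackHandler would load. It assumes the AuthenticateCallbackHandler and PlainAuthenticateCallback signatures as shipped in Kafka 2.0 and later, which the sections shown on this page do not include, and the in-memory user map is constructed sample data standing in for an external credential store.

```java
package com.example; // package and class name taken from this page's config example
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.plain.PlainAuthenticateCallback;

public class CustomPlainCallbackHandler implements AuthenticateCallbackHandler {
    // Assumption: stands in for a lookup against an external credential store.
    private Map<String, String> users = Collections.emptyMap();

    @Override
    public void configure(Map<String, ?> configs, String saslMechanism,
                          List<AppConfigurationEntry> jaasConfigEntries) {
        if (!"PLAIN".equals(saslMechanism)) // refuse to be wired to another mechanism
            throw new IllegalArgumentException("Unsupported mechanism: " + saslMechanism);
        users = Collections.singletonMap("alice", "constructed-sample-secret");
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        String username = null;
        for (Callback callback : callbacks) {
            if (callback instanceof NameCallback) {
                username = ((NameCallback) callback).getDefaultName();
            } else if (callback instanceof PlainAuthenticateCallback) {
                PlainAuthenticateCallback plain = (PlainAuthenticateCallback) callback;
                plain.authenticated(verify(username, plain.password()));
            } else {
                throw new UnsupportedCallbackException(callback); // fail closed
            }
        }
    }

    private boolean verify(String username, char[] presented) {
        if (presented == null) return false;
        byte[] given = new String(presented).getBytes(StandardCharsets.UTF_8);
        String expected = username == null ? null : users.get(username);
        // Unknown users still go through a comparison; isEqual does not stop at the first mismatch.
        byte[] reference = expected == null ? given : expected.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(reference, given) && expected != null;
    }
    @Override
    public void close() { }
}
```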

Code Block (Java): org.apache.kafka.common.security.auth.Login
package org.apache.kafka.common.security.auth;

import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Login interface for authentication.
 */
public interface Login {

    /**
     * Configures this login instance.
     */
    void configure(Map<String, ?> configs, String contextName, Configuration configuration,
                   AuthenticateCallbackHandler loginCallbackHandler);

    /**
     * Performs login for each login module specified for the login context of this instance.
     */
    LoginContext login() throws LoginException;

    /**
     * Returns the authenticated subject of this login context.
     */
    Subject subject();

    /**
     * Returns the service name to be used for SASL.
     */
    String serviceName();

    /**
     * Closes this instance.
     */
    void close();
}

...