diff options
Diffstat (limited to 'src/main/java/org/onap/dmaap/kafkaAuthorize')
4 files changed, 546 insertions, 0 deletions
diff --git a/src/main/java/org/onap/dmaap/kafkaAuthorize/KafkaCustomAuthorizer.java b/src/main/java/org/onap/dmaap/kafkaAuthorize/KafkaCustomAuthorizer.java new file mode 100644 index 0000000..4ad10e8 --- /dev/null +++ b/src/main/java/org/onap/dmaap/kafkaAuthorize/KafkaCustomAuthorizer.java @@ -0,0 +1,233 @@ +/******************************************************************************* + * ============LICENSE_START======================================================= + * org.onap.dmaap + * ================================================================================ + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * Modification copyright (C) 2021 Nordix Foundation. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 +* + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + * + * + *******************************************************************************/ +package org.onap.dmaap.kafkaAuthorize; + +import java.util.EnumSet; +import java.util.Map; + +import org.apache.kafka.common.acl.AclOperation; +import org.apache.kafka.common.security.auth.KafkaPrincipal; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import org.onap.dmaap.commonauth.kafka.base.authorization.AuthorizationProviderFactory; +import org.onap.dmaap.commonauth.kafka.base.authorization.Cadi3AAFProvider; + +import kafka.network.RequestChannel.Session; +import kafka.security.auth.Acl; +import kafka.security.auth.Authorizer; +import kafka.security.auth.Operation; +import kafka.security.auth.Resource; +import scala.collection.immutable.Set; + +/** + * A trivial Kafka Authorizer for use with SSL and AAF + * Authentication/Authorization. + * + */ +public class KafkaCustomAuthorizer implements Authorizer { + + private final String[] adminPermission = new String[3]; + protected static final EnumSet<AclOperation> TOPIC_DESCRIBE_OPERATIONS = EnumSet.of(AclOperation.DESCRIBE_CONFIGS); + protected static final EnumSet<AclOperation> TOPIC_READ_WRITE_DESCRIBE_OPERATIONS = EnumSet.of(AclOperation.WRITE, + AclOperation.READ, AclOperation.DESCRIBE_CONFIGS); + protected static final EnumSet<AclOperation> TOPIC_ADMIN_OPERATIONS = EnumSet.of(AclOperation.ALTER, + AclOperation.ALTER_CONFIGS, AclOperation.CREATE); + static final String TOPIC = "Topic"; + + private static final Logger logger = LoggerFactory.getLogger(KafkaCustomAuthorizer.class); + + @Override + public void configure(final Map<String, ?> arg0) { + // TODO Auto-generate method stub + } + + @Override + public void addAcls(final Set<Acl> arg0, final Resource arg1) { + // TODO Auto-generated method stub + + } + + private String[] getTopicPermission(String topicName, AclOperation aclOperation) { + + String namspace = topicName.substring(0, topicName.lastIndexOf(".")); + String[] permission = new String[3]; + if (TOPIC_READ_WRITE_DESCRIBE_OPERATIONS.contains(aclOperation)) { + permission[0] = namspace + ".topic"; + String instancePart = (System.getenv("pubSubInstPart") != null) ? System.getenv("pubSubInstPart") + : ".topic"; + permission[1] = instancePart + topicName; + + if (aclOperation.equals(AclOperation.WRITE)) { + permission[2] = "pub"; + } else if (aclOperation.equals(AclOperation.READ)) { + permission[2] = "sub"; + + } else if (TOPIC_DESCRIBE_OPERATIONS.contains(aclOperation)) { + permission[2] = "view"; + + } + } else if (aclOperation.equals(AclOperation.DELETE)) { + permission = (System.getProperty("msgRtr.topicfactory.aaf") + namspace + "|destroy").split("\\|"); + + } else if (TOPIC_ADMIN_OPERATIONS.contains(aclOperation)) { + permission = (System.getProperty("msgRtr.topicfactory.aaf") + namspace + "|create").split("\\|"); + } + + return permission; + } + + private String[] getAdminPermission() { + + if (adminPermission[0] == null) { + adminPermission[0] = System.getProperty("namespace") + ".kafka.access"; + adminPermission[1] = "*"; + adminPermission[2] = "*"; + } + + return adminPermission; + } + + private String[] getPermission(AclOperation aclOperation, String resource, String topicName) { + String[] permission = new String[3]; + switch (aclOperation) { + + case ALTER: + case ALTER_CONFIGS: + case CREATE: + case DELETE: + if (resource.equals(TOPIC)) { + permission = getTopicPermission(topicName, aclOperation); + } else if (resource.equals("Cluster")) { + permission = getAdminPermission(); + } + break; + case DESCRIBE_CONFIGS: + case READ: + case WRITE: + if (resource.equals(TOPIC)) { + permission = getTopicPermission(topicName, aclOperation); + } + break; + case IDEMPOTENT_WRITE: + if (resource.equals("Cluster")) { + permission = getAdminPermission(); + } + break; + default: + break; + + } + return permission; + + } + + @Override + public boolean authorize(final Session arg0, final Operation arg1, final Resource arg2) { + if (arg0.principal() == null) { + return false; + } + + String fullName = arg0.principal().getName(); + fullName = fullName != null ? fullName.trim() : fullName; + String topicName = null; + String[] permission; + + String resource = arg2.resourceType().name(); + + if (resource.equals(TOPIC)) { + topicName = arg2.name(); + } + + if (fullName != null && fullName.equals(Cadi3AAFProvider.getKafkaUsername())) { + return true; + } + + if ((!Cadi3AAFProvider.isCadiEnabled())||(null != topicName && !topicName.startsWith("org.onap"))) { + return true; + } + + permission = getPermission(arg1.toJava(), resource, topicName); + + if (permission[0] != null) { + return !checkPermissions(fullName, topicName, permission); + } + return true; + } + + private boolean checkPermissions(String fullName, String topicName, String[] permission) { + try { + + if (null != topicName) { + boolean hasResp = AuthorizationProviderFactory.getProviderFactory().getProvider() + .hasPermission(fullName, permission[0], permission[1], permission[2]); + if (hasResp) { + logger.info("Successful Authorization for {} on {} for {} | {} | {}", fullName, topicName, + permission[0], permission[1], permission[2]); + } + if (!hasResp) { + logger.info("{} is not allowed in {} | {} | {}", fullName, permission[0], permission[1], + permission[2]); + return true; + } + } + } catch (final Exception e) { + return true; + } + return false; + } + + @Override + public void close() { + // TODO Auto-generated method stub + + } + + @Override + public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls() { + // TODO Auto-generated method stub + return null; + } + + @Override + public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls(final KafkaPrincipal arg0) { + // TODO Auto-generated method stub + return null; + } + + @Override + public boolean removeAcls(final Resource arg0) { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean removeAcls(final Set<Acl> arg0, final Resource arg1) { + // TODO Auto-generated method stub + return false; + } + + public Set<Acl> getAcls(Resource arg0) { + // TODO Auto-generated method stub + return null; + } +} diff --git a/src/main/java/org/onap/dmaap/kafkaAuthorize/PlainLoginModule1.java b/src/main/java/org/onap/dmaap/kafkaAuthorize/PlainLoginModule1.java new file mode 100644 index 0000000..af5aa8f --- /dev/null +++ b/src/main/java/org/onap/dmaap/kafkaAuthorize/PlainLoginModule1.java @@ -0,0 +1,68 @@ +/******************************************************************************* + * ============LICENSE_START======================================================= + * org.onap.dmaap + * ================================================================================ + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * Modification copyright (C) 2021 Nordix Foundation. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 +* + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + * + * + *******************************************************************************/ +package org.onap.dmaap.kafkaAuthorize; + +import java.util.Map; +import javax.security.auth.Subject; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.spi.LoginModule; + +public class PlainLoginModule1 implements LoginModule { + + private static final String USERNAME_CONFIG = "username"; + private static final String PASSWORD_CONFIG = "password"; + + static { + PlainSaslServerProvider1.initialize(); + } + + @Override + public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) { + String username = (String) options.get(USERNAME_CONFIG); + if (username != null) + subject.getPublicCredentials().add(username); + String password = (String) options.get(PASSWORD_CONFIG); + if (password != null) + subject.getPrivateCredentials().add(password); + + } + + @Override + public boolean login() { + return true; + } + + @Override + public boolean logout() { + return true; + } + + @Override + public boolean commit() { + return true; + } + + @Override + public boolean abort() { + return false; + } +} diff --git a/src/main/java/org/onap/dmaap/kafkaAuthorize/PlainSaslServer1.java b/src/main/java/org/onap/dmaap/kafkaAuthorize/PlainSaslServer1.java new file mode 100644 index 0000000..7a9bede --- /dev/null +++ b/src/main/java/org/onap/dmaap/kafkaAuthorize/PlainSaslServer1.java @@ -0,0 +1,203 @@ +/****************************************************************************** + * ============LICENSE_START======================================================= + * org.onap.dmaap + * ================================================================================ + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * Modification copyright (C) 2021 Nordix Foundation. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 +* + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + * + * + *******************************************************************************/ +package org.onap.dmaap.kafkaAuthorize; + +import java.nio.charset.StandardCharsets; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; +import java.util.Map; +import javax.security.auth.callback.CallbackHandler; +import javax.security.sasl.Sasl; +import javax.security.sasl.SaslException; +import javax.security.sasl.SaslServer; +import javax.security.sasl.SaslServerFactory; +import org.apache.kafka.common.errors.SaslAuthenticationException; +import org.onap.dmaap.commonauth.kafka.base.authorization.AuthorizationProviderFactory; + +/** + * Simple SaslServer implementation for SASL/PLAIN. In order to make this + * implementation fully pluggable, authentication of username/password is fully + * contained within the server implementation. + * <p> + * Valid users with passwords are specified in the Jaas configuration file. Each + * user is specified with user_<username> as key and <password> as value. This + * is consistent with Zookeeper Digest-MD5 implementation. + * <p> + * To avoid storing clear passwords on disk or to integrate with external + * authentication servers in production systems, this module can be replaced + * with a different implementation. + * + */ +public class PlainSaslServer1 implements SaslServer { + + public static final String PLAIN_MECHANISM = "PLAIN"; + + private boolean complete; + private String authorizationId; + private static final String AUTH_EXC_NOT_COMPLETE = "Authentication exchange has not completed"; + + + /** + * @throws SaslAuthenticationException if username/password combination is invalid or if the requested + * authorization id is not the same as username. + * <p> + * <b>Note:</b> This method may throw {@link SaslAuthenticationException} to provide custom error messages + * to clients. But care should be taken to avoid including any information in the exception message that + * should not be leaked to unauthenticated clients. It may be safer to throw {@link SaslException} in + * some cases so that a standard error message is returned to clients. + * </p> + */ + @Override + public byte[] evaluateResponse(byte[] responseBytes) throws SaslAuthenticationException { + /* + * Message format (from https://tools.ietf.org/html/rfc4616): + * + * message = [authzid] UTF8NUL authcid UTF8NUL passwd + * authcid = 1*SAFE ; MUST accept up to 255 octets + * authzid = 1*SAFE ; MUST accept up to 255 octets + * passwd = 1*SAFE ; MUST accept up to 255 octets + * UTF8NUL = %x00 ; UTF-8 encoded NUL character + * + * SAFE = UTF1 / UTF2 / UTF3 / UTF4 + * ;; any UTF-8 encoded Unicode character except NUL + */ + String response = new String(responseBytes, StandardCharsets.UTF_8); + List<String> tokens = extractTokens(response); + String authorizationIdFromClient = tokens.get(0); + String username = tokens.get(1); + String password = tokens.get(2); + + if (username.isEmpty()) { + throw new SaslAuthenticationException("Authentication failed: username not specified"); + } + if (password.isEmpty()) { + throw new SaslAuthenticationException("Authentication failed: password not specified"); + } + + String aafResponse = "Not Verified"; + try { + aafResponse = AuthorizationProviderFactory.getProviderFactory().getProvider().authenticate(username, + password); + } catch (Exception ignored) { + throw new SaslAuthenticationException("Authentication failed: " + aafResponse + " User " + username); + } + if (null != aafResponse) { + throw new SaslAuthenticationException("Authentication failed: " + aafResponse + " User " + username); + } + + if (!authorizationIdFromClient.isEmpty() && !authorizationIdFromClient.equals(username)) + throw new SaslAuthenticationException("Authentication failed: Client requested an authorization id that is different from username"); + + this.authorizationId = username; + + complete = true; + return new byte[0]; + } + + private List<String> extractTokens(String string) { + List<String> tokens = new ArrayList<>(); + int startIndex = 0; + for (int i = 0; i < 4; ++i) { + int endIndex = string.indexOf("\u0000", startIndex); + if (endIndex == -1) { + tokens.add(string.substring(startIndex)); + break; + } + tokens.add(string.substring(startIndex, endIndex)); + startIndex = endIndex + 1; + } + + if (tokens.size() != 3) + throw new SaslAuthenticationException("Invalid SASL/PLAIN response: expected 3 tokens, got " + + tokens.size()); + + return tokens; + } + + @Override + public String getAuthorizationID() { + if (!complete) + throw new IllegalStateException(AUTH_EXC_NOT_COMPLETE); + return authorizationId; + } + + @Override + public String getMechanismName() { + return PLAIN_MECHANISM; + } + + @Override + public Object getNegotiatedProperty(String propName) { + if (!complete) + throw new IllegalStateException(AUTH_EXC_NOT_COMPLETE); + return null; + } + + @Override + public boolean isComplete() { + return complete; + } + + @Override + public byte[] unwrap(byte[] incoming, int offset, int len) { + if (!complete) + throw new IllegalStateException(AUTH_EXC_NOT_COMPLETE); + return Arrays.copyOfRange(incoming, offset, offset + len); + } + + @Override + public byte[] wrap(byte[] outgoing, int offset, int len) { + if (!complete) + throw new IllegalStateException(AUTH_EXC_NOT_COMPLETE); + return Arrays.copyOfRange(outgoing, offset, offset + len); + } + + @Override + public void dispose() { + // TODO Auto-generate method stub + } + + public static class PlainSaslServerFactory1 implements SaslServerFactory { + + @Override + public SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map<String, ?> props, CallbackHandler cbh) + throws SaslException { + + if (!PLAIN_MECHANISM.equals(mechanism)) + throw new SaslException(String.format("Mechanism '%s' is not supported. Only PLAIN is supported.", mechanism)); + + return new PlainSaslServer1(); + } + + @Override + public String[] getMechanismNames(Map<String, ?> props) { + if (props == null) return new String[]{PLAIN_MECHANISM}; + String noPlainText = (String) props.get(Sasl.POLICY_NOPLAINTEXT); + if ("true".equals(noPlainText)) + return new String[]{}; + else + return new String[]{PLAIN_MECHANISM}; + } + } +} + diff --git a/src/main/java/org/onap/dmaap/kafkaAuthorize/PlainSaslServerProvider1.java b/src/main/java/org/onap/dmaap/kafkaAuthorize/PlainSaslServerProvider1.java new file mode 100644 index 0000000..37b408e --- /dev/null +++ b/src/main/java/org/onap/dmaap/kafkaAuthorize/PlainSaslServerProvider1.java @@ -0,0 +1,42 @@ +/******************************************************************************* + * ============LICENSE_START======================================================= + * org.onap.dmaap + * ================================================================================ + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * Modification copyright (C) 2021 Nordix Foundation. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 +* + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + * + * + *******************************************************************************/ +package org.onap.dmaap.kafkaAuthorize; + +import java.security.Provider; +import java.security.Security; + +import org.onap.dmaap.kafkaAuthorize.PlainSaslServer1.PlainSaslServerFactory1; + +public class PlainSaslServerProvider1 extends Provider { + + private static final long serialVersionUID = 1L; + + protected PlainSaslServerProvider1() { + super("Simple SASL/PLAIN Server Provider", 1.0, "Simple SASL/PLAIN Server Provider for Kafka"); + super.put("SaslServerFactory." + PlainSaslServer1.PLAIN_MECHANISM, PlainSaslServerFactory1.class.getName()); + } + + public static void initialize() { + Security.insertProviderAt(new PlainSaslServerProvider1(),1); + } +} + |