/**
* Copyright (c) 2019 - 2024 StreamNative, Inc.. All Rights Reserved.
*/
/**
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.streamnative.pulsar.handlers.kop.security;
import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.concurrent.Future;
import io.streamnative.pulsar.handlers.kop.KafkaProtocolHandler;
import io.streamnative.pulsar.handlers.kop.KafkaServiceConfiguration;
import java.net.SocketAddress;
import java.util.concurrent.ExecutionException;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Function;
import javax.net.ssl.SSLSession;
import org.apache.kafka.common.errors.AuthenticationException;
import org.apache.kafka.common.protocol.ApiKeys;
import org.apache.pulsar.broker.authentication.AuthenticationProvider;
import org.apache.pulsar.broker.authentication.AuthenticationState;
import org.apache.pulsar.common.api.AuthData;
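/**
 * Note that client SSL authentication is handled in SslHandler.
 * This class is only used to pass the session information to the authorizer.
 *
 * <p>No bytes of the Kafka request are inspected here: the identity is derived from the
 * {@link SSLSession} the pipeline's TLS handler has already negotiated, which is handed to the
 * configured {@link AuthenticationProvider} to obtain the role and auth data source.
 */
public class SslAuthenticator implements Authenticator {

    /** Placeholder credentials: this authenticator never carries client-supplied auth bytes. */
    private static final byte[] EMPTY_ARRAY = new byte[0];

    private final AuthenticationProvider provider;
    private final KafkaServiceConfiguration kafkaConfig;

    // Set only when authenticate() succeeds; null until then and again after close().
    private Session session;

    /**
     * @param provider    broker authentication provider that turns the TLS session into a role
     * @param kafkaConfig supplies the tenant the resulting principal is bound to
     */
    public SslAuthenticator(AuthenticationProvider provider, KafkaServiceConfiguration kafkaConfig) {
        this.provider = provider;
        this.kafkaConfig = kafkaConfig;
    }

    /**
     * Builds the session principal from the channel's TLS session.
     *
     * <p>The request buffer, the two latency callbacks and the tenant validation function are not
     * used by this authenticator. If the channel carries no TLS handler, a {@code null} session is
     * passed to the provider; rejecting such a connection is left to the provider — nothing is
     * enforced here.
     *
     * @throws AuthenticationException if the provider rejects the session, the authentication
     *         future fails, or the calling thread is interrupted while waiting for it; the
     *         original exception is preserved as the cause
     */
    @Override
    public void authenticate(ChannelHandlerContext ctx, ByteBuf requestBuf,
                             BiConsumer<Long, Throwable> registerRequestParseLatency,
                             BiConsumer<ApiKeys, Long> registerRequestLatency,
                             Function<String, Boolean> tenantAccessValidationFunction)
            throws AuthenticationException {
        ChannelHandler sslHandler = ctx.channel().pipeline().get(KafkaProtocolHandler.TLS_HANDLER);
        SSLSession sslSession = null;
        if (sslHandler != null) {
            sslSession = ((SslHandler) sslHandler).engine().getSession();
        }
        AuthData authData = AuthData.of(EMPTY_ARRAY);
        SocketAddress remoteAddress = ctx.channel().remoteAddress();
        try {
            AuthenticationState authState = provider.newAuthState(authData, remoteAddress, sslSession);
            // Blocks the calling thread until the provider has finished evaluating the session.
            authState.authenticateAsync(authData).get();
            this.session = new Session(
                    new KafkaPrincipal(KafkaPrincipal.USER_TYPE,
                            authState.getAuthRole(),
                            kafkaConfig.getKafkaTenant(),
                            null,
                            authState.getAuthDataSource()), null);
        } catch (InterruptedException e) {
            // Restore the interrupt flag so the caller's thread/executor still observes it.
            Thread.currentThread().interrupt();
            throw new AuthenticationException(e.getMessage(), e);
        } catch (javax.naming.AuthenticationException | ExecutionException e) {
            // Keep the provider's exception as the cause so the real reason survives in logs.
            throw new AuthenticationException(e.getMessage(), e);
        }
    }

    /** Intentionally a no-op: this authenticator writes nothing back to the client on failure. */
    @Override
    public void sendAuthenticationFailureResponse(Consumer<Future<Void>> listener) {
        // No-Op for ssl authenticator
    }

    /** @return the authenticated session, or {@code null} before a successful authenticate() */
    @Override
    public Session session() {
        return session;
    }

    /** @return whether authenticate() has produced a session that has not been closed */
    @Override
    public boolean complete() {
        return session != null;
    }

    /** Drops the session so that {@link #complete()} reports {@code false} again. */
    @Override
    public void close() {
        this.session = null;
    }
}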