java kafka sasl plan认证 kafka用户认证

private static ChannelBuilder create(SecurityProtocol securityProtocol,
Mode mode,
JaasContext.Type contextType,
AbstractConfig config,
ListenerName listenerName,
String clientSaslMechanism,
boolean saslHandshakeRequestEnable,
CredentialCache credentialCache) {
Map configs;
if (listenerName == null)
configs = config.values();
else
configs = config.valuesWithPrefixOverride(listenerName.configPrefix());
//根据不同类型的协议创建不同的ChannelBuilder
ChannelBuilder channelBuilder;
switch (securityProtocol) {
case SSL:
requireNonNullMode(mode, securityProtocol);
channelBuilder = new SslChannelBuilder(mode);
break;
case SASL_SSL:
case SASL_PLAINTEXT:
requireNonNullMode(mode, securityProtocol);
JaasContext jaasContext = JaasContext.load(contextType, listenerName, configs);
channelBuilder = new SaslChannelBuilder(mode, jaasContext, securityProtocol, listenerName,
clientSaslMechanism, saslHandshakeRequestEnable, credentialCache);
break;
case PLAINTEXT:
channelBuilder = new PlaintextChannelBuilder();
break;
default:
throw new IllegalArgumentException("Unexpected securityProtocol " + securityProtocol);
}
//根据传入的配置设置新创建的channelBuilder
channelBuilder.configure(configs);
return channelBuilder;
}
上面函数中会根据不同的协议创建不同的ChannelBuilder并进行相应的配置,在kafka中实现了SslChannelBuilder、SaslChannelBuilder和PlaintextChannelBuilder等不同类型的ChannelBuilder,我们这里以SaslChannelBuilder的configure函数为例：
public void configure(Map configs) throws KafkaException {
try {
this.configs = configs;
boolean hasKerberos;
// 判断是不是使用Kerberos 协议
if (mode == Mode.SERVER) {
@SuppressWarnings("unchecked")
List enabledMechanisms = (List) this.configs.get(BrokerSecurityConfigs.SASL_ENABLED_MECHANISMS_CONFIG);
hasKerberos = enabledMechanisms == null || enabledMechanisms.contains(SaslConfigs.GSSAPI_MECHANISM);
} else {
hasKerberos = clientSaslMechanism.equals(SaslConfigs.GSSAPI_MECHANISM);
}
if (hasKerberos) {
String defaultRealm;
try {
defaultRealm = defaultKerberosRealm();
} catch (Exception ke) {
defaultRealm = "";
}
@SuppressWarnings("unchecked")
List principalToLocalRules = (List) configs.get(BrokerSecurityConfigs.SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES_CONFIG);
if (principalToLocalRules != null)
kerberosShortNamer = KerberosShortNamer.fromUnparsedRules(defaultRealm, principalToLocalRules);
}
//这里是重点，LoginManager是kafka中自定义的类，创建该类并进行验证
this.loginManager = LoginManager.acquireLoginManager(jaasContext, hasKerberos, configs);
if (this.securityProtocol == SecurityProtocol.SASL_SSL) {
// Disable SSL client authentication as we are using SASL authentication
this.sslFactory = new SslFactory(mode, "none");
this.sslFactory.configure(configs);
}
} catch (Exception e) {
close();
throw new KafkaException(e);
}
}
创建LoginManager
如上面函数中注释的，在配置的时候会调用静态方法创建一个LoginManager,先来看看LoginManager的构造函数如下:
private LoginManager(JaasContext jaasContext, boolean hasKerberos, Map configs,
Password jaasConfigValue) throws IOException, LoginException {
this.cacheKey = jaasConfigValue != null ? jaasConfigValue : jaasContext.name();
//在SASL/PLAIN身份认证的场景下，使用的是DefaultLogin实现
login = hasKerberos ? new KerberosLogin() : new DefaultLogin();
login.configure(configs, jaasContext);
login.login();
}
关于DefaultLogin其内部定义没有什么特殊之处，直接看其父类AbstractLogin,AbstractLogin的login函数如下：
public LoginContext login() throws LoginException {
loginContext = new LoginContext(jaasContext.name(), null, new LoginCallbackHandler(), jaasContext.configuration());
// 完成认证操作
loginContext.login();
log.info("Successfully logged in.");
return loginContext;
}
Kafka使用了JAAS的相关内容，JAAS在应用层与底层安全机制之间加入了一层抽象，简化了Java Security包之上的开发工作，可以为开发人员屏蔽掉具体使用的安全机制。上层应用的代码主要是面向LoginContext进行编程，在LoginContext下层是可动态配置的LoginModule组件(Kafka客户端使用的LoginModule是Kafka自定义的PlainLoginModule组件)。
我们了解到的代码只是从JAAS配置文件中读取了配置并填充Subject对象,没有进行实质性的认证操作。真正完成认证操作是通过KafkaChannel的Authenticator对象。上述过程中一共涉及到LoginContext、LoginManager、AbstractLogin等类，具体的关系图如下：

创建ClientAuthenticator
当生产者和消费者尝试生产或者消费的时候，会检查client与kafka broker之间是否已经建立tcp连接，没有建立连接的话先创建一个KafkaChannel对象,代码如下：
public KafkaChannel buildChannel(String id, SelectionKey key, int maxReceiveSize, MemoryPool memoryPool) throws KafkaException {
try {
SocketChannel socketChannel = (SocketChannel) key.channel();
Socket socket = socketChannel.socket();
TransportLayer transportLayer = buildTransportLayer(id, key, socketChannel);
Authenticator authenticator;
// 服务端Authenticator
if (mode == Mode.SERVER)
authenticator = buildServerAuthenticator(configs, id, transportLayer, loginManager.subject());
else
// 客户端Authenticator
authenticator = buildClientAuthenticator(configs, id, socket.getInetAddress().getHostName(),
loginManager.serviceName(), transportLayer, loginManager.subject());
return new KafkaChannel(id, transportLayer, authenticator, maxReceiveSize, memoryPool != null ? memoryPool : MemoryPool.NONE);
} catch (Exception e) {
// 如果创建连接失败, 抛出异常，上层函数会在back_off之后，进行重试
log.info("Failed to create channel due to ", e);
throw new KafkaException(e);
}
}
SaslClientAuthenticator
认证过程
客户端会不断的判断channel上是否是可以读数据或者写数据，其代码如下：
void pollSelectionKeys(Set selectionKeys,
boolean isImmediatelyConnected,
long currentTimeNanos) {
for (SelectionKey key : determineHandlingOrder(selectionKeys)) {
KafkaChannel channel = channel(key);
long channelStartTimeNanos = recordTimePerConnection ? time.nanoseconds() : 0;
// register all per-connection metrics at once
// 为每个channel 注册metrics
sensors.maybeRegisterConnectionMetrics(channel.id());
if (idleExpiryManager != null)
// 更新每个channel的活跃时间
idleExpiryManager.update(channel.id(), currentTimeNanos);
boolean sendFailed = false;
try {
/* complete any connections that have finished their handshake (either normally or immediately) */
// 对于每个已经建立tcp连接的channel加到本地客户端的链表中
if (isImmediatelyConnected || key.isConnectable()) {
if (channel.finishConnect()) {
this.connected.add(channel.id());
this.sensors.connectionCreated.record();
SocketChannel socketChannel = (SocketChannel) key.channel();
log.debug("Created socket with SO_RCVBUF = {}, SO_SNDBUF = {}, SO_TIMEOUT = {} to node {}",
socketChannel.socket().getReceiveBufferSize(),
socketChannel.socket().getSendBufferSize(),
socketChannel.socket().getSoTimeout(),
channel.id());
} else
continue;
}
/* if channel is not ready finish prepare */
// 对于已经建立tcp连接但是前期的认证还没有通过的chennel，进行认证准备
if (channel.isConnected() && !channel.ready()) {
try {
channel.prepare();
} catch (AuthenticationException e) {
sensors.failedAuthentication.record();
throw e;
}
if (channel.ready())
sensors.successfulAuthentication.record();
}
// 从channel中读取数据
attemptRead(key, channel);
if (channel.hasBytesBuffered()) {
//this channel has bytes enqueued in intermediary buffers that we could not read
//(possibly because no memory). it may be the case that the underlying socket will
//not come up in the next poll() and so we need to remember this channel for the
//next poll call otherwise data may be stuck in said buffers forever. If we attempt
//to process buffered data and no progress is made, the channel buffered status is
//cleared to avoid the overhead of checking every time.
keysWithBufferedRead.add(key);
}
/* if channel is ready write to any sockets that have space in their buffer and for which we have data */
if (channel.ready() && key.isWritable()) {
Send send = null;
try {
send = channel.write();
} catch (Exception e) {
sendFailed = true;
throw e;
}
if (send != null) {
this.completedSends.add(send);
this.sensors.recordBytesSent(channel.id(), send.size());
}
}
/* cancel any defunct sockets */
if (!key.isValid())
close(channel, true, true);
} catch (Exception e) {
String desc = channel.socketDescription();
if (e instanceof IOException)
log.debug("Connection with {} disconnected", desc, e);
else if (e instanceof AuthenticationException) // will be logged later as error by clients
log.debug("Connection with {} disconnected due to authentication exception", desc, e);
else
log.warn("Unexpected error from {}; closing connection", desc, e);
close(channel, !sendFailed, true);
} finally {
maybeRecordTimePerConnection(channel, channelStartTimeNanos);
}
}
}