org.apache.kafka.common.config.SaslConfigs Java Examples

The following examples show how to use org.apache.kafka.common.config.SaslConfigs.
Example #1
Source File: TestKafkaUtils.java    From DataLink with Apache License 2.0
/**
 * Builds the producer / admin-client pair used by this test utility.
 *
 * <p>Security caveats for anyone copying this fixture: the broker address and the JAAS
 * username/password are hard-coded, and {@code SASL_PLAINTEXT} combined with the {@code PLAIN}
 * mechanism sends that password over a connection with no transport encryption. Outside a
 * throw-away test setup, credentials belong in external configuration and the security protocol
 * should be {@code SASL_SSL}.
 *
 * @return a client model wrapping a producer and an admin client that share one configuration
 */
private KafkaFactory.KafkaClientModel get(){
    Properties clientProps = new Properties();

    // Where to connect and how to authenticate.
    clientProps.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, "10.104.156.83:9092");
    clientProps.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_PLAINTEXT");
    clientProps.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
    clientProps.put("sasl.jaas.config",
            "org.apache.kafka.common.security.plain.PlainLoginModule required username='kafka' password='kafka';");

    // Serialization.
    clientProps.put("key.serializer", "org.apache.kafka.common.serialization.StringSerializer");
    clientProps.put("value.serializer", "org.apache.kafka.common.serialization.ByteArraySerializer");

    // Producer delivery and batching settings.
    clientProps.put("acks", "all");
    clientProps.put("retries", 0);
    clientProps.put("batch.size", 16384);
    clientProps.put("linger.ms", 1);
    clientProps.put("buffer.memory", 33554432);

    // NOTE(review): the value type is declared as Byte[] while the configured serializer is
    // ByteArraySerializer — confirm the intended element type against KafkaClientModel.
    KafkaProducer<String, Byte[]> kafkaProducer = new KafkaProducer<>(clientProps);
    AdminClient adminClient = AdminClient.create(clientProps);

    return new KafkaFactory.KafkaClientModel(kafkaProducer, adminClient);
}
 
Example #2
Source File: SASLClusterTestHarness.java    From kcache with Apache License 2.0
/**
 * Produces the broker configuration for one node of the SASL test cluster.
 *
 * <p>The broker is created through {@code TestUtils.createBrokerConfig} with
 * {@code SASL_PLAINTEXT} as the inter-broker security protocol and no trust store, then GSSAPI is
 * set as both the enabled SASL mechanism and the inter-broker mechanism. {@code SASL_PLAINTEXT}
 * authenticates peers but does not encrypt the connection, which is a test-harness choice rather
 * than a production template.
 *
 * @param brokerId id of the broker to configure
 * @return the broker configuration built from the assembled properties
 */
@Override
protected KafkaConfig getKafkaConfig(int brokerId) {
    final Option<SecurityProtocol> interBrokerProtocol =
        Option.apply(SecurityProtocol.SASL_PLAINTEXT);
    final Option<File> noTrustStore = Option.apply(null);

    // Positional arguments are passed through exactly as the harness defines them.
    Properties brokerProps = TestUtils.createBrokerConfig(
        brokerId, zkConnect, false, false, TestUtils.RandomPort(), interBrokerProtocol,
        noTrustStore, EMPTY_SASL_PROPERTIES, false, true, TestUtils.RandomPort(),
        false, TestUtils.RandomPort(),
        false, TestUtils.RandomPort(), Option.<String>empty(), 1, false, 1, (short) 1);

    // Subclass-provided overrides go in first; the explicit settings below are applied after them.
    injectProperties(brokerProps);
    brokerProps.setProperty(SaslConfigs.SASL_ENABLED_MECHANISMS, "GSSAPI");
    brokerProps.setProperty("sasl.mechanism.inter.broker.protocol", "GSSAPI");
    brokerProps.setProperty("zookeeper.connection.timeout.ms", "30000");

    return KafkaConfig.fromProps(brokerProps);
}
 
Example #3
Source File: KafkaClientConfigUtil.java    From kafka-webview with MIT License
/**
 * Applies SASL client settings to {@code config} when the cluster is configured to use SASL.
 *
 * <p>The security protocol becomes {@code SASL_SSL} when the cluster also uses SSL, otherwise
 * {@code SASL_PLAINTEXT}. In the SASL+SSL case the client keystore location and password are
 * removed from the map, so the client presents no TLS client certificate and authenticates through
 * SASL only. With {@code SASL_PLAINTEXT} the SASL exchange travels unencrypted; if the configured
 * mechanism is {@code PLAIN}, that includes the password.
 *
 * @param clusterConfig Cluster configuration definition to source values from.
 * @param config Config map to apply settings to.
 */
private void applySaslSettings(final ClusterConfig clusterConfig, final Map<String, Object> config) {
    // Nothing to apply for clusters that do not use SASL.
    if (!clusterConfig.isUseSasl()) {
        return;
    }

    final boolean overTls = clusterConfig.isUseSsl();
    final String protocol = overTls
        ? SecurityProtocol.SASL_SSL.name
        : SecurityProtocol.SASL_PLAINTEXT.name;
    config.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, protocol);

    if (overTls) {
        // Keystore and keystore password are not required when using SASL+SSL.
        config.remove(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG);
        config.remove(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG);
    }

    // The mechanism and JAAS entry are taken verbatim from the cluster definition.
    config.put(SaslConfigs.SASL_MECHANISM, clusterConfig.getSaslMechanism());
    config.put(SaslConfigs.SASL_JAAS_CONFIG, clusterConfig.getSaslJaas());
}
 
Example #4
Source File: KafkaRecordSink_1_0.java    From nifi with Apache License 2.0
/**
 * Populates the {@code sasl.jaas.config} client property for Kerberos, based on KAFKA-4259
 * (https://cwiki.apache.org/confluence/display/KAFKA/KIP-85%3A+Dynamic+JAAS+configuration+for+Kafka+clients).
 *
 * <p>The generated value has the form
 * {@code <LoginModuleClass> <ControlFlag> *(<OptionName>=<OptionValue>);} where the control flag is
 * one of required / requisite / sufficient / optional. Nothing is written unless keytab, principal
 * and service name are all non-blank.
 *
 * @param mapToPopulate Map of configuration properties
 * @param context       Context
 */
private static void setJaasConfig(Map<String, Object> mapToPopulate, ConfigurationContext context) {
    // Principal and keytab come only from the Kerberos Credentials Service in this variant.
    final KerberosCredentialsService kerberosService = context.getProperty(KafkaProcessorUtils.KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
    final String principal = kerberosService == null ? null : kerberosService.getPrincipal();
    final String keytab = kerberosService == null ? null : kerberosService.getKeytab();

    final String serviceName = context.getProperty(KafkaProcessorUtils.JAAS_SERVICE_NAME).evaluateAttributeExpressions().getValue();

    // Leave the map untouched when any of the three values is missing.
    if (!StringUtils.isNotBlank(keytab) || !StringUtils.isNotBlank(principal) || !StringUtils.isNotBlank(serviceName)) {
        return;
    }

    // NOTE(review): the three values are placed between double quotes without escaping, so a value
    // containing '"' or '\' changes how the JAAS entry is parsed. Validate or escape them upstream.
    // NOTE(review): Krb5LoginModule documents "renewTGT"; confirm "renewTicket" has any effect.
    final String jaasEntry = "com.sun.security.auth.module.Krb5LoginModule required "
            + "useTicketCache=false "
            + "renewTicket=true "
            + "serviceName=\"" + serviceName + "\" "
            + "useKeyTab=true "
            + "keyTab=\"" + keytab + "\" "
            + "principal=\"" + principal + "\";";
    mapToPopulate.put(SaslConfigs.SASL_JAAS_CONFIG, jaasEntry);
}
 
Example #5
Source File: KafkaProcessorUtils.java    From nifi with Apache License 2.0
/**
 * Populates the {@code sasl.jaas.config} client property for Kerberos, based on KAFKA-4259
 * (https://cwiki.apache.org/confluence/display/KAFKA/KIP-85%3A+Dynamic+JAAS+configuration+for+Kafka+clients).
 *
 * <p>The generated value has the form
 * {@code <LoginModuleClass> <ControlFlag> *(<OptionName>=<OptionValue>);} where the control flag is
 * one of required / requisite / sufficient / optional. Nothing is written unless keytab, principal
 * and service name are all non-blank.
 *
 * @param mapToPopulate Map of configuration properties
 * @param context Context
 */
private static void setJaasConfig(Map<String, Object> mapToPopulate, ProcessContext context) {
    // The explicit keytab/principal properties may be absent from the context altogether.
    String keytab = null;
    if (context.getProperty(USER_KEYTAB) != null) {
        keytab = context.getProperty(USER_KEYTAB).evaluateAttributeExpressions().getValue();
    }
    String principal = null;
    if (context.getProperty(USER_PRINCIPAL) != null) {
        principal = context.getProperty(USER_PRINCIPAL).evaluateAttributeExpressions().getValue();
    }

    // A configured Kerberos Credentials Service takes precedence over the explicit properties.
    // The original comment states that customValidate allows only one of the two to be set.
    final KerberosCredentialsService kerberosService = context.getProperty(KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
    if (kerberosService != null) {
        principal = kerberosService.getPrincipal();
        keytab = kerberosService.getKeytab();
    }

    final String serviceName = context.getProperty(JAAS_SERVICE_NAME).evaluateAttributeExpressions().getValue();
    if (StringUtils.isNotBlank(keytab) && StringUtils.isNotBlank(principal) && StringUtils.isNotBlank(serviceName)) {
        // NOTE(review): values are quoted but not escaped; a '"' or '\' inside any of them changes
        // how the JAAS entry is parsed. Validate or escape them upstream.
        final StringBuilder jaasEntry = new StringBuilder("com.sun.security.auth.module.Krb5LoginModule required ");
        jaasEntry.append("useTicketCache=false ");
        jaasEntry.append("renewTicket=true ");
        jaasEntry.append("serviceName=\"").append(serviceName).append("\" ");
        jaasEntry.append("useKeyTab=true ");
        jaasEntry.append("keyTab=\"").append(keytab).append("\" ");
        jaasEntry.append("principal=\"").append(principal).append("\";");
        mapToPopulate.put(SaslConfigs.SASL_JAAS_CONFIG, jaasEntry.toString());
    }
}
 
Example #6
Source File: KerberosLogin.java    From datacollector with Apache License 2.0
/**
 * Resolves the Kerberos service name from the JAAS login context and the Kafka client config.
 *
 * <p>A JAAS lookup that fails with an {@link IOException} is logged as a warning and treated as
 * "no JAAS value", so the Kafka config value alone can still satisfy the lookup. When both sources
 * supply a value they must agree.
 *
 * @param configs      Kafka client configuration, read for {@code SaslConfigs.SASL_KERBEROS_SERVICE_NAME}
 * @param loginContext name of the JAAS login context to inspect
 * @return the JAAS value when present, otherwise the Kafka config value
 * @throws IllegalArgumentException if the two sources conflict or neither defines a service name
 */
private String getServiceName(Map<String, ?> configs, String loginContext) {
  String fromJaas;
  try {
    fromJaas = JaasUtils.jaasConfig(loginContext, JaasUtils.SERVICE_NAME);
  } catch (IOException e) {
    // Deliberately downgraded from an exception to a warning: fall back to the Kafka config.
    log.warn("Jaas configuration not found", e);
    fromJaas = null;
  }
  final String fromConfig = (String) configs.get(SaslConfigs.SASL_KERBEROS_SERVICE_NAME);

  if (fromJaas == null) {
    if (fromConfig == null) {
      throw new IllegalArgumentException("No serviceName defined in either JAAS or Kafka config");
    }
    return fromConfig;
  }

  // JAAS value is present; reject a differing value from the Kafka config.
  if (fromConfig != null && !fromJaas.equals(fromConfig)) {
    String message = "Conflicting serviceName values found in JAAS and Kafka configs " +
        "value in JAAS file " + fromJaas + ", value in Kafka config " + fromConfig;
    throw new IllegalArgumentException(message);
  }
  return fromJaas;
}
 
Example #7
Source File: KafkaProcessorUtils.java    From nifi with Apache License 2.0
/**
 * Populates the {@code sasl.jaas.config} client property for Kerberos, based on KAFKA-4259
 * (https://cwiki.apache.org/confluence/display/KAFKA/KIP-85%3A+Dynamic+JAAS+configuration+for+Kafka+clients).
 *
 * <p>The generated value has the form
 * {@code <LoginModuleClass> <ControlFlag> *(<OptionName>=<OptionValue>);} where the control flag is
 * one of required / requisite / sufficient / optional. Nothing is written unless keytab, principal
 * and service name are all non-blank.
 *
 * @param mapToPopulate Map of configuration properties
 * @param context Context
 */
private static void setJaasConfig(Map<String, Object> mapToPopulate, ProcessContext context) {
    String keytab = context.getProperty(USER_KEYTAB).evaluateAttributeExpressions().getValue();
    String principal = context.getProperty(USER_PRINCIPAL).evaluateAttributeExpressions().getValue();

    // A configured Kerberos Credentials Service overrides the explicit principal/keytab properties.
    // The original comment states that customValidate allows only one of the two to be set.
    final KerberosCredentialsService kerberosService = context.getProperty(KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
    if (kerberosService != null) {
        principal = kerberosService.getPrincipal();
        keytab = kerberosService.getKeytab();
    }

    final String serviceName = context.getProperty(JAAS_SERVICE_NAME).evaluateAttributeExpressions().getValue();

    final boolean allPresent = StringUtils.isNotBlank(keytab)
            && StringUtils.isNotBlank(principal)
            && StringUtils.isNotBlank(serviceName);
    if (allPresent) {
        // NOTE(review): values are quoted but not escaped; a '"' or '\' inside any of them changes
        // how the JAAS entry is parsed. Validate or escape them upstream.
        final String jaasEntry = "com.sun.security.auth.module.Krb5LoginModule required "
                + "useTicketCache=false "
                + "renewTicket=true "
                + "serviceName=\"" + serviceName + "\" "
                + "useKeyTab=true "
                + "keyTab=\"" + keytab + "\" "
                + "principal=\"" + principal + "\";";
        mapToPopulate.put(SaslConfigs.SASL_JAAS_CONFIG, jaasEntry);
    }
}
 
Example #8
Source File: KafkaClientProperties.java    From strimzi-kafka-operator with Apache License 2.0
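/**
 * Sets {@code sasl.jaas.config} to an OAuth bearer login entry that also carries the truststore
 * settings already present in {@code properties}.
 *
 * <p>Security notes for readers reusing this builder:
 * <ul>
 *   <li>{@code oauth.ssl.endpoint.identification.algorithm} is set to the empty string, which
 *       turns off hostname verification for the token endpoint. That is a test-environment
 *       shortcut; keep verification on elsewhere.</li>
 *   <li>The client secret and the truststore password are embedded in the JAAS string, so the
 *       resulting property must not be logged or dumped.</li>
 *   <li>Values are quoted but not escaped; a {@code "} or {@code \} inside any of them changes
 *       how the entry is parsed.</li>
 * </ul>
 *
 * @param clientId OAuth client id
 * @param clientSecretName value written to {@code oauth.client.secret}
 * @param oauthTokenEndpointUri token endpoint of the authorization server
 * @return this builder
 * @throws InvalidParameterException if any argument is empty
 */
public KafkaClientPropertiesBuilder withSaslJassConfigAndTls(String clientId, String clientSecretName, String oauthTokenEndpointUri) {
    // Reject unusable arguments before the truststore helpers run, so a bad call has no side effects.
    if (clientId.isEmpty() || clientSecretName.isEmpty() || oauthTokenEndpointUri.isEmpty()) {
        throw new InvalidParameterException("You do not specify client-id, client-secret name or oauth-token-endpoint-uri inside kafka client!");
    }

    try {
        importKeycloakCertificateToTruststore(properties);
        fixBadlyImportedAuthzSettings();
    } catch (Exception e) {
        // Kept best-effort as before. NOTE(review): if this fails, the truststore properties read
        // below may be missing and would be rendered as the text "null" — confirm that is acceptable.
        e.printStackTrace();
    }

    // Every option is followed by a space so that adjacent options never run together; the
    // endpoint-identification option previously had no separator before the truststore location.
    properties.setProperty(SaslConfigs.SASL_JAAS_CONFIG,
        "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule " +
            "required " +
            "oauth.client.id=\"" + clientId + "\" " +
            "oauth.client.secret=\"" + clientSecretName + "\" " +
            "oauth.token.endpoint.uri=\"" + oauthTokenEndpointUri + "\" " +
            "oauth.ssl.endpoint.identification.algorithm=\"\" " +
            "oauth.ssl.truststore.location=\"" + properties.get(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG) + "\" " +
            "oauth.ssl.truststore.password=\"" + properties.get(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG) + "\" " +
            "oauth.ssl.truststore.type=\"" + properties.get(SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG) + "\" ;");

    return this;
}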
 
Example #9
Source File: KafkaNodeClient.java    From feeyo-redisproxy with BSD 3-Clause "New" or "Revised" License
/**
 * Creates a low-level network client bound to a single Kafka node.
 *
 * <p>Only the security protocol and the SASL mechanism are declared in the config definition, and
 * the config itself is built from an empty {@link Properties}, so both resolve to the library
 * defaults named in the definitions below.
 * NOTE(review): no credentials or TLS settings are supplied here — confirm this client is only
 * used against brokers reachable over a trusted network.
 *
 * @param id   node id
 * @param host node host name
 * @param port node port
 */
public KafkaNodeClient(int id, String host, int port) {
	node = new Node(id, host, port);
	metrics = new Metrics(Time.SYSTEM);

	LogContext logCtx = new LogContext("ctx");

	// Declare the two settings the channel builder reads, each with its library default.
	ConfigDef definitions = new ConfigDef();
	definitions.define(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, ConfigDef.Type.STRING,
			CommonClientConfigs.DEFAULT_SECURITY_PROTOCOL, ConfigDef.Importance.MEDIUM,
			CommonClientConfigs.SECURITY_PROTOCOL_DOC);
	definitions.define(SaslConfigs.SASL_MECHANISM, ConfigDef.Type.STRING, SaslConfigs.DEFAULT_SASL_MECHANISM,
			ConfigDef.Importance.MEDIUM, SaslConfigs.SASL_MECHANISM_DOC);

	// No overrides are provided, so every defined key takes its default.
	AbstractConfig defaultsOnly = new AbstractConfig(definitions, new Properties());
	channelBuilder = ClientUtils.createChannelBuilder(defaultsOnly);

	selector = new Selector(1000L, metrics, Time.SYSTEM, "cc", channelBuilder, logCtx);
	client = new NetworkClient(selector, new Metadata(0, Long.MAX_VALUE, false),
			CLIENT_ID, 10, 1000L, 1000L, 1, 1024, 1000, Time.SYSTEM, true, new ApiVersions(),
			null, logCtx);
}
 
Example #10
Source File: KafkaProcessorUtils.java    From nifi with Apache License 2.0
/**
 * Populates the {@code sasl.jaas.config} client property for Kerberos, based on KAFKA-4259
 * (https://cwiki.apache.org/confluence/display/KAFKA/KIP-85%3A+Dynamic+JAAS+configuration+for+Kafka+clients).
 *
 * <p>The generated value has the form
 * {@code <LoginModuleClass> <ControlFlag> *(<OptionName>=<OptionValue>);} where the control flag is
 * one of required / requisite / sufficient / optional. Nothing is written unless keytab, principal
 * and service name are all non-blank.
 *
 * @param mapToPopulate Map of configuration properties
 * @param context Context
 */
private static void setJaasConfig(Map<String, Object> mapToPopulate, ProcessContext context) {
    String keytab = context.getProperty(USER_KEYTAB).evaluateAttributeExpressions().getValue();
    String principal = context.getProperty(USER_PRINCIPAL).evaluateAttributeExpressions().getValue();

    // A configured Kerberos Credentials Service overrides the explicit principal/keytab properties.
    // The original comment states that customValidate allows only one of the two to be set.
    final KerberosCredentialsService kerberosService = context.getProperty(KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
    if (kerberosService != null) {
        principal = kerberosService.getPrincipal();
        keytab = kerberosService.getKeytab();
    }

    final String serviceName = context.getProperty(JAAS_SERVICE_NAME).evaluateAttributeExpressions().getValue();
    if (!(StringUtils.isNotBlank(keytab) && StringUtils.isNotBlank(principal) && StringUtils.isNotBlank(serviceName))) {
        return;
    }

    // NOTE(review): values are quoted but not escaped; a '"' or '\' inside any of them changes how
    // the JAAS entry is parsed. Validate or escape them upstream.
    final StringBuilder jaasEntry = new StringBuilder();
    jaasEntry.append("com.sun.security.auth.module.Krb5LoginModule required ")
            .append("useTicketCache=false ")
            .append("renewTicket=true ")
            .append("serviceName=\"").append(serviceName).append("\" ")
            .append("useKeyTab=true ")
            .append("keyTab=\"").append(keytab).append("\" ")
            .append("principal=\"").append(principal).append("\";");
    mapToPopulate.put(SaslConfigs.SASL_JAAS_CONFIG, jaasEntry.toString());
}
 
Example #11
Source File: KafkaRecordSink_2_0.java    From nifi with Apache License 2.0
/**
 * Populates the {@code sasl.jaas.config} client property for Kerberos, based on KAFKA-4259
 * (https://cwiki.apache.org/confluence/display/KAFKA/KIP-85%3A+Dynamic+JAAS+configuration+for+Kafka+clients).
 *
 * <p>The generated value has the form
 * {@code <LoginModuleClass> <ControlFlag> *(<OptionName>=<OptionValue>);} where the control flag is
 * one of required / requisite / sufficient / optional. Nothing is written unless keytab, principal
 * and service name are all non-blank.
 *
 * @param mapToPopulate Map of configuration properties
 * @param context       Context
 */
private static void setJaasConfig(Map<String, Object> mapToPopulate, ConfigurationContext context) {
    String principal = null;
    String keytab = null;

    // In this variant the Kerberos Credentials Service is the only source of principal and keytab.
    final KerberosCredentialsService kerberosService = context.getProperty(KafkaProcessorUtils.KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
    if (kerberosService != null) {
        principal = kerberosService.getPrincipal();
        keytab = kerberosService.getKeytab();
    }

    final String serviceName = context.getProperty(KafkaProcessorUtils.JAAS_SERVICE_NAME).evaluateAttributeExpressions().getValue();

    // All three values are required; the checks run in the order keytab, principal, service name.
    if (StringUtils.isNotBlank(keytab)) {
        if (StringUtils.isNotBlank(principal)) {
            if (StringUtils.isNotBlank(serviceName)) {
                // NOTE(review): values are quoted but not escaped; a '"' or '\' inside any of them
                // changes how the JAAS entry is parsed. Validate or escape them upstream.
                mapToPopulate.put(SaslConfigs.SASL_JAAS_CONFIG, "com.sun.security.auth.module.Krb5LoginModule required "
                        + "useTicketCache=false "
                        + "renewTicket=true "
                        + "serviceName=\"" + serviceName + "\" "
                        + "useKeyTab=true "
                        + "keyTab=\"" + keytab + "\" "
                        + "principal=\"" + principal + "\";");
            }
        }
    }
}
 
Example #12
Source File: KafkaProcessorUtils.java    From nifi with Apache License 2.0
/**
 * Populates {@code sasl.jaas.config} with a {@code ScramLoginModule} entry built from the
 * USERNAME and PASSWORD properties, adding {@code tokenauth="true"} when TOKEN_AUTH is true.
 *
 * <p>The password ends up in clear text inside the map value, so the populated map must not be
 * logged. NOTE(review): username and password are quoted but not escaped; a {@code "} or
 * {@code \} in either changes how the JAAS entry is parsed — validate or escape upstream.
 *
 * @param mapToPopulate map of client configuration properties to write into
 * @param context       process context the property values are read from
 */
private static void setScramJaasConfig(final Map<String, Object> mapToPopulate, final ProcessContext context) {
    final String username = context.getProperty(USERNAME).evaluateAttributeExpressions().getValue();
    final String password = context.getProperty(PASSWORD).evaluateAttributeExpressions().getValue();
    final Boolean tokenAuth = context.getProperty(TOKEN_AUTH).asBoolean();

    String jaasEntry = "org.apache.kafka.common.security.scram.ScramLoginModule required "
            + "username=\"" + username + "\" "
            + "password=\"" + password + "\"";

    // An unset TOKEN_AUTH (null) is treated the same as false.
    if (Boolean.TRUE.equals(tokenAuth)) {
        jaasEntry += " tokenauth=\"true\"";
    }

    mapToPopulate.put(SaslConfigs.SASL_JAAS_CONFIG, jaasEntry + ";");
}
 
Example #13
Source File: KafkaProcessorUtils.java    From nifi with Apache License 2.0
/**
 * Populates {@code sasl.jaas.config} with a keytab-based {@code Krb5LoginModule} entry for GSSAPI.
 *
 * <p>Keytab and principal are read from the USER_KEYTAB / USER_PRINCIPAL properties and replaced by
 * the values of the Kerberos Credentials Service when one is configured. Nothing is written unless
 * keytab, principal and service name are all non-blank.
 *
 * @param mapToPopulate map of client configuration properties to write into
 * @param context       process context the property values are read from
 */
private static void setGssApiJaasConfig(final Map<String, Object> mapToPopulate, final ProcessContext context) {
    String principal = context.getProperty(USER_PRINCIPAL).evaluateAttributeExpressions().getValue();
    String keytab = context.getProperty(USER_KEYTAB).evaluateAttributeExpressions().getValue();

    // A configured Kerberos Credentials Service overrides the explicit principal/keytab properties.
    // The original comment states that customValidate allows only one of the two to be set.
    final KerberosCredentialsService kerberosService = context.getProperty(KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
    if (kerberosService != null) {
        principal = kerberosService.getPrincipal();
        keytab = kerberosService.getKeytab();
    }

    final String serviceName = context.getProperty(JAAS_SERVICE_NAME).evaluateAttributeExpressions().getValue();

    final boolean haveEverything = StringUtils.isNotBlank(keytab)
            && StringUtils.isNotBlank(principal)
            && StringUtils.isNotBlank(serviceName);
    if (!haveEverything) {
        return;
    }

    // NOTE(review): values are quoted but not escaped; a '"' or '\' inside any of them changes how
    // the JAAS entry is parsed. Validate or escape them upstream.
    final String quotedServiceName = "serviceName=\"" + serviceName + "\" ";
    final String quotedKeytab = "keyTab=\"" + keytab + "\" ";
    final String quotedPrincipal = "principal=\"" + principal + "\";";
    mapToPopulate.put(SaslConfigs.SASL_JAAS_CONFIG, "com.sun.security.auth.module.Krb5LoginModule required "
            + "useTicketCache=false "
            + "renewTicket=true "
            + quotedServiceName
            + "useKeyTab=true "
            + quotedKeytab
            + quotedPrincipal);
}
 
Example #14
Source File: KafkaAuthenticationSpecificConfigTest.java    From ditto with Eclipse Public License 2.0
/**
 * Asserts that applying the configuration under test to the default producer settings yields the
 * given SASL mechanism together with a {@code ScramLoginModule} JAAS entry for the known test user.
 *
 * @param connection connection whose credentials are applied
 * @param mechanism  expected value of {@code SaslConfigs.SASL_MECHANISM}
 */
private void shouldContainScramSaslMechanism(final Connection connection, final String mechanism) {
    final String expectedJaasConfig =
            "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"" + KNOWN_USER +
                    "\" password=\"" + KNOWN_PASSWORD + "\";";

    final ProducerSettings<String, String> applied = underTest.apply(defaultProducerSettings, connection);

    assertThat(applied.properties().get(SaslConfigs.SASL_MECHANISM).get()).isEqualTo(mechanism);
    assertThat(applied.properties().get(SaslConfigs.SASL_JAAS_CONFIG).get()).isEqualTo(expectedJaasConfig);
}
 
Example #15
Source File: RangerKafkaAuthorizer.java    From ranger with Apache License 2.0
/**
 * Configures the authorizer: on first use performs a Kerberos (GSSAPI) login through Kafka's
 * {@code LoginManager}, registers the resulting subject as the UGI login user, creates the Ranger
 * plugin, then initialises the plugin and installs the audit handler.
 *
 * <p>Plugin creation is guarded by a null check, a class-level lock and a second null check.
 * NOTE(review): the declaration of {@code rangerPlugin} is not visible here — confirm it is
 * declared so that the unsynchronised first read is safe.
 *
 * @param configs broker configuration; {@code ranger.jaas.context} may name the JAAS context to use
 */
@Override
public void configure(Map<String, ?> configs) {
	RangerBasePlugin me = rangerPlugin;
	if (me == null) {
		synchronized(RangerKafkaAuthorizer.class) {
			// Re-read under the lock in case another thread created the plugin meanwhile.
			me = rangerPlugin;
			if (me == null) {
				try {
					// The JAAS configuration used by Ranger can be overridden; otherwise
					// SASL_PLAINTEXT is used, which makes Kafka look up 'sasl_plaintext.KafkaServer'
					// and, if that is not defined, fall back to the 'KafkaServer' configuration.
					final Object jaasContext = configs.get("ranger.jaas.context");
					final String listenerName = (jaasContext instanceof String
							&& StringUtils.isNotEmpty((String) jaasContext)) ? (String) jaasContext
									: SecurityProtocol.SASL_PLAINTEXT.name();
					final String saslMechanism = SaslConfigs.GSSAPI_MECHANISM;
					JaasContext context = JaasContext.loadServerContext(new ListenerName(listenerName), saslMechanism, configs);
					LoginManager loginManager = LoginManager.acquireLoginManager(context, saslMechanism, KerberosLogin.class, configs);
					Subject subject = loginManager.subject();
					UserGroupInformation ugi = MiscUtil
							.createUGIFromSubject(subject);
					if (ugi != null) {
						MiscUtil.setUGILoginUser(ugi, subject);
					}
					logger.info("LoginUser=" + MiscUtil.getUGILoginUser());
				} catch (Throwable t) {
					// NOTE(review): a failed login is only logged; the plugin below is still created
					// and initialised — confirm later calls tolerate a missing login user.
					logger.error("Error getting principal.", t);
				}
				me = rangerPlugin = new RangerBasePlugin("kafka", "kafka");
			}
		}
	}
	// The steps below are outside the lock and run on every configure() call.
	logger.info("Calling plugin.init()");
	rangerPlugin.init();
	auditHandler = new RangerKafkaAuditHandler();
	rangerPlugin.setResultProcessor(auditHandler);
}
 
Example #16
Source File: KafkaProcessorUtils.java    From nifi with Apache License 2.0
/**
 * Populates {@code sasl.jaas.config} with a {@code PlainLoginModule} entry built from the
 * USERNAME and PASSWORD properties.
 *
 * <p>With the PLAIN mechanism the password is sent to the broker as-is, so it is only protected
 * when the connection itself is encrypted (a {@code SASL_SSL} security protocol). The password
 * also sits in clear text in the map value; do not log the populated map.
 * NOTE(review): username and password are quoted but not escaped; a {@code "} or {@code \} in
 * either changes how the JAAS entry is parsed — validate or escape upstream.
 *
 * @param mapToPopulate map of client configuration properties to write into
 * @param context       process context the property values are read from
 */
private static void setPlainJaasConfig(final Map<String, Object> mapToPopulate, final ProcessContext context) {
    final String username = context.getProperty(USERNAME).evaluateAttributeExpressions().getValue();
    final String password = context.getProperty(PASSWORD).evaluateAttributeExpressions().getValue();

    final StringBuilder jaasEntry = new StringBuilder("org.apache.kafka.common.security.plain.PlainLoginModule required ");
    jaasEntry.append("username=\"").append(username).append("\" ");
    jaasEntry.append("password=\"").append(password).append("\";");

    mapToPopulate.put(SaslConfigs.SASL_JAAS_CONFIG, jaasEntry.toString());
}
 
Example #17
Source File: LoginManager.java    From datacollector with Apache License 2.0
/**
 * Returns the Kerberos service name from the {@code sasl.kerberos.service.name} client setting.
 *
 * <p>Changed for SDC-2430: the previous implementation also read the service name from the Kafka
 * client JAAS file and rejected conflicting values; this version consults the client configuration
 * only, so {@code loginContext} is not used.
 *
 * @param loginContext JAAS login context name (unused since SDC-2430)
 * @param configs      Kafka client configuration
 * @return the configured service name
 * @throws IOException declared for signature compatibility; this implementation does not throw it
 * @throws IllegalArgumentException if the client configuration has no service name
 */
private static String getServiceName(String loginContext, Map<String, ?> configs) throws IOException {
    // BEGIN changes for SDC-2430
    final String serviceNameFromConfig = (String) configs.get(SaslConfigs.SASL_KERBEROS_SERVICE_NAME);
    if (serviceNameFromConfig == null) {
        throw new IllegalArgumentException("No serviceName defined in Kafka config. " +
          "Please specify the kafka service name using the \"sasl.kerberos.service.name\" configuration in the client.");
    }
    return serviceNameFromConfig;
    // END changes for SDC-2430
}
 
Example #18
Source File: EventStreamsConsoleSample.java    From event-streams-samples with Apache License 2.0
/**
 * Builds the client settings shared by this sample's Kafka clients: SASL/PLAIN over TLS with the
 * API key as the password of the fixed user {@code token}.
 *
 * <p>Transport security is what protects the API key here: the protocol is {@code SASL_SSL} and
 * endpoint identification is set to {@code HTTPS}, so the broker certificate is checked against the
 * host name. The enabled protocol list is pinned to {@code TLSv1.2}.
 * NOTE(review): the API key is quoted but not escaped inside the JAAS entry, and the returned map
 * holds it in clear text — avoid logging the map.
 *
 * @param boostrapServers bootstrap server list for the cluster
 * @param apikey          API key used as the SASL password
 * @return a new mutable map with the common client settings
 */
static final Map<String, Object> getCommonConfigs(String boostrapServers, String apikey) {
    final String jaasEntry = "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"token\" password=\"" + apikey + "\";";

    Map<String, Object> common = new HashMap<>();
    common.put(CommonClientConfigs.BOOTSTRAP_SERVERS_CONFIG, boostrapServers);

    // Authentication.
    common.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_SSL");
    common.put(SaslConfigs.SASL_MECHANISM, "PLAIN");
    common.put(SaslConfigs.SASL_JAAS_CONFIG, jaasEntry);

    // Transport security.
    common.put(SslConfigs.SSL_PROTOCOL_CONFIG, "TLSv1.2");
    common.put(SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, "TLSv1.2");
    common.put(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, "HTTPS");
    return common;
}
 
Example #19
Source File: KafkaClientProperties.java    From strimzi-kafka-operator with Apache License 2.0
/**
 * Sets {@code sasl.jaas.config} to an OAuth bearer login entry for the given client.
 *
 * <p>NOTE(review): the parameter is called {@code clientSecretName} but its value is written
 * directly to {@code oauth.client.secret} — confirm callers pass the secret itself. The secret is
 * stored in clear text in the property, and none of the values are escaped before being quoted.
 *
 * @param clientId OAuth client id
 * @param clientSecretName value written to {@code oauth.client.secret}
 * @param oauthTokenEndpointUri token endpoint of the authorization server
 * @return this builder
 * @throws InvalidParameterException if any argument is empty
 */
public KafkaClientPropertiesBuilder withSaslJassConfig(String clientId, String clientSecretName, String oauthTokenEndpointUri) {
    final boolean allProvided = !clientId.isEmpty()
        && !clientSecretName.isEmpty()
        && !oauthTokenEndpointUri.isEmpty();
    if (!allProvided) {
        throw new InvalidParameterException("You do not specify client-id, client-secret name or oauth-token-endpoint-uri inside kafka client!");
    }

    final String jaasEntry =
        "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule " +
            "required " +
            "oauth.client.id=\"" + clientId + "\" " +
            "oauth.client.secret=\"" + clientSecretName + "\" " +
            "oauth.token.endpoint.uri=\"" + oauthTokenEndpointUri + "\";";
    this.properties.setProperty(SaslConfigs.SASL_JAAS_CONFIG, jaasEntry);

    return this;
}
 
Example #20
Source File: KafkaProcessorUtils.java    From nifi with Apache License 2.0
/**
 * Copies the processor's properties into {@code mapToPopulate} as Kafka client settings.
 *
 * <p>For the SSL Context Service property, the keystore and truststore details of the service are
 * translated into the corresponding {@code SslConfigs} keys. Every property (that one included) is
 * then copied under its own name, but only if the name matches a static String field of
 * {@code kafkaConfigClass}, {@code CommonClientConfigs}, {@code SslConfigs} or {@code SaslConfigs},
 * as decided by {@code isStaticStringFieldNamePresent}.
 *
 * <p>The populated map contains keystore, key and truststore passwords in clear text; do not log it.
 *
 * @param context          process context the property values are read from
 * @param kafkaConfigClass Kafka config class whose static String fields define the accepted names
 * @param mapToPopulate    map of client configuration properties to write into
 */
static void buildCommonKafkaProperties(final ProcessContext context, final Class<?> kafkaConfigClass, final Map<String, Object> mapToPopulate) {
    for (final PropertyDescriptor descriptor : context.getProperties().keySet()) {
        if (descriptor.equals(SSL_CONTEXT_SERVICE)) {
            // Translate SSLContext Service configuration into Kafka properties
            final SSLContextService sslService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
            if (sslService != null) {
                if (sslService.isKeyStoreConfigured()) {
                    mapToPopulate.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, sslService.getKeyStoreFile());
                    mapToPopulate.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, sslService.getKeyStorePassword());
                    // The key password falls back to the keystore password when none is set.
                    String keyPassword = sslService.getKeyPassword();
                    if (keyPassword == null) {
                        keyPassword = sslService.getKeyStorePassword();
                    }
                    mapToPopulate.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, keyPassword);
                    mapToPopulate.put(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG, sslService.getKeyStoreType());
                }

                if (sslService.isTrustStoreConfigured()) {
                    mapToPopulate.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, sslService.getTrustStoreFile());
                    mapToPopulate.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, sslService.getTrustStorePassword());
                    mapToPopulate.put(SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, sslService.getTrustStoreType());
                }
            }
        }

        final String name = descriptor.getName();
        String value;
        if (descriptor.isExpressionLanguageSupported()) {
            value = context.getProperty(descriptor).evaluateAttributeExpressions().getValue();
        } else {
            value = context.getProperty(descriptor).getValue();
        }

        if (value == null) {
            continue;
        }

        // A name ending in ".ms" is a time period: accept either a plain number of milliseconds
        // or the standard NiFi time period notation such as "5 secs".
        if (name.endsWith(".ms") && !StringUtils.isNumeric(value.trim())) { // kafka standard time notation
            value = String.valueOf(FormatUtils.getTimeDuration(value.trim(), TimeUnit.MILLISECONDS));
        }

        // Only names known to the Kafka config classes are passed through.
        if (isStaticStringFieldNamePresent(name, kafkaConfigClass, CommonClientConfigs.class, SslConfigs.class, SaslConfigs.class)) {
            mapToPopulate.put(name, value);
        }
    }
}
 
Example #21
Source File: KafkaProcessorUtils.java    From localization_nifi with Apache License 2.0
/**
 * Translates the processor's configured properties into Kafka client settings and stores them
 * in {@code mapToPopulate}.
 *
 * <p>When the SSL context service property is present, its keystore and truststore settings are
 * copied into the map, including the keystore, key and truststore passwords. The populated map
 * therefore holds secret values and should not be logged or exposed as-is.
 *
 * @param context          processor context the property values are read from
 * @param kafkaConfigClass Kafka config class passed to the property-name check
 * @param mapToPopulate    receives the resulting Kafka client properties
 */
static void buildCommonKafkaProperties(final ProcessContext context, final Class<?> kafkaConfigClass, final Map<String, Object> mapToPopulate) {
    for (final PropertyDescriptor descriptor : context.getProperties().keySet()) {
        if (descriptor.equals(SSL_CONTEXT_SERVICE)) {
            // Map the SSLContext Service settings onto the matching Kafka ssl.* properties.
            final SSLContextService tlsService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
            if (tlsService != null) {
                if (tlsService.isKeyStoreConfigured()) {
                    mapToPopulate.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, tlsService.getKeyStoreFile());
                    mapToPopulate.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, tlsService.getKeyStorePassword());
                    // Without a dedicated key password the keystore password is used for the key as well.
                    final String keyPassword;
                    if (tlsService.getKeyPassword() == null) {
                        keyPassword = tlsService.getKeyStorePassword();
                    } else {
                        keyPassword = tlsService.getKeyPassword();
                    }
                    mapToPopulate.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, keyPassword);
                    mapToPopulate.put(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG, tlsService.getKeyStoreType());
                }

                if (tlsService.isTrustStoreConfigured()) {
                    mapToPopulate.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, tlsService.getTrustStoreFile());
                    mapToPopulate.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, tlsService.getTrustStorePassword());
                    mapToPopulate.put(SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, tlsService.getTrustStoreType());
                }
            }
        }

        final String name = descriptor.getName();
        String value;
        if (descriptor.isExpressionLanguageSupported()) {
            value = context.getProperty(descriptor).evaluateAttributeExpressions().getValue();
        } else {
            value = context.getProperty(descriptor).getValue();
        }

        if (value == null) {
            continue;
        }

        // A ".ms" property is a time period: accept either a plain number of milliseconds
        // or a NiFi time period such as "5 secs", which is converted to milliseconds here.
        if (name.endsWith(".ms")) {
            final String trimmed = value.trim();
            if (!StringUtils.isNumeric(trimmed)) {
                value = String.valueOf(FormatUtils.getTimeDuration(trimmed, TimeUnit.MILLISECONDS));
            }
        }

        // Only names accepted by the check against the given config classes are forwarded
        // (presumably: names declared as static String fields there; the helper is not shown).
        if (isStaticStringFieldNamePresent(name, kafkaConfigClass, CommonClientConfigs.class, SslConfigs.class, SaslConfigs.class)) {
            mapToPopulate.put(name, value);
        }
    }
}
 
Example #22
Source File: KafkaAuthenticationSpecificConfigTest.java    From ditto with Eclipse Public License 2.0 5 votes vote down vote up
/**
 * Asserts that applying the authentication config to the default producer settings yields the
 * PLAIN SASL mechanism and a PlainLoginModule JAAS entry built from the known test credentials.
 *
 * @param connection connection handed to the config under test
 */
private void shouldContainPlainSaslMechanism(final Connection connection) {
    // Expected JAAS line: login module, "required" flag, then the quoted user name and password.
    final String expectedJaasConfig =
            "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"" + KNOWN_USER +
                    "\" password=\"" + KNOWN_PASSWORD + "\";";

    final ProducerSettings<String, String> appliedSettings = underTest.apply(defaultProducerSettings, connection);

    assertThat(appliedSettings.properties().get(SaslConfigs.SASL_MECHANISM).get())
            .isEqualTo(KNOWN_PLAIN_SASL_MECHANISM);
    assertThat(appliedSettings.properties().get(SaslConfigs.SASL_JAAS_CONFIG).get())
            .isEqualTo(expectedJaasConfig);
}
 
Example #23
Source File: CruiseControlMetricsUtils.java    From cruise-control with BSD 2-Clause "Simplified" License 5 votes vote down vote up
/**
 * Copies the security-related settings from the given
 * {@link CruiseControlMetricsReporterConfig configs} into the AdminClient configs.
 *
 * <p>The security protocol, SASL mechanism and SASL JAAS config are always attempted; the SSL
 * keystore/truststore settings are copied only when the protocol is SSL or SASL_SSL.
 *
 * @param adminClientConfigs Configs that are updated in place and returned.
 * @param configs Configs the security settings are read from.
 * @return The same {@code adminClientConfigs} instance.
 */
public static Properties addSslConfigs(Properties adminClientConfigs, CruiseControlMetricsReporterConfig configs) {
  try {
    String securityProtocol = configs.getString(AdminClientConfig.SECURITY_PROTOCOL_CONFIG);
    adminClientConfigs.put(AdminClientConfig.SECURITY_PROTOCOL_CONFIG, securityProtocol);
    setStringConfigIfExists(configs, adminClientConfigs, SaslConfigs.SASL_MECHANISM);
    setPasswordConfigIfExists(configs, adminClientConfigs, SaslConfigs.SASL_JAAS_CONFIG);

    boolean usesTls = securityProtocol.equals(SecurityProtocol.SSL.name)
        || securityProtocol.equals(SecurityProtocol.SASL_SSL.name);
    if (usesTls) {
      // Plain string settings first, in the same order as before.
      String[] stringKeys = {
          SslConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG,
          SslConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG,
          SslConfigs.SSL_KEYSTORE_TYPE_CONFIG,
          SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG,
          SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG,
          SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG,
          SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_CONFIG
      };
      for (String key : stringKeys) {
        setStringConfigIfExists(configs, adminClientConfigs, key);
      }

      // Secrets go through the password setter.
      String[] passwordKeys = {
          SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG,
          SslConfigs.SSL_KEY_PASSWORD_CONFIG,
          SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG
      };
      for (String key : passwordKeys) {
        setPasswordConfigIfExists(configs, adminClientConfigs, key);
      }
    }
  } catch (ConfigException ce) {
    // Deliberately ignored. NOTE(review): a failure part-way through leaves only the settings
    // copied so far in place, so the returned configs may carry an incomplete security setup.
  }

  return adminClientConfigs;
}
 
Example #24
Source File: KafkaStreamsPropertiesTest.java    From quarkus with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies that the expected entries are present among the original (user-supplied) properties
 * of the {@code StreamsConfig} held by the {@code streams} instance.
 */
@Test
public void testProperties() throws Exception {
    // The raw config is only reachable through the private "config" field, hence the reflection.
    final Field privateConfigField = KafkaStreams.class.getDeclaredField("config");
    privateConfigField.setAccessible(true);
    final StreamsConfig streamsConfig = (StreamsConfig) privateConfigField.get(streams);

    final Map<String, Object> suppliedProps = streamsConfig.originals();

    Assertions.assertEquals("20", suppliedProps.get(SaslConfigs.SASL_LOGIN_REFRESH_BUFFER_SECONDS));
    Assertions.assertEquals("http://localhost:8080", suppliedProps.get("apicurio.registry.url"));
    Assertions.assertEquals("dummy", suppliedProps.get("some-property"));
}
 
Example #25
Source File: SaslKafkaEndpoint.java    From quarkus with Apache License 2.0 5 votes vote down vote up
/**
 * Configures the given client properties for SASL/PLAIN authentication with a fixed user.
 *
 * <p>The protocol is SASL_PLAINTEXT, so the connection is not TLS-protected and the PLAIN
 * credentials cross the network unencrypted; the user name and password are literals in the
 * source. NOTE(review): this looks like a fixture for a local test broker. Outside of that,
 * SASL_SSL and credentials loaded from protected configuration are the usual choice.
 *
 * @param props client properties to update in place
 */
private static void addJAAS(Properties props) {
    // JAAS entry: login module, control flag, then the module options, terminated by ';'.
    final String plainLoginEntry = "org.apache.kafka.common.security.plain.PlainLoginModule required "
            + "username=\"client\" "
            + "password=\"client-secret\";";

    props.setProperty(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_PLAINTEXT");
    props.setProperty(SaslConfigs.SASL_MECHANISM, "PLAIN");
    props.setProperty(SaslConfigs.SASL_JAAS_CONFIG, plainLoginEntry);
}
 
Example #26
Source File: SaslKafkaConsumerTest.java    From quarkus with Apache License 2.0 5 votes vote down vote up
/**
 * Adds SASL/PLAIN client settings (security protocol, mechanism and JAAS entry) to {@code props}.
 *
 * <p>SASL_PLAINTEXT means no TLS: with the PLAIN mechanism the hard-coded user name and password
 * below are sent in clear text. NOTE(review): presumably intended for a test broker only.
 *
 * @param props consumer properties to update in place
 */
private static void addJaas(Properties props) {
    final StringBuilder jaasEntry = new StringBuilder();
    jaasEntry.append("org.apache.kafka.common.security.plain.PlainLoginModule required ");
    jaasEntry.append("username=\"client\" ");
    jaasEntry.append("password=\"client-secret\";");

    props.setProperty(SaslConfigs.SASL_JAAS_CONFIG, jaasEntry.toString());
    props.setProperty(SaslConfigs.SASL_MECHANISM, "PLAIN");
    props.setProperty(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_PLAINTEXT");
}
 
Example #27
Source File: KafkaCruiseControlUtils.java    From cruise-control with BSD 2-Clause "Simplified" License 5 votes vote down vote up
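/**
 * Parse AdminClient configs based on the given {@link KafkaCruiseControlConfig configs}.
 *
 * <p>The result always contains the bootstrap servers as a comma-separated string. The security
 * protocol, SASL settings and (for SSL or SASL_SSL) the SSL settings are added on a best-effort
 * basis: a {@link ConfigException} raised while reading them is ignored.
 *
 * @param configs Configs to be used for parsing AdminClient configs.
 * @return AdminClient configs.
 */
public static Map<String, Object> parseAdminClientConfigs(KafkaCruiseControlConfig configs) {
  Map<String, Object> adminClientConfigs = new HashMap<>();
  // Add bootstrap server.
  List<String> bootstrapServers = configs.getList(AdminClientConfig.BOOTSTRAP_SERVERS_CONFIG);
  // Join the entries directly instead of stripping '[' and ']' from List#toString(): the old
  // form also removed the brackets of IPv6 literals such as "[::1]:9092". Spaces are still dropped.
  String bootstrapServersString = String.join(",", bootstrapServers).replace(" ", "");
  adminClientConfigs.put(AdminClientConfig.BOOTSTRAP_SERVERS_CONFIG, bootstrapServersString);

  // Add security protocol (if specified).
  try {
    String securityProtocol = configs.getString(AdminClientConfig.SECURITY_PROTOCOL_CONFIG);
    adminClientConfigs.put(AdminClientConfig.SECURITY_PROTOCOL_CONFIG, securityProtocol);
    setStringConfigIfExists(configs, adminClientConfigs, SaslConfigs.SASL_MECHANISM);
    setClassConfigIfExists(configs, adminClientConfigs, SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS);
    setPasswordConfigIfExists(configs, adminClientConfigs, SaslConfigs.SASL_JAAS_CONFIG);

    // Configure SSL configs (if security protocol is SSL or SASL_SSL).
    // Constant-first equals keeps a null protocol value from raising a NullPointerException,
    // which the ConfigException handler below would not catch.
    if (SecurityProtocol.SSL.name.equals(securityProtocol) || SecurityProtocol.SASL_SSL.name.equals(securityProtocol)) {
      setStringConfigIfExists(configs, adminClientConfigs, SslConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG);
      setStringConfigIfExists(configs, adminClientConfigs, SslConfigs.SSL_KEYMANAGER_ALGORITHM_CONFIG);
      setStringConfigIfExists(configs, adminClientConfigs, SslConfigs.SSL_KEYSTORE_TYPE_CONFIG);
      setStringConfigIfExists(configs, adminClientConfigs, SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG);
      setStringConfigIfExists(configs, adminClientConfigs, SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG);
      setStringConfigIfExists(configs, adminClientConfigs, SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG);
      setStringConfigIfExists(configs, adminClientConfigs, SslConfigs.SSL_SECURE_RANDOM_IMPLEMENTATION_CONFIG);
      // Controls whether the broker certificate is matched against the host name.
      setStringConfigIfExists(configs, adminClientConfigs, SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG);
      setPasswordConfigIfExists(configs, adminClientConfigs, SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG);
      setPasswordConfigIfExists(configs, adminClientConfigs, SslConfigs.SSL_KEY_PASSWORD_CONFIG);
      setPasswordConfigIfExists(configs, adminClientConfigs, SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG);
    }
  } catch (ConfigException ce) {
    // Deliberately ignored: the security settings are treated as optional.
    // NOTE(review): a failure part-way through leaves only the settings copied so far, so the
    // AdminClient may start with an incomplete security configuration; consider logging here.
  }

  return adminClientConfigs;
}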
 
Example #28
Source File: KafkaServiceImpl.java    From kafka-eagle with Apache License 2.0 5 votes vote down vote up
/**
 * Copies the SASL client settings of one cluster into the given Kafka properties.
 *
 * <p>Sets the security protocol, the client id (only when the configured value is not the empty
 * string), the SASL mechanism and the JAAS config, all looked up under
 * {@code <clusterAlias>.kafka.eagle.sasl.*}. The JAAS config value typically carries the login
 * credentials, so the populated properties should not be logged.
 *
 * @param props        Kafka client properties to update in place
 * @param clusterAlias prefix selecting the cluster's entries in the system configuration
 */
public void sasl(Properties props, String clusterAlias) {
	final String protocolKey = clusterAlias + ".kafka.eagle.sasl.protocol";
	final String clientIdKey = clusterAlias + ".kafka.eagle.sasl.client.id";
	final String mechanismKey = clusterAlias + ".kafka.eagle.sasl.mechanism";
	final String jaasConfigKey = clusterAlias + ".kafka.eagle.sasl.jaas.config";

	// These are SASL authentication settings; whether the transport is encrypted depends on the
	// configured protocol value.
	// NOTE(review): Properties rejects null values, so a lookup that returns null for a missing
	// key would fail here - confirm what SystemConfigUtils.getProperty returns in that case.
	props.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, SystemConfigUtils.getProperty(protocolKey));

	final boolean clientIdIsEmpty = "".equals(SystemConfigUtils.getProperty(clientIdKey));
	if (!clientIdIsEmpty) {
		props.put(CommonClientConfigs.CLIENT_ID_CONFIG, SystemConfigUtils.getProperty(clientIdKey));
	}

	props.put(SaslConfigs.SASL_MECHANISM, SystemConfigUtils.getProperty(mechanismKey));
	props.put(SaslConfigs.SASL_JAAS_CONFIG, SystemConfigUtils.getProperty(jaasConfigKey));
}
 
Example #29
Source File: KafkaProcessorUtils.java    From localization_nifi with Apache License 2.0 5 votes vote down vote up
/**
 * Fills {@code mapToPopulate} with Kafka client properties derived from the processor context.
 *
 * <p>Keystore and truststore locations, types and passwords are taken from the SSL context
 * service when that property is configured; every other property is forwarded under its own
 * name if the name check against the Kafka config classes accepts it. Because passwords are
 * stored as plain values, the resulting map should be treated as sensitive.
 *
 * @param context          source of the configured property values
 * @param kafkaConfigClass additional Kafka config class consulted by the name check
 * @param mapToPopulate    destination map for the Kafka client properties
 */
static void buildCommonKafkaProperties(final ProcessContext context, final Class<?> kafkaConfigClass, final Map<String, Object> mapToPopulate) {
    for (final PropertyDescriptor current : context.getProperties().keySet()) {
        if (current.equals(SSL_CONTEXT_SERVICE)) {
            // Carry the SSLContext Service configuration over to the Kafka ssl.* keys.
            final SSLContextService sslService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
            final boolean serviceAvailable = sslService != null;

            if (serviceAvailable && sslService.isKeyStoreConfigured()) {
                mapToPopulate.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, sslService.getKeyStoreFile());
                mapToPopulate.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, sslService.getKeyStorePassword());
                // Fall back to the keystore password when no separate key password is set.
                mapToPopulate.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG,
                        sslService.getKeyPassword() == null ? sslService.getKeyStorePassword() : sslService.getKeyPassword());
                mapToPopulate.put(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG, sslService.getKeyStoreType());
            }

            if (serviceAvailable && sslService.isTrustStoreConfigured()) {
                mapToPopulate.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, sslService.getTrustStoreFile());
                mapToPopulate.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, sslService.getTrustStorePassword());
                mapToPopulate.put(SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, sslService.getTrustStoreType());
            }
        }

        final String key = current.getName();
        final String rawValue = current.isExpressionLanguageSupported()
                ? context.getProperty(current).evaluateAttributeExpressions().getValue()
                : context.getProperty(current).getValue();

        if (rawValue != null) {
            // Names ending in ".ms" are durations: a non-numeric value is read as a NiFi time
            // period (for example "5 secs") and converted to a number of milliseconds.
            final boolean needsDurationConversion = key.endsWith(".ms") && !StringUtils.isNumeric(rawValue.trim());
            final String effectiveValue = needsDurationConversion
                    ? String.valueOf(FormatUtils.getTimeDuration(rawValue.trim(), TimeUnit.MILLISECONDS))
                    : rawValue;

            if (isStaticStringFieldNamePresent(key, kafkaConfigClass, CommonClientConfigs.class, SslConfigs.class, SaslConfigs.class)) {
                mapToPopulate.put(key, effectiveValue);
            }
        }
    }
}
 
Example #30
Source File: KafkaAuthenticationSpecificConfig.java    From ditto with Eclipse Public License 2.0 5 votes vote down vote up
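/**
 * Adds the SASL mechanism and the matching JAAS config to the producer settings when the
 * connection is valid for this config and carries both a user name and a password.
 *
 * @param producerSettings settings to extend
 * @param connection connection providing the credentials and the SASL mechanism
 * @return the extended settings, or {@code producerSettings} unchanged when the connection is
 * not valid or lacks a user name or password
 */
@Override
public ProducerSettings<String, String> apply(final ProducerSettings<String, String> producerSettings,
        final Connection connection) {

    final Optional<String> username = connection.getUsername();
    final Optional<String> password = connection.getPassword();
    // chose to not use isApplicable() but directly check username and password since we need to Optional#get them.
    if (isValid(connection) && username.isPresent() && password.isPresent()) {
        // Locale.ROOT keeps the upper-casing independent of the JVM default locale; with a
        // Turkish default locale "plain" would otherwise become "PLAİN" and no longer match.
        final String saslMechanism = getSaslMechanismOrDefault(connection).toUpperCase(java.util.Locale.ROOT);
        final String loginModule = getLoginModuleForSaslMechanism(saslMechanism);
        // NOTE(review): user name and password become part of the JAAS config string; confirm
        // that getJaasConfig quotes/escapes them so a quote character cannot alter the entry.
        final String jaasConfig = getJaasConfig(loginModule, username.get(), password.get());

        return producerSettings.withProperty(SaslConfigs.SASL_MECHANISM, saslMechanism)
                .withProperty(SaslConfigs.SASL_JAAS_CONFIG, jaasConfig);
    }

    return producerSettings;
}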