def write_krb5_config_file(
    task: str,
    filename: str,
    krb5: sdk_auth.KerberosEnvironment,
) -> str:
    """
    Write a minimal krb5.conf inside a task and return its path.

    The file declares the default realm and one KDC for that realm, both
    read from ``krb5``. The values are interpolated as-is, with no
    validation or escaping, so ``krb5`` has to be a trusted source.

    Args:
        task: Passed through to ``sdk_cmd.create_task_text_file``
            (presumably the name of the task that receives the file).
        filename: Destination path of the config file.
        krb5: Kerberos environment supplying the realm and KDC address.

    Returns:
        ``filename``, unchanged.
    """
    log.info("Generating %s", filename)

    libdefaults_section = [
        "[libdefaults]",
        "default_realm = {}".format(krb5.get_realm()),
    ]
    realms_section = [
        "[realms]",
        "  {realm} = {{".format(realm=krb5.get_realm()),
        "    kdc = {}".format(krb5.get_kdc_address()),
        "  }",
    ]
    # The empty entry sits between the two sections.
    config_lines = libdefaults_section + [""] + realms_section

    # Only the realm name and the KDC address end up in this log line;
    # no key material is part of the generated config.
    log.info("%s", config_lines)

    creation_result = sdk_cmd.create_task_text_file(task, filename,
                                                    config_lines)
    log.info(creation_result)

    return filename
def _get_service_options(
    allow_access_if_no_acl: bool,
    kerberos: sdk_auth.KerberosEnvironment,
    zookeeper_dns: typing.List[str],
) -> typing.Dict:
    """
    Build service options with Kerberos and authorization switched on.

    Args:
        allow_access_if_no_acl: Stored as ``allow_everyone_if_no_acl_found``.
            When true, a resource with no ACL is presumably open to every
            principal, so only ``False`` gives deny-by-default
            authorization -- confirm against the service's option docs.
        kerberos: Supplies the KDC host and port, the realm and the
            keytab path.
        zookeeper_dns: ZooKeeper endpoints, joined with commas into one
            URI string.

    Returns:
        Nested options dict with a ``service`` and a ``kafka`` section.
    """
    service_name = config.SERVICE_NAME

    kdc_endpoint = {
        "hostname": kerberos.get_host(),
        # The port is emitted as an integer whatever get_port() returns.
        "port": int(kerberos.get_port()),
    }
    kerberos_section = {
        "enabled": True,
        "enabled_for_zookeeper": True,
        "kdc": kdc_endpoint,
        "realm": kerberos.get_realm(),
        # Whatever get_keytab_path() returns (presumably a secret-store
        # path, not keytab bytes -- confirm).
        "keytab_secret": kerberos.get_keytab_path(),
    }
    authorization_section = {
        "enabled": True,
        # A single, fixed super user principal.
        "super_users": "User:{}".format("super"),
        "allow_everyone_if_no_acl_found": allow_access_if_no_acl,
    }

    return {
        "service": {
            "name": service_name,
            "security": {
                "kerberos": kerberos_section,
                "authorization": authorization_section,
            },
        },
        "kafka": {
            "kafka_zookeeper_uri": ",".join(zookeeper_dns)
        },
    }
Exemple #3
def write_krb5_config_file(
    task: str,
    filename: str,
    krb5: sdk_auth.KerberosEnvironment,
) -> str:
    """
    Create a small Kerberos client config file in a task.

    The generated file has a ``[libdefaults]`` section naming the default
    realm and a ``[realms]`` section with one KDC for it. Realm and KDC
    address come straight from ``krb5`` and are written without any
    validation, so they are assumed to be trusted values.

    Args:
        task: Forwarded to ``sdk_cmd.create_task_text_file``.
        filename: Path the config file is written to.
        krb5: Source of the realm and of the KDC address.

    Returns:
        The ``filename`` argument.
    """
    log.info("Generating %s", filename)

    rendered_lines = ["[libdefaults]"]
    rendered_lines.append("default_realm = {}".format(krb5.get_realm()))
    rendered_lines.append("")
    rendered_lines.append("[realms]")
    rendered_lines.append("  {realm} = {{".format(realm=krb5.get_realm()))
    rendered_lines.append("    kdc = {}".format(krb5.get_kdc_address()))
    rendered_lines.append("  }")

    # The whole config is logged; it carries the realm and the KDC
    # address only, never a credential.
    log.info("%s", rendered_lines)

    write_result = sdk_cmd.create_task_text_file(task, filename, rendered_lines)
    log.info(write_result)

    return filename
def test_forward_kerberos_on_tls_off_plaintext_off(
    kerberized_kafka_client: client.KafkaClient, kerberos: sdk_auth.KerberosEnvironment
):
    """
    Enable Kerberos on the service, then check that the client still works.

    Only the Kerberos section is sent in the update; no TLS or plaintext
    option is set here.
    """
    kdc_endpoint = {"hostname": kerberos.get_host(), "port": int(kerberos.get_port())}
    kerberos_section = {
        "enabled": True,
        "kdc": kdc_endpoint,
        "realm": kerberos.get_realm(),
        "keytab_secret": kerberos.get_keytab_path(),
    }
    update_options = {"service": {"security": {"kerberos": kerberos_section}}}

    update_service(config.PACKAGE_NAME, config.SERVICE_NAME, update_options)

    connected = kerberized_kafka_client.connect(config.DEFAULT_BROKER_COUNT)
    assert connected

    # NOTE(review): the test name says TLS is off, yet the user checked is
    # TLS_USER -- confirm this is the intended principal.
    # The return value is not asserted here; presumably the helper asserts
    # internally -- confirm, otherwise a failed read/write passes silently.
    kerberized_kafka_client.check_users_can_read_and_write([TLS_USER], TOPIC_NAME)
Exemple #5
    def _get_kerberos_options(kerberos: sdk_auth.KerberosEnvironment) -> dict:
        """
        Build the options that expose the Kafka client keytab to a container.

        A secret named ``kafka_keytab`` is declared with the keytab path of
        ``kerberos`` as its source, and a volume maps that secret to a file
        inside the container.

        Args:
            kerberos: Kerberos environment whose keytab path is used as the
                secret source.

        Returns:
            Dict with a ``container`` and a ``secrets`` section.
        """
        secret_name = "kafka_keytab"

        # NOTE(review): the keytab lands under /tmp in the container. A
        # keytab is long-lived key material, so confirm the platform writes
        # the secret file with owner-only permissions.
        keytab_volume = {
            "containerPath": "/tmp/kafkaconfig/kafka-client.keytab",
            "secret": secret_name,
        }
        secret_sources = {secret_name: {"source": kerberos.get_keytab_path()}}

        return {
            "container": {"volumes": [keytab_volume]},
            "secrets": secret_sources,
        }