From 30420f0481c5aaee4ce7775ead34141b6b048c25 Mon Sep 17 00:00:00 2001
From: zmstone
Date: Fri, 2 Aug 2024 09:03:46 +0200
Subject: [PATCH] fix: add server_fqdn to kerberos auth config

---
 .../src/emqx_authn_gssapi_schema.erl | 9 ++++++++-
 rel/i18n/emqx_authn_gssapi_schema.hocon | 15 ++++++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/apps/emqx_auth_gssapi/src/emqx_authn_gssapi_schema.erl b/apps/emqx_auth_gssapi/src/emqx_authn_gssapi_schema.erl
index f0b72a3ec..6dd0e566e 100644
--- a/apps/emqx_auth_gssapi/src/emqx_authn_gssapi_schema.erl
+++ b/apps/emqx_auth_gssapi/src/emqx_authn_gssapi_schema.erl
@@ -44,9 +44,16 @@ fields(gssapi) ->
 required => true,
 desc => ?DESC(principal)
 })},
- {keytab_file,
+ {server_fqdn,
 ?HOCON(binary(), #{
 required => true,
+ desc => ?DESC(server_fqdn)
+ })},
+ {keytab_file,
+ ?HOCON(binary(), #{
+ required => false,
+ %% This is hidden for now because it has to be /etc/krb5.keytab
+ importance => ?IMPORTANCE_HIDDEN,
 desc => ?DESC(keytab_file)
 })}
 ].
diff --git a/rel/i18n/emqx_authn_gssapi_schema.hocon b/rel/i18n/emqx_authn_gssapi_schema.hocon
index 02c3cc847..875f8c965 100644
--- a/rel/i18n/emqx_authn_gssapi_schema.hocon
+++ b/rel/i18n/emqx_authn_gssapi_schema.hocon
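Review bot: The new `server_fqdn` field is accepted as any `binary()` with no validator, yet the accompanying i18n text says it is spliced into the service principal as `mqtt/${SERVER_FQDN}@REALM`; an empty value or one containing `/`, `@` or whitespace would yield a malformed principal or one naming a different service than the operator intended. Consider adding a `validator` alongside `required => true` that rejects an empty binary and any byte from that set, so the misconfiguration is reported at config load rather than surfacing as an opaque GSSAPI failure. Separately, `keytab_file` drops to `required => false` with no `default`, while the `%%` comment says it has to be /etc/krb5.keytab; either add `default => <<"/etc/krb5.keytab">>` so the schema itself documents the effective value, or extend the comment to state which code path supplies that path when the field is unset. The enclosing `fields(gssapi)` clause starts outside the hunk, so the `principal` field's own constraints were not reviewed here.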
@@ -8,8 +8,21 @@ principal {
 NOTE: The realm in use has to be configured in /etc/krb5.conf in EMQX nodes.~"""
 }
+server_fqdn {
+ label: "Server FQDN"
+ desc: """~
+ This is typically the network access point of the service, such as the DNS record of the load balancer endpoint.
+ However, it is not strictly necessary for it to be an accessible network address.
+ Important considerations include:
+
+ - It must match the FQDN used in the server's Kerberos principal, e.g., `mqtt/${SERVER_FQDN}@EXAMPLE.COM`.
+ - The client must use this exact value to request authentication services.
+
+ This ensures that the client and server agree on the identity being authenticated.~"""
+}
+
 keytab_file {
- label: "keytab file"
+ label: "Keytab File"
 desc: """~
 SASL GSSAPI authentication Kerberos keytab file path.
 NOTE: This file has to be placed in EMQX nodes.~"""