fix: add server_fqdn to kerberos auth config

2024-08-02 09:03:46 +02:00 · 2024-08-02 09:03:46 +02:00 · 30420f0481
parent 319530ddf2
commit 30420f0481
2 changed files with 22 additions and 2 deletions
--- a/apps/emqx_auth_gssapi/src/emqx_authn_gssapi_schema.erl
+++ b/apps/emqx_auth_gssapi/src/emqx_authn_gssapi_schema.erl
@ -44,9 +44,16 @@ fields(gssapi) ->
                    required => true,
                    desc => ?DESC(principal)
                })},
-            {keytab_file,
+            {server_fqdn,
                ?HOCON(binary(), #{
                    required => true,
+                    desc => ?DESC(server_fqdn)
+                })},
+            {keytab_file,
+                ?HOCON(binary(), #{
+                    required => false,
+                    %% This is hidden for now because it has to be /etc/krb5.keytab
+                    importance => ?IMPORTANCE_HIDDEN,
                    desc => ?DESC(keytab_file)
                })}
        ].
--- a/rel/i18n/emqx_authn_gssapi_schema.hocon
+++ b/rel/i18n/emqx_authn_gssapi_schema.hocon
@ -8,8 +8,21 @@ principal {
        NOTE: The realm in use has to be configured in /etc/krb5.conf in EMQX nodes.~"""
 }

+server_fqdn {
+    label: "Server FQDN"
+    desc: """~
+        This is typically the network access point of the service, such as the DNS record of the load balancer endpoint.
+        However, it is not strictly necessary for it to be an accessible network address.
+        Important considerations include:
+
+        - It must match the FQDN used in the server's Kerberos principal, e.g., `mqtt/${SERVER_FQDN}@EXAMPLE.COM`.
+        - The client must use this exact value to request authentication services.
+
+        This ensures that the client and server agree on the identity being authenticated.~"""
+}
+
 keytab_file {
-    label: "keytab file"
+    label: "Keytab File"
    desc: """~
        SASL GSSAPI authentication Kerberos keytab file path.
        NOTE: This file has to be placed in EMQX nodes.~"""