diff --git a/.ci/docker-compose-file/docker-compose-kafka.yaml b/.ci/docker-compose-file/docker-compose-kafka.yaml
index 89479dee9..7d43ce7d5 100644
--- a/.ci/docker-compose-file/docker-compose-kafka.yaml
+++ b/.ci/docker-compose-file/docker-compose-kafka.yaml
@@ -16,24 +16,6 @@ services:
user: "${DOCKER_USER:-root}"
volumes:
- /tmp/emqx-ci/emqx-shared-secret:/var/lib/secret
- kdc:
- hostname: kdc.emqx.net
- image: ghcr.io/emqx/emqx-builder/5.3-9:1.15.7-26.2.5-3-ubuntu22.04
- container_name: kdc.emqx.net
- expose:
- 88 # kdc
- 749 # admin server
- # ports:
- # - 88:88
- # - 749:749
- networks:
- emqx_bridge:
- volumes:
- /tmp/emqx-ci/emqx-shared-secret:/var/lib/secret
- ./kerberos/krb5.conf:/etc/kdc/krb5.conf
- ./kerberos/krb5.conf:/etc/krb5.conf
- ./kerberos/run.sh:/usr/bin/run.sh
- command: run.sh
kafka_1:
image: wurstmeister/kafka:2.13-2.8.1
# ports:
@@ -76,4 +58,3 @@ services:
- ./kerberos/krb5.conf:/etc/kdc/krb5.conf
- ./kerberos/krb5.conf:/etc/krb5.conf
command: kafka-entrypoint.sh
-
diff --git a/.ci/docker-compose-file/docker-compose-kdc.yaml b/.ci/docker-compose-file/docker-compose-kdc.yaml
new file mode 100644
index 000000000..a6b90546f
--- /dev/null
+++ b/.ci/docker-compose-file/docker-compose-kdc.yaml
@@ -0,0 +1,21 @@
+version: '3.9'
+
+services:
+ kdc:
+ hostname: kdc.emqx.net
+ image: ghcr.io/emqx/emqx-builder/5.3-9:1.15.7-26.2.5-3-ubuntu22.04
+ container_name: kdc.emqx.net
+ expose:
+ - 88 # kdc
+ - 749 # admin server
+ # ports:
+ # - 88:88
+ # - 749:749
+ networks:
+ emqx_bridge:
+ volumes:
+ - /tmp/emqx-ci/emqx-shared-secret:/var/lib/secret
+ - ./kerberos/krb5.conf:/etc/kdc/krb5.conf
+ - ./kerberos/krb5.conf:/etc/krb5.conf
+ - ./kerberos/run.sh:/usr/bin/run.sh
+ command: run.sh
diff --git a/.ci/docker-compose-file/kerberos/krb5.conf b/.ci/docker-compose-file/kerberos/krb5.conf
index 032236888..1af3e75d5 100644
--- a/.ci/docker-compose-file/kerberos/krb5.conf
+++ b/.ci/docker-compose-file/kerberos/krb5.conf
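Review bot: The new file references the `emqx_bridge` network and the `/tmp/emqx-ci/emqx-shared-secret` bind mount without declaring either, so it only works when composed together with the base file that defines the network, and the Kafka broker left in docker-compose-kafka.yaml (presumably the service whose krb5.conf mounts survive in the second hunk) now depends on this separate service for its keytab without anything in either file saying so. A header comment would keep someone from running the file alone or dropping `kdc` from a docker-ct list: `# Stand-alone MIT KDC for CT. Compose it (-f) together with the base file that declares emqx_bridge; kafka_1 and the emqx_auth_kerberos suite read the keytabs that kerberos/run.sh writes into /var/lib/secret.` The service also has no `user:` line, so the KDC runs as root while the neighbouring service in the kafka file uses `${DOCKER_USER:-root}`; if DOCKER_USER is ever non-root the keytabs it drops into the shared mount are presumably unreadable from the CT container, which is worth a note or a matching `user:` line.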
@@ -6,6 +6,7 @@ rdns = false dns_lookup_kdc = no dns_lookup_realm = no
+ default_keytab_name = /var/lib/secret/erlang.keytab
[realms] KDC.EMQX.NET = {
diff --git a/.ci/docker-compose-file/kerberos/run.sh b/.ci/docker-compose-file/kerberos/run.sh
index c9580073f..27e0facbf 100755
--- a/.ci/docker-compose-file/kerberos/run.sh
+++ b/.ci/docker-compose-file/kerberos/run.sh
@@ -6,20 +6,31 @@ echo "Remove old keytabs"
rm -f /var/lib/secret/kafka.keytab > /dev/null 2>&1
rm -f /var/lib/secret/rig.keytab > /dev/null 2>&1
+rm -f /var/lib/secret/erlang.keytab > /dev/null 2>&1
+rm -f /var/lib/secret/krb_authn_cli.keytab > /dev/null 2>&1
+
echo "Create realm"
kdb5_util -P emqx -r KDC.EMQX.NET create -s
echo "Add principals"
-kadmin.local -w password -q "add_principal -randkey kafka/kafka-1.emqx.net@KDC.EMQX.NET"
+kadmin.local -w password -q "add_principal -randkey kafka/kafka-1.emqx.net@KDC.EMQX.NET" > /dev/null
kadmin.local -w password -q "add_principal -randkey rig@KDC.EMQX.NET" > /dev/null
+# For Kerberos Authn
+kadmin.local -w password -q "add_principal -randkey emqx/erlang.emqx.net@KDC.EMQX.NET" > /dev/null
+kadmin.local -w password -q "add_principal -randkey krb_authn_cli@KDC.EMQX.NET" > /dev/null
+
echo "Create keytabs"
kadmin.local -w password -q "ktadd -k /var/lib/secret/kafka.keytab -norandkey kafka/kafka-1.emqx.net@KDC.EMQX.NET " > /dev/null
kadmin.local -w password -q "ktadd -k /var/lib/secret/rig.keytab -norandkey rig@KDC.EMQX.NET " > /dev/null
+# For Kerberos Authn
+kadmin.local -w password -q "ktadd -k /var/lib/secret/erlang.keytab -norandkey emqx/erlang.emqx.net@KDC.EMQX.NET " > /dev/null
+kadmin.local -w password -q "ktadd -k /var/lib/secret/krb_authn_cli.keytab -norandkey krb_authn_cli@KDC.EMQX.NET " > /dev/null
+
echo STARTING KDC
/usr/sbin/krb5kdc -n
diff --git a/apps/emqx_auth_kerberos/docker-ct b/apps/emqx_auth_kerberos/docker-ct
new file mode 100644
index 000000000..93435c161
--- /dev/null
+++ b/apps/emqx_auth_kerberos/docker-ct
@@ -0,0 +1 @@
+kdc
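Review bot: `default_keytab_name` lands in the krb5.conf that docker-compose-kafka.yaml also mounts as /etc/krb5.conf into kafka_1 and that the kdc service mounts twice, so it changes the acceptor default for every container sharing the file, not just the EMQX node under test: any GSSAPI server there that does not name its keytab now falls back to the EMQX service key in erlang.keytab. The suite in this commit passes `/var/lib/secret/erlang.keytab` explicitly as ?SVR_KEYTAB_FILE, so either this line is redundant or the acceptor really relies on it, and the file does not say which. A comment naming the consumer settles it: `# Fallback acceptor keytab for the emqx_auth_kerberos CT suite (emqx/erlang.emqx.net); kdc and kafka_1 share this file and must keep naming their own keytabs explicitly.`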
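Review bot: The two new `ktadd` lines create erlang.keytab and krb_authn_cli.keytab as root inside the kdc container and hand them to the CT container through the shared /var/lib/secret mount, but nothing sets their mode or owner; MIT krb5 typically creates new keytab files 0600, so if the consuming container runs as a non-root `${DOCKER_USER}` the suite is likely to fail with a permission error rather than a Kerberos one. After the new ktadd lines, `chmod 0644 /var/lib/secret/erlang.keytab /var/lib/secret/krb_authn_cli.keytab` is acceptable for a throw-away CI realm, or the requirement that the CT container run as root should be stated. The realm master key (`kdb5_util -P emqx`) and `-w password` are fixed test credentials in the same script, and a one-line comment such as `# CI-only realm: fixed master key and shared keytabs, never reuse this setup outside docker-compose` would make that explicit. The script prologue (shebang, any `set -e`) is above the hunk and not visible here.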
diff --git a/apps/emqx_auth_kerberos/test/emqx_authn_kerberos_SUITE.erl b/apps/emqx_auth_kerberos/test/emqx_authn_kerberos_SUITE.erl
index cfdb70e8f..4df1152e9 100644
--- a/apps/emqx_auth_kerberos/test/emqx_authn_kerberos_SUITE.erl
+++ b/apps/emqx_auth_kerberos/test/emqx_authn_kerberos_SUITE.erl
@@ -16,15 +16,15 @@ -define(PATH, [authentication]).
--define(INVALID_SVR_PRINCIPAL, <<"not-exists/emqx-full.test@KDC.EMQX.NET">>).
+-define(INVALID_SVR_PRINCIPAL, <<"not-exists/erlang.emqx.nett@KDC.EMQX.NET">>).
--define(SVR_HOST, "emqx.emqx.net").
--define(SVR_PRINCIPAL, <<"emqx/emqx.emqx.net@KDC.EMQX.NET">>).
--define(SVR_KEYTAB_FILE, <<"/home/firest/server.keytab">>).
+-define(SVR_HOST, "erlang.emqx.net").
+-define(SVR_PRINCIPAL, <<"emqx/erlang.emqx.net@KDC.EMQX.NET">>).
+-define(SVR_KEYTAB_FILE, <<"/var/lib/secret/erlang.keytab">>).
--define(CLI_NAME, "client").
--define(CLI_PRINCIPAL, <<"client@KDC.EMQX.NET">>).
--define(CLI_KEYTAB_FILE, <<"/home/firest/client.keytab">>).
+-define(CLI_NAME, "krb_authn_cli").
+-define(CLI_PRINCIPAL, <<"krb_authn_cli@KDC.EMQX.NET">>).
+-define(CLI_KEYTAB_FILE, <<"/var/lib/secret/krb_authn_cli.keytab">>).
-define(HOST, "127.0.0.1").
-define(PORT, 1883).
diff --git a/apps/emqx_bridge_kafka/docker-ct b/apps/emqx_bridge_kafka/docker-ct
index 5288ee246..86d175b28 100644
--- a/apps/emqx_bridge_kafka/docker-ct
+++ b/apps/emqx_bridge_kafka/docker-ct
@@ -1,2 +1,3 @@
toxiproxy
+kdc
kafka
diff --git a/scripts/ct/run.sh b/scripts/ct/run.sh
index 4a6bf3e38..512ac2879 100755
--- a/scripts/ct/run.sh
+++ b/scripts/ct/run.sh
@@ -256,6 +256,9 @@ for dep in ${CT_DEPS}; do
couchbase)
FILES+=( '.ci/docker-compose-file/docker-compose-couchbase.yaml' )
;;
+ kdc)
+ FILES+=( '.ci/docker-compose-file/docker-compose-kdc.yaml' )
+ ;;
*)
echo "unknown_ct_dependency $dep"
exit 1
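Review bot: The misspelled host in `?INVALID_SVR_PRINCIPAL` (`erlang.emqx.nett`) reads like an accidental typo rather than a deliberately unknown principal, and a well-meaning edit that "fixes" it would turn the negative test into a passing one; a one-line comment above the define, `%% Intentionally non-existent SPN (note the misspelled host): acceptor setup must fail for it.`, removes the ambiguity. The server principal `emqx/erlang.emqx.net` is host-based, so ?SVR_HOST has to match the hostname of the container running this suite, and the keytab paths are absolute paths into the shared-secret mount that only the docker-compose kdc service populates; the defines say none of this, so a short comment pointing at docker-compose-kdc.yaml and kerberos/run.sh (where these principals and keytabs are created) would save the next person a debugging session when the suite is run outside CI. The rest of the suite that uses these macros lies outside the hunk.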
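Review bot: A docker-ct list that names `kafka` without `kdc` now brings up a broker that mounts kerberos/krb5.conf but presumably never receives the kafka.keytab that kerberos/run.sh writes, and the new `kdc)` case says nothing about that pairing. A comment on the case, `# kdc) writes the GSSAPI keytabs into the shared-secret volume; any suite that lists kafka must list kdc as well`, documents the coupling; alternatively the `kafka)` case (outside this hunk) could append docker-compose-kdc.yaml itself so the dependency cannot be forgotten. The enclosing `for dep in ${CT_DEPS}` loop begins before the hunk.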