refactor: get server FQDN from principal
parent
af28b52152
commit
9ba0c33256
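--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -66,8 +66,16 @@ authenticate(_Credential, _State) ->
 %% Internal functions
 %%------------------------------------------------------------------------------
 
+%% @private Parse server principal to get server FQDN.
+%% The principal format is validated by config schema, so it can be assertive here.
+get_server_fqdn(Principal) ->
+Pattern = "^([a-zA-Z0-9._-]+)/([a-zA-Z0-9.-]+)@",
+{match, [_, FQDN]} = re:run(Principal, Pattern, [{capture, all_but_first, binary}]),
+FQDN.
+
 auth_new(Principal) ->
-case sasl_auth:server_new(<<"emqx">>, Principal) of
+ServerFQDN = get_server_fqdn(Principal),
+case sasl_auth:server_new(<<"emqx">>, Principal, ServerFQDN) of
 {ok, SaslConn} ->
 {ok, SaslConn};
 Error ->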
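Review bot: `get_server_fqdn/1` only matches a principal that contains `@` (its Pattern ends in a literal `@`), but the `validate_principal/1` added in the `desc(kerberos)` hunk makes the realm optional (`(?:@...)?$`), so a realm-less principal passes schema validation and then fails here with a badmatch, which contradicts the "validated by config schema, so it can be assertive" comment. Either require the realm in the validator or accept end-of-string in place of `@`: `Pattern = "^([a-zA-Z0-9._-]+)/([a-zA-Z0-9.-]+)(?:@|$)",`. Keeping the two regexes in one place (a shared macro, or the schema module exporting the pattern) would stop them drifting apart again. The body of auth_new/1 continues past the end of the hunk.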
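--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -42,12 +42,8 @@ fields(kerberos) ->
 {principal,
 ?HOCON(binary(), #{
 required => true,
-desc => ?DESC(principal)
-})},
-{server_fqdn,
-?HOCON(binary(), #{
-required => true,
-desc => ?DESC(server_fqdn)
+desc => ?DESC(principal),
+validator => fun validate_principal/1
 })},
 {keytab_file,
 ?HOCON(binary(), #{
@@ -62,3 +58,10 @@ desc(kerberos) ->
 "Settings for Kerberos authentication.";
 desc(_) ->
 undefined.
+
+validate_principal(S) ->
+P = <<"^([a-zA-Z0-9\\._-]+)/([a-zA-Z0-9\\.-]+)(?:@([A-Z0-9\\.-]+))?$">>,
+case re:run(S, P) of
+nomatch -> {error, invalid_server_principal_string};
+{match, _} -> ok
+end.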
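Review bot: Dropping `server_fqdn` from `fields(kerberos)` with no deprecation entry means a configuration that still sets it will presumably be rejected as an unknown key on the next load, even though the commit is labelled a refactor; keeping the field with hocon's `deprecated` option (and ignoring its value) would let existing configs keep loading. In `validate_principal/1` the realm group `([A-Z0-9\\.-]+)` accepts only upper-case letters, yet Kerberos realm names are case-sensitive and upper case is a convention rather than a requirement, so a lower- or mixed-case realm would be refused at config time — `[A-Za-z0-9\\.-]` would mirror the host class used earlier in the same pattern. The `\\.` escapes inside the character classes are redundant (a `.` is already literal inside `[...]`) but harmless.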
@ -8,19 +8,6 @@ principal {
NOTE: The realm in use has to be configured in /etc/krb5.conf in EMQX nodes.~"""
NOTE: The realm in use has to be configured in /etc/krb5.conf in EMQX nodes.~"""
}
}
server_fqdn {
label: "Server FQDN"
desc: """~
This is typically the network access point of the service, such as the DNS record of the load balancer endpoint.
However, it is not strictly necessary for it to be an accessible network address.
Important considerations include:
- It must match the FQDN used in the server's Kerberos principal, e.g., `mqtt/${SERVER_FQDN}@EXAMPLE.COM`.
- The client must use this exact value to request authentication services.
This ensures that the client and server agree on the identity being authenticated.~"""
}
keytab_file {
keytab_file {
label: "Keytab File"
label: "Keytab File"
desc: """~
desc: """~