[server] Fix SASL createPrincipal mismatch username and type (#1099)

Author: loserwang1024

fluss-client/src/test/java/com/alibaba/fluss/client/security/acl/FlussAuthorizationITCase.java

@@ -102,19 +102,20 @@ public class FlussAuthorizationITCase {
     @BeforeEach
     protected void setup() throws Exception {
         Configuration conf = FLUSS_CLUSTER_EXTENSION.getClientConfig("CLIENT");
-        conf.set(ConfigOptions.CLIENT_SECURITY_PROTOCOL, "username_password");
+        conf.set(ConfigOptions.CLIENT_SECURITY_PROTOCOL, "sasl");
+        conf.set(ConfigOptions.CLIENT_SASL_MECHANISM, "plain");
         Configuration rootConf = new Configuration(conf);
-        rootConf.setString("client.security.username_password.username", "root");
-        rootConf.setString("client.security.username_password.password", "password");
+        rootConf.setString("client.security.sasl.username", "root");
+        rootConf.setString("client.security.sasl.password", "password");
         rootConn = ConnectionFactory.createConnection(rootConf);
         rootAdmin = rootConn.getAdmin();
 
         guestConf = new Configuration(conf);
-        guestConf.setString("client.security.username_password.username", "guest");
-        guestConf.setString("client.security.username_password.password", "password2");
+        guestConf.setString("client.security.sasl.username", "guest");
+        guestConf.setString("client.security.sasl.password", "password2");
         guestConn = ConnectionFactory.createConnection(guestConf);
         guestAdmin = guestConn.getAdmin();
-        guestPrincipal = new FlussPrincipal("guest", "USER");
+        guestPrincipal = new FlussPrincipal("guest", "User");
 
         // prepare default database and table
         rootAdmin
@@ -164,9 +165,10 @@ void testNoAuthorizer() throws Exception {
         try {
             flussClusterExtension.start();
             Configuration conf = new Configuration(flussClusterExtension.getClientConfig("CLIENT"));
-            conf.set(ConfigOptions.CLIENT_SECURITY_PROTOCOL, "username_password");
-            conf.setString("client.security.username_password.username", "root");
-            conf.setString("client.security.username_password.password", "password");
+            conf.set(ConfigOptions.CLIENT_SECURITY_PROTOCOL, "sasl");
+            conf.set(ConfigOptions.CLIENT_SASL_MECHANISM, "plain");
+            conf.setString("client.security.sasl.username", "root");
+            conf.setString("client.security.sasl.password", "password");
             try (Connection connection = ConnectionFactory.createConnection(conf);
                     Admin admin = connection.getAdmin()) {
                 assertThatThrownBy(
@@ -230,7 +232,7 @@ void testAclOperation() throws Exception {
         assertThat(guestAdmin.listAcls(AclBindingFilter.ANY).get()).hasSize(1);
 
         // test whether the user have authorization to operate create and drop acls.
-        FlussPrincipal user1 = new FlussPrincipal("user1", "USER");
+        FlussPrincipal user1 = new FlussPrincipal("user1", "User");
         AclBinding user1AclBinding =
                 new AclBinding(
                         Resource.table("test_db", "test_table"),
@@ -684,10 +686,14 @@ private static Configuration initConfig() {
         conf.set(ConfigOptions.CLIENT_WRITER_BATCH_SIZE, MemorySize.parse("1kb"));
 
         // set security information.
+        conf.setString(ConfigOptions.SERVER_SECURITY_PROTOCOL_MAP.key(), "CLIENT:sasl");
+        conf.setString("security.sasl.enabled.mechanisms", "plain");
         conf.setString(
-                ConfigOptions.SERVER_SECURITY_PROTOCOL_MAP.key(), "CLIENT:username_password");
-        conf.setString("security.username_password.credentials", "root:password,guest:password2");
-        conf.set(ConfigOptions.SUPER_USERS, "USER:root");
+                "security.sasl.plain.jaas.config",
+                "com.alibaba.fluss.security.auth.sasl.plain.PlainLoginModule required "
+                        + "    user_root=\"password\" "
+                        + "    user_guest=\"password2\";");
+        conf.set(ConfigOptions.SUPER_USERS, "User:root");
         conf.set(ConfigOptions.AUTHORIZER_ENABLED, true);
         return conf;
     }

fluss-common/src/main/java/com/alibaba/fluss/config/ConfigOptions.java

@@ -1092,7 +1092,7 @@ public class ConfigOptions {
                             "Enable metrics for client. When metrics is enabled, the client "
                                     + "will collect metrics and report by the JMX metrics reporter.");
 
-    public static final ConfigOption<String> CLIENT_MECHANISM =
+    public static final ConfigOption<String> CLIENT_SASL_MECHANISM =
             key("client.security.sasl.mechanism")
                     .stringType()
                     .defaultValue("PLAIN")

fluss-common/src/main/java/com/alibaba/fluss/security/auth/sasl/authenticator/SaslClientAuthenticator.java

@@ -29,10 +29,10 @@
 
 import java.util.Map;
 
-import static com.alibaba.fluss.config.ConfigOptions.CLIENT_MECHANISM;
 import static com.alibaba.fluss.config.ConfigOptions.CLIENT_SASL_JAAS_CONFIG;
 import static com.alibaba.fluss.config.ConfigOptions.CLIENT_SASL_JAAS_PASSWORD;
 import static com.alibaba.fluss.config.ConfigOptions.CLIENT_SASL_JAAS_USERNAME;
+import static com.alibaba.fluss.config.ConfigOptions.CLIENT_SASL_MECHANISM;
 import static com.alibaba.fluss.security.auth.sasl.jaas.SaslServerFactory.createSaslClient;
 
 /** An authenticator that uses SASL to authenticate with a server. */
@@ -47,7 +47,7 @@ public class SaslClientAuthenticator implements ClientAuthenticator {
     private LoginManager loginManager;
 
     public SaslClientAuthenticator(Configuration configuration) {
-        this.mechanism = configuration.get(CLIENT_MECHANISM).toUpperCase();
+        this.mechanism = configuration.get(CLIENT_SASL_MECHANISM).toUpperCase();
         String jaasConfigStr = configuration.getString(CLIENT_SASL_JAAS_CONFIG);
         if (jaasConfigStr == null && mechanism.equals(PlainSaslServer.PLAIN_MECHANISM)) {
             String username = configuration.get(CLIENT_SASL_JAAS_USERNAME);

fluss-common/src/main/java/com/alibaba/fluss/security/auth/sasl/authenticator/SaslServerAuthenticator.java

@@ -147,6 +147,6 @@ public boolean isCompleted() {
 
     @Override
     public FlussPrincipal createPrincipal() {
-        return new FlussPrincipal("User", saslServer.getAuthorizationID());
+        return new FlussPrincipal(saslServer.getAuthorizationID(), "User");
     }
 }

fluss-flink/fluss-flink-common/src/test/java/com/alibaba/fluss/flink/catalog/FlinkCatalogFactoryTest.java

@@ -69,9 +69,10 @@ public void testCreateCatalog() {
 
         // test security configs
         Map<String, String> securityMap = new HashMap<>();
-        securityMap.put(ConfigOptions.CLIENT_SECURITY_PROTOCOL.key(), "username_password");
-        securityMap.put("client.security.username_password.username", "root");
-        securityMap.put("client.security.username_password.password", "password");
+        securityMap.put(ConfigOptions.CLIENT_SECURITY_PROTOCOL.key(), "sasl");
+        securityMap.put(ConfigOptions.CLIENT_SASL_MECHANISM.key(), "plain");
+        securityMap.put("client.security.sasl.username", "root");
+        securityMap.put("client.security.sasl.password", "password");
 
         options.putAll(securityMap);
         FlinkCatalog actualCatalog2 =

fluss-flink/fluss-flink-common/src/test/java/com/alibaba/fluss/flink/catalog/FlinkCatalogITCase.java

@@ -591,9 +591,13 @@ void testCreateTableWithUnknownOptions() {
     void testAuthentication() throws Exception {
         String clientListenerName = "CLIENT";
         Configuration serverConfig = new Configuration();
+        serverConfig.setString(ConfigOptions.SERVER_SECURITY_PROTOCOL_MAP.key(), "CLIENT:sasl");
+        serverConfig.setString("security.sasl.enabled.mechanisms", "plain");
         serverConfig.setString(
-                ConfigOptions.SERVER_SECURITY_PROTOCOL_MAP.key(), "CLIENT:username_password");
-        serverConfig.setString("security.username_password.credentials", "root:password");
+                "security.sasl.plain.jaas.config",
+                "com.alibaba.fluss.security.auth.sasl.plain.PlainLoginModule required "
+                        + "    user_root=\"password\" "
+                        + "    user_guest=\"password2\";");
         serverConfig.setString(ConfigOptions.SUPER_USERS.key(), "USER:root");
         FlussClusterExtension flussClusterExtension =
                 FlussClusterExtension.builder()
@@ -629,9 +633,10 @@ void testAuthentication() throws Exception {
                             "The connection has not completed authentication yet. This may be caused by a missing or incorrect configuration of 'client.security.protocol' on the client side.");
 
             Map<String, String> clientConfig = new HashMap<>();
-            clientConfig.put(ConfigOptions.CLIENT_SECURITY_PROTOCOL.key(), "username_password");
-            clientConfig.put("client.security.username_password.username", "root");
-            clientConfig.put("client.security.username_password.password", "password");
+            clientConfig.put(ConfigOptions.CLIENT_SECURITY_PROTOCOL.key(), "sasl");
+            clientConfig.put(ConfigOptions.CLIENT_SASL_MECHANISM.key(), "plain");
+            clientConfig.put("client.security.sasl.username", "root");
+            clientConfig.put("client.security.sasl.password", "password");
             authenticateCatalog =
                     new FlinkCatalog(
                             CATALOG_NAME,

fluss-flink/fluss-flink-common/src/test/java/com/alibaba/fluss/flink/procedure/FlinkProcedureITCase.java

@@ -75,9 +75,10 @@ void before() throws ExecutionException, InterruptedException {
                         "create catalog %s with ( \n"
                                 + "'type' = 'fluss', \n"
                                 + "'bootstrap.servers' = '%s', \n"
-                                + "'client.security.protocol' = 'username_password', \n"
-                                + "'client.security.username_password.username' = 'root', \n"
-                                + "'client.security.username_password.password' = 'password' \n"
+                                + "'client.security.protocol' = 'sasl', \n"
+                                + "'client.security.sasl.mechanism' = 'PLAIN', \n"
+                                + "'client.security.sasl.username' = 'root', \n"
+                                + "'client.security.sasl.password' = 'password' \n"
                                 + ")",
                         CATALOG_NAME, bootstrapServers);
         tEnv.executeSql(catalogDDL).await();
@@ -271,10 +272,14 @@ private static Configuration initConfig() {
         conf.set(ConfigOptions.CLIENT_WRITER_BATCH_SIZE, MemorySize.parse("1kb"));
 
         // set security information.
+        conf.setString(ConfigOptions.SERVER_SECURITY_PROTOCOL_MAP.key(), "CLIENT:sasl");
+        conf.setString("security.sasl.enabled.mechanisms", "plain");
         conf.setString(
-                ConfigOptions.SERVER_SECURITY_PROTOCOL_MAP.key(), "CLIENT:username_password");
-        conf.setString("security.username_password.credentials", "root:password,guest:password2");
-        conf.set(ConfigOptions.SUPER_USERS, "USER:root");
+                "security.sasl.plain.jaas.config",
+                "com.alibaba.fluss.security.auth.sasl.plain.PlainLoginModule required "
+                        + "    user_root=\"password\" "
+                        + "    user_guest=\"password2\";");
+        conf.set(ConfigOptions.SUPER_USERS, "User:root");
         conf.set(ConfigOptions.AUTHORIZER_ENABLED, true);
         return conf;
     }

fluss-flink/fluss-flink-common/src/test/java/com/alibaba/fluss/flink/security/acl/FlinkAuthorizationITCase.java

@@ -72,7 +72,7 @@ abstract class FlinkAuthorizationITCase extends AbstractTestBase {
     static final String CATALOG_NAME = "testcatalog";
     static final String ADMIN_CATALOG_NAME = "test_admin_catalog";
     static final String DEFAULT_DB = FlinkCatalogOptions.DEFAULT_DATABASE.defaultValue();
-    static FlussPrincipal guest = new FlussPrincipal("guest", "USER");
+    static FlussPrincipal guest = new FlussPrincipal("guest", "User");
     static Configuration clientConf;
 
     private TableEnvironment tEnv;
@@ -81,7 +81,6 @@ abstract class FlinkAuthorizationITCase extends AbstractTestBase {
     @BeforeAll
     static void beforeAll() {
         clientConf = FLUSS_CLUSTER_EXTENSION.getClientConfig("CLIENT");
-        clientConf.set(ConfigOptions.CLIENT_SECURITY_PROTOCOL, "username_password");
     }
 
     @BeforeEach
@@ -96,9 +95,10 @@ void before() throws ExecutionException, InterruptedException {
                         "create catalog %s with ( \n"
                                 + "'type' = 'fluss', \n"
                                 + "'bootstrap.servers' = '%s', \n"
-                                + "'client.security.protocol' = 'username_password', \n"
-                                + "'client.security.username_password.username' = 'guest', \n"
-                                + "'client.security.username_password.password' = 'password2' \n"
+                                + "'client.security.protocol' = 'sasl', \n"
+                                + "'client.security.sasl.mechanism' = 'PLAIN', \n"
+                                + "'client.security.sasl.username' = 'guest', \n"
+                                + "'client.security.sasl.password' = 'password2' \n"
                                 + ")",
                         CATALOG_NAME, bootstrapServers);
         tEnv.executeSql(createCatalogDDL);
@@ -110,9 +110,10 @@ void before() throws ExecutionException, InterruptedException {
                         "create catalog %s with ( \n"
                                 + "'type' = 'fluss', \n"
                                 + "'bootstrap.servers' = '%s', \n"
-                                + "'client.security.protocol' = 'username_password', \n"
-                                + "'client.security.username_password.username' = 'root', \n"
-                                + "'client.security.username_password.password' = 'password' \n"
+                                + "'client.security.protocol' = 'sasl', \n"
+                                + "'client.security.sasl.mechanism' = 'PLAIN', \n"
+                                + "'client.security.sasl.username' = 'root', \n"
+                                + "'client.security.sasl.password' = 'password' \n"
                                 + ")",
                         ADMIN_CATALOG_NAME, bootstrapServers);
         tEnv.executeSql(createAminCatalogDDL).await();
@@ -421,10 +422,14 @@ private static Configuration initConfig() {
         conf.set(ConfigOptions.CLIENT_WRITER_BATCH_SIZE, MemorySize.parse("1kb"));
 
         // set security information.
+        conf.setString(ConfigOptions.SERVER_SECURITY_PROTOCOL_MAP.key(), "CLIENT:sasl");
+        conf.setString("security.sasl.enabled.mechanisms", "plain");
         conf.setString(
-                ConfigOptions.SERVER_SECURITY_PROTOCOL_MAP.key(), "CLIENT:username_password");
-        conf.setString("security.username_password.credentials", "root:password,guest:password2");
-        conf.set(ConfigOptions.SUPER_USERS, "USER:root");
+                "security.sasl.plain.jaas.config",
+                "com.alibaba.fluss.security.auth.sasl.plain.PlainLoginModule required "
+                        + "    user_root=\"password\" "
+                        + "    user_guest=\"password2\";");
+        conf.set(ConfigOptions.SUPER_USERS, "User:root");
         conf.set(ConfigOptions.AUTHORIZER_ENABLED, true);
         return conf;
     }