1 год назад · 9418ed02bf
--- a/apps/emqx_auth_kerberos/src/emqx_authn_kerberos.erl
+++ b/apps/emqx_auth_kerberos/src/emqx_authn_kerberos.erl
@@ -66,8 +66,16 @@ authenticate(_Credential, _State) ->
 
				 %% Internal functions
			
 
				 %%------------------------------------------------------------------------------
			
 
				 
			
 
				+%% @private Parse server principal to get server FQDN.
			
 
				+%% The principal format is validated by config schema, so it can be assertive here.
			
 
				+get_server_fqdn(Principal) ->
			
 
				+    Pattern = "^([a-zA-Z0-9._-]+)/([a-zA-Z0-9.-]+)@",
			
 
				+    {match, [_, FQDN]} = re:run(Principal, Pattern, [{capture, all_but_first, binary}]),
			
 
				+    FQDN.
			
 
				+
			
 
				 auth_new(Principal) ->
			
 
				-    case sasl_auth:server_new(<<"emqx">>, Principal) of
			
 
				+    ServerFQDN = get_server_fqdn(Principal),
			
 
				+    case sasl_auth:server_new(<<"emqx">>, Principal, ServerFQDN) of
			
 
				         {ok, SaslConn} ->
			
 
				             {ok, SaslConn};
			
 
				         Error ->
			
--- a/apps/emqx_auth_kerberos/src/emqx_authn_kerberos_schema.erl
+++ b/apps/emqx_auth_kerberos/src/emqx_authn_kerberos_schema.erl
@@ -42,12 +42,8 @@ fields(kerberos) ->
 
				             {principal,
			
 
				                 ?HOCON(binary(), #{
			
 
				                     required => true,
			
 
				-                    desc => ?DESC(principal)
			
 
				-                })},
			
 
				-            {server_fqdn,
			
 
				-                ?HOCON(binary(), #{
			
 
				-                    required => true,
			
 
				-                    desc => ?DESC(server_fqdn)
			
 
				+                    desc => ?DESC(principal),
			
 
				+                    validator => fun validate_principal/1
			
 
				                 })},
			
 
				             {keytab_file,
			
 
				                 ?HOCON(binary(), #{
			
@@ -62,3 +58,10 @@ desc(kerberos) ->
 
				     "Settings for Kerberos authentication.";
			
 
				 desc(_) ->
			
 
				     undefined.
			
 
				+
			
 
				+validate_principal(S) ->
			
 
				+    P = <<"^([a-zA-Z0-9\\._-]+)/([a-zA-Z0-9\\.-]+)(?:@([A-Z0-9\\.-]+))?$">>,
			
 
				+    case re:run(S, P) of
			
 
				+        nomatch -> {error, invalid_server_principal_string};
			
 
				+        {match, _} -> ok
			
 
				+    end.
			
--- a/rel/i18n/emqx_authn_kerberos_schema.hocon
+++ b/rel/i18n/emqx_authn_kerberos_schema.hocon
@@ -8,19 +8,6 @@ principal {
 
				         NOTE: The realm in use has to be configured in /etc/krb5.conf in EMQX nodes.~"""
			
 
				 }
			
 
				 
			
 
				-server_fqdn {
			
 
				-    label: "Server FQDN"
			
 
				-    desc: """~
			
 
				-        This is typically the network access point of the service, such as the DNS record of the load balancer endpoint.
			
 
				-        However, it is not strictly necessary for it to be an accessible network address.
			
 
				-        Important considerations include:
			
 
				-
			
 
				-        - It must match the FQDN used in the server's Kerberos principal, e.g., `mqtt/${SERVER_FQDN}@EXAMPLE.COM`.
			
 
				-        - The client must use this exact value to request authentication services.
			
 
				-
			
 
				-        This ensures that the client and server agree on the identity being authenticated.~"""
			
 
				-}
			
 
				-
			
 
				 keytab_file {
			
 
				     label: "Keytab File"
			
 
				     desc: """~