Ansieng 4748 jolokia ep

molecule/mtls-debian12/molecule.yml

@@ -201,5 +201,11 @@ provisioner:
         jolokia_user: user1
         jolokia_password: pass
 
+        # Enable Jolokia access control for security
+        jolokia_access_control_enabled: true
+        kafka_controller_jolokia_access_control_enabled: true
+        kafka_controller_jolokia_access_control_custom_file_enabled: true
+        kafka_controller_jolokia_access_control_file_src_path: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/roles/kafka_controller/templates/jolokia_migration_temp.xml.j2"
+
         confluent_cli_download_enabled: true
-        custom_java_path: /opt/jdk17    # Use custom java 17
+        custom_java_path: /opt/jdk17 # Use custom java 17

molecule/zookeeper-digest-rhel/molecule.yml

@@ -125,3 +125,14 @@ provisioner:
         sasl_protocol: plain
 
         zookeeper_chroot: "/kafka"
+        # Add these to the group_vars/all section:
+        jolokia_enabled: true
+        jolokia_auth_mode: basic
+        jolokia_user: user1
+        jolokia_password: pass
+
+        # Configure Jolokia access control
+        kafka_controller_jolokia_enabled: true
+        kafka_controller_jolokia_access_control_enabled: true
+        kafka_controller_jolokia_access_control_custom_file_enabled: true
+        kafka_controller_jolokia_access_control_file_src_path: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/roles/kafka_controller/templates/jolokia_migration_temp.xml.j2"

playbooks/ZKtoKraftMigration.yml

@@ -5,11 +5,114 @@
 - import_playbook: kafka_controller.yml
   tags: migrate_to_dual_write
 
+#todo:should check if we can hit the jolokia endppint or not, if no the fail and print the error message, continue on yes
+
+- name: Validate Jolokia Endpoint Access
+  hosts: kafka_controller
+  gather_facts: false
+  tasks:
+    - import_role:
+        name: variables
+
+    - name: Test Jolokia Endpoint Access (No Auth)
+      uri:
+        url: "{{ 'https' if kafka_controller_jolokia_ssl_enabled|bool else 'http' }}://localhost:{{kafka_controller_jolokia_port}}/jolokia/list"
+        validate_certs: false
+        return_content: true
+        status_code: 200
+      register: jolokia_no_auth_result
+      failed_when: false
+
+    - name: Test Jolokia Endpoint Access (Basic Auth)
+      uri:
+        url: "{{ 'https' if kafka_controller_jolokia_ssl_enabled|bool else 'http' }}://localhost:{{kafka_controller_jolokia_port}}/jolokia/list"
+        validate_certs: false
+        return_content: true
+        force_basic_auth: true
+        url_username: "{{ jolokia_user }}"
+        url_password: "{{ jolokia_password }}"
+        status_code: 200
+      register: jolokia_basic_auth_result
+      failed_when: false
+
+    - name: Check if Either Auth Method Succeeded
+      set_fact:
+        jolokia_accessible: >-
+          {{
+            (jolokia_no_auth_result.status is defined and jolokia_no_auth_result.status == 200) or
+            (jolokia_basic_auth_result.status is defined and jolokia_basic_auth_result.status == 200)
+          }}
+
+    - name: Fail if Both Auth Methods Failed
+      fail:
+        msg: |
+          ERROR: Unable to access Jolokia endpoint with either authentication method!
+
+          Endpoint: {{ 'https' if kafka_controller_jolokia_ssl_enabled|bool else 'http' }}://localhost:{{kafka_controller_jolokia_port}}/jolokia/list
+
+          No Auth Result: {{ jolokia_no_auth_result.status | default('Connection Failed') }}
+          Basic Auth Result: {{ jolokia_basic_auth_result.status | default('Connection Failed') }}
+
+          Possible causes:
+          1. Jolokia access control XML file is blocking access
+          2. Jolokia service is not running properly
+          3. Both authentication methods are misconfigured
+          4. SSL/TLS configuration issues
+
+          Please check your jolokia_access_control_custom_file_enabled and
+          jolokia_access_control_file_src_path configuration.
+      when: not jolokia_accessible|bool
+
+    - name: Success - Jolokia Endpoint is Accessible
+      debug:
+        msg: |
+          ✅ SUCCESS: Jolokia endpoint is accessible and ready for ZK to KRaft migration
+          Endpoint: {{ 'https' if kafka_controller_jolokia_ssl_enabled|bool else 'http' }}://localhost:{{kafka_controller_jolokia_port}}/jolokia/list
+          No Auth: {{ jolokia_no_auth_result.status | default('Failed') }}
+          Basic Auth: {{ jolokia_basic_auth_result.status | default('Failed') }}
+          At least one method succeeded!
+      when: jolokia_accessible|bool
+
 - import_playbook: kafka_broker.yml
   vars:
     deployment_strategy: 'serial'
   tags: migrate_to_dual_write
 
+- name: Deploy Temporary Migration Jolokia Policy
+  hosts: kafka_controller
+  gather_facts: false
+  tasks:
+    - import_role:
+        name: variables
+
+    - name: Backup Current Jolokia Access Control XML (if exists)
+      copy:
+        src: "{{ kafka_controller_jolokia_access_control_dest_path }}"
+        dest: "{{ kafka_controller_jolokia_access_control_dest_path }}.backup"
+        remote_src: true
+      failed_when: false
+      when: kafka_controller_jolokia_access_control_enabled|bool
+
+    - name: Deploy Temporary Migration-Specific Jolokia Access Control XML
+      template:
+        src: jolokia_migration_temp.xml.j2
+        dest: "{{ kafka_controller_jolokia_access_control_dest_path }}"
+        mode: '640'
+        owner: "{{ kafka_controller_user }}"
+        group: "{{ kafka_controller_group }}"
+      when: kafka_controller_jolokia_access_control_enabled|bool
+      notify: restart Kafka Controller
+
+    - meta: flush_handlers
+
+    - name: Wait for Kafka Controller to restart with new policy
+      wait_for:
+        port: "{{ kafka_controller_jolokia_port }}"
+        host: "{{ inventory_hostname }}"
+        delay: 10
+        timeout: 300
+      when: kafka_controller_jolokia_access_control_enabled|bool
+
 - name: Wait for migration to complete
   hosts: kafka_controller
   tags: migrate_to_dual_write
@@ -162,6 +265,42 @@
       register: jolokia_output
       when: jolokia_auth_mode == "basic"
 
+- name: Restore Original Jolokia Policy
+  hosts: kafka_controller
+  gather_facts: false
+  tasks:
+    - import_role:
+        name: variables
+
+    - name: Restore Original Jolokia Access Control XML
+      copy:
+        src: "{{ kafka_controller_jolokia_access_control_dest_path }}.backup"
+        dest: "{{ kafka_controller_jolokia_access_control_dest_path }}"
+        remote_src: true
+        mode: '640'
+        owner: "{{ kafka_controller_user }}"
+        group: "{{ kafka_controller_group }}"
+      when:
+        - kafka_controller_jolokia_access_control_enabled|bool
+      failed_when: false
+      notify: restart Kafka Controller
+
+    - name: Remove Backup File
+      file:
+        path: "{{ kafka_controller_jolokia_access_control_dest_path }}.backup"
+        state: absent
+      when: kafka_controller_jolokia_access_control_enabled|bool
+
+    - meta: flush_handlers
+
+    - name: Wait for Kafka Controller to restart with restored policy
+      wait_for:
+        port: "{{ kafka_controller_jolokia_port }}"
+        host: "{{ inventory_hostname }}"
+        delay: 10
+        timeout: 300
+      when: kafka_controller_jolokia_access_control_enabled|bool
+
 - name: Finish Migration
   hosts: kafka_controller
   tags: migrate_to_kraft

roles/common/tasks/config_validations.yml

@@ -334,3 +334,80 @@
       - not (control_center_next_gen_dependency_alertmanager_ssl_enabled | bool and control_center_next_gen_dependency_alertmanager_mtls_enabled | bool and control_center_next_gen_dependency_alertmanager_basic_auth_enabled | bool)
     fail_msg: "Alertmanager SSL, mTLS, and Basic Auth cannot all be enabled simultaneously."
   tags: validate
+
+# Jolokia Access Control Validations
+- name: Validate Jolokia Access Control Configuration - Kafka Controller
+  fail:
+    msg: |
+      Security requirement: When Jolokia is enabled and access control is enabled,
+      you must set kafka_controller_jolokia_access_control_custom_file_enabled to either:
+      - true (provide your own secure XML file via kafka_controller_jolokia_access_control_file_src_path)
+      - false (use our secure default XML)
+
+      This prevents lateral movement attacks via exposed Jolokia endpoints.
+  when:
+    - "'kafka_controller' in group_names"
+    - kafka_controller_jolokia_enabled|bool
+    - kafka_controller_jolokia_access_control_enabled|bool
+    - kafka_controller_jolokia_access_control_custom_file_enabled is not defined or kafka_controller_jolokia_access_control_custom_file_enabled is none
+  tags:
+    - validate
+    - validate_jolokia
+
+- name: Validate Custom Jolokia Access Control File Path - Kafka Controller
+  fail:
+    msg: |
+      When kafka_controller_jolokia_access_control_custom_file_enabled is true,
+      you must provide kafka_controller_jolokia_access_control_file_src_path with a valid file path.
+  when:
+    - "'kafka_controller' in group_names"
+    - kafka_controller_jolokia_enabled|bool
+    - kafka_controller_jolokia_access_control_enabled|bool
+    - kafka_controller_jolokia_access_control_custom_file_enabled|bool
+    - kafka_controller_jolokia_access_control_file_src_path == ""
+  tags:
+    - validate
+    - validate_jolokia
+
+- name: Validate Custom Jolokia Access Control File Exists - Kafka Controller
+  stat:
+    path: "{{ kafka_controller_jolokia_access_control_file_src_path }}"
+  delegate_to: localhost
+  register: kafka_controller_custom_jolokia_file_check
+  when:
+    - "'kafka_controller' in group_names"
+    - kafka_controller_jolokia_enabled|bool
+    - kafka_controller_jolokia_access_control_enabled|bool
+    - kafka_controller_jolokia_access_control_custom_file_enabled|bool
+    - kafka_controller_jolokia_access_control_file_src_path != ""
+  tags:
+    - validate
+    - validate_jolokia
+
+- name: Fail if Custom Jolokia Access Control File Does Not Exist - Kafka Controller
+  fail:
+    msg: |
+      Custom Jolokia access control file not found at: {{ kafka_controller_jolokia_access_control_file_src_path }}
+      Please ensure the file exists on the Ansible controller.
+  when:
+    - "'kafka_controller' in group_names"
+    - kafka_controller_jolokia_enabled|bool
+    - kafka_controller_jolokia_access_control_enabled|bool
+    - kafka_controller_jolokia_access_control_custom_file_enabled|bool
+    - kafka_controller_jolokia_access_control_file_src_path != ""
+    - not kafka_controller_custom_jolokia_file_check.stat.exists
+  tags:
+    - validate
+    - validate_jolokia
+
+- name: Set Default Jolokia Access Control File Path - Kafka Controller
+  set_fact:
+    kafka_controller_jolokia_access_control_file_src_path: "roles/kafka_controller/templates/jolokia_access_control_default.xml"
+  when:
+    - "'kafka_controller' in group_names"
+    - kafka_controller_jolokia_enabled|bool
+    - kafka_controller_jolokia_access_control_enabled|bool
+    - not kafka_controller_jolokia_access_control_custom_file_enabled|bool
+  tags:
+    - validate
+    - validate_jolokia

roles/kafka_controller/templates/jolokia_access_control_default.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Default Jolokia Access Control Policy
+  This policy allows access only to the endpoint required for "Wait for Metadata Migration" task
+  and should be replaced with a more restrictive policy after migration completes
+-->
+<restrict>
+  <!-- Allow access to migration state endpoint - Required for "Wait for Metadata Migration" task -->
+  <mbean>
+    <n>kafka.controller:type=KafkaController,name=ZkMigrationState</n>
+    <operation>read</operation>
+  </mbean>
+
+  <!-- Allow jolokia read operations -->
+  <command>read</command>
+
+  <!-- Default deny for everything else -->
+  <default>deny</default>
+</restrict>

roles/kafka_controller/templates/kafka_jolokia.properties.j2

@@ -12,3 +12,6 @@ authMode=basic
 user={{kafka_controller_jolokia_user}}
 password={{kafka_controller_jolokia_password}}
 {% endif %}
+{% if kafka_controller_jolokia_access_control_enabled|bool %}
+policy={{ lookup('file', kafka_controller_jolokia_access_control_file_src_path) | replace('\n', '') | replace(' ', '') }}
+{% endif %}

roles/variables/defaults/main.yml

@@ -54,6 +54,15 @@ jolokia_user: admin
 ### Password for Jolokia Agent when using Basic Auth
 jolokia_password: password
 
+### Boolean to enable Jolokia Access Control for security. Defaults to same as jolokia_enabled
+jolokia_access_control_enabled: "{{ jolokia_enabled }}"
+
+### Boolean to use custom Jolokia access control file. Must be set to true or false when Jolokia access control is enabled. Set to null to enforce explicit choice.
+jolokia_access_control_custom_file_enabled: null
+
+### Full path on Ansible Controller to custom Jolokia access control XML file. Required when jolokia_access_control_custom_file_enabled is true
+jolokia_access_control_file_src_path: ""
+
 ### To copy from Ansible control host or download
 jmxexporter_url_remote: true
 
@@ -549,6 +558,17 @@ kafka_controller_jolokia_user: "{{jolokia_user}}"
 ### Password for Kafka's Jolokia Agent when using Basic Auth
 kafka_controller_jolokia_password: "{{jolokia_password}}"
 
+### Boolean to enable Jolokia Access Control for Kafka Controller. Inherits from global setting
+kafka_controller_jolokia_access_control_enabled: "{{ jolokia_access_control_enabled }}"
+
+### Boolean to use custom Jolokia access control file for Kafka Controller. Inherits from global setting
+kafka_controller_jolokia_access_control_custom_file_enabled: "{{ jolokia_access_control_custom_file_enabled }}"
+
+### Full path on Ansible Controller to custom Jolokia access control XML file for Kafka Controller. Inherits from global setting
+kafka_controller_jolokia_access_control_file_src_path: "{{ jolokia_access_control_file_src_path }}"
+
+
+
 # TODO move these to vars, should not be customizable, do they even belong w the shared vars
 kafka_controller_jolokia_java_arg_ssl_addon: ",keystore={{kafka_controller_keystore_path}},keystorePassword={{kafka_controller_keystore_storepass}},protocol=https"
 kafka_controller_jolokia_urp_url: "{{ 'https' if kafka_controller_jolokia_ssl_enabled|bool else 'http' }}://{{ hostvars[inventory_hostname]|confluent.platform.resolve_and_format_hostname}}:{{kafka_controller_jolokia_port}}/jolokia/read/kafka.server:type=ReplicaManager,name=UnderReplicatedPartitions"