feat: extend Kerby KDC Testcontainers with support for multiple principals

- Added methods to configure additional principals and service principals in the `KerbyKdcContainer`.
- Enhanced E2E tests to validate service tickets and additional user authentication.
- Updated documentation to highlight new support for multiple principals and keytab handling.
- Introduced `log4j.properties` for improved logging during tests.

Author: CoderYellow

kerby-testcontainers/README.md

@@ -46,12 +46,24 @@ Use it from a test:
 try (KerbyKdcContainer kdc = new KerbyKdcContainer()
         .withRealm("EXAMPLE.COM")
         .withClientPrincipal("alice", "alice-secret")
-        .withServicePrincipal("HTTP/service.example.com")) {
+        .withServicePrincipal("HTTP/service.example.com")
+        .withServicePrincipals(
+            "HTTP/api.example.com@EXAMPLE.COM",
+            "hive/hiveserver2.example.com@EXAMPLE.COM",
+            "kafka/broker1.example.com@EXAMPLE.COM")
+        .withPrincipal("app_user@EXAMPLE.COM", "app-user-secret")) {
     kdc.start();
     String krb5Conf = kdc.getKrb5Conf();
 }
 ```
 
+`withServicePrincipals(...)` adds service principals and exports a keytab for
+each principal under `/var/lib/kerby/keytabs`. Use
+`copyServiceKeytabTo(principal, targetPath)` to copy one of those generated
+keytabs to the host test filesystem. Use
+`withAdditionalServicePrincipal(principal, keytabPath)` when a specific
+container-side keytab path is required.
+
 The container supports these environment variables:
 
 `KERBY_REALM`, `KERBY_KDC_HOST`, `KERBY_KDC_BIND_HOST`,

kerby-testcontainers/src/main/java/org/apache/kerby/testcontainers/KerbyKdcContainer.java

@@ -24,6 +24,8 @@
 
 import java.nio.file.Path;
 import java.time.Duration;
+import java.util.LinkedHashMap;
+import java.util.Map;
 
 /**
  * Testcontainers wrapper for the Kerby KDC Docker image.
@@ -36,13 +38,16 @@ public class KerbyKdcContainer extends GenericContainer<KerbyKdcContainer> {
     public static final String DEFAULT_CLIENT_PRINCIPAL = "client";
     public static final String DEFAULT_CLIENT_PASSWORD = "client";
     public static final String DEFAULT_SERVICE_PRINCIPAL = "HTTP/localhost";
+    public static final String DEFAULT_KEYTAB_DIR = "/var/lib/kerby/keytabs";
     public static final String DEFAULT_SERVICE_KEYTAB = "/var/lib/kerby/keytabs/service.keytab";
 
     private String realm = DEFAULT_REALM;
     private String clientPrincipal = DEFAULT_CLIENT_PRINCIPAL;
     private String clientPassword = DEFAULT_CLIENT_PASSWORD;
     private String servicePrincipal = DEFAULT_SERVICE_PRINCIPAL;
     private String serviceKeytab = DEFAULT_SERVICE_KEYTAB;
+    private final Map<String, String> extraPrincipals = new LinkedHashMap<>();
+    private final Map<String, String> extraServicePrincipals = new LinkedHashMap<>();
 
     public KerbyKdcContainer() {
         this(DEFAULT_IMAGE_NAME);
@@ -82,6 +87,33 @@ public KerbyKdcContainer withServicePrincipal(String principal, String keytabPat
         return applyConfiguration();
     }
 
+    public KerbyKdcContainer withPrincipal(String principal, String password) {
+        extraPrincipals.put(principal, password);
+        return applyConfiguration();
+    }
+
+    public KerbyKdcContainer withPrincipals(Map<String, String> principals) {
+        extraPrincipals.putAll(principals);
+        return applyConfiguration();
+    }
+
+    public KerbyKdcContainer withServicePrincipals(String... principals) {
+        for (String principal : principals) {
+            extraServicePrincipals.put(principal, null);
+        }
+        return applyConfiguration();
+    }
+
+    public KerbyKdcContainer withAdditionalServicePrincipal(String principal) {
+        extraServicePrincipals.put(principal, null);
+        return applyConfiguration();
+    }
+
+    public KerbyKdcContainer withAdditionalServicePrincipal(String principal, String keytabPath) {
+        extraServicePrincipals.put(principal, keytabPath);
+        return applyConfiguration();
+    }
+
     public KerbyKdcContainer withExtraPrincipals(String principals) {
         withEnv("KERBY_EXTRA_PRINCIPALS", principals);
         return this;
@@ -112,10 +144,22 @@ public String getServiceKeytab() {
         return serviceKeytab;
     }
 
+    public String getServiceKeytab(String principal) {
+        String keytab = extraServicePrincipals.get(principal);
+        if (keytab != null) {
+            return keytab;
+        }
+        return defaultKeytabPath(principal);
+    }
+
     public void copyServiceKeytabTo(Path target) {
         copyFileFromContainer(serviceKeytab, target.toAbsolutePath().toString());
     }
 
+    public void copyServiceKeytabTo(String principal, Path target) {
+        copyFileFromContainer(getServiceKeytab(principal), target.toAbsolutePath().toString());
+    }
+
     public String getKdcHost() {
         return getHost();
     }
@@ -145,6 +189,8 @@ private KerbyKdcContainer applyConfiguration() {
         withEnv("KERBY_CLIENT_PASSWORD", clientPassword);
         withEnv("KERBY_SERVICE_PRINCIPAL", servicePrincipal);
         withEnv("KERBY_SERVICE_KEYTAB", serviceKeytab);
+        withEnv("KERBY_EXTRA_PRINCIPALS", joinPasswordPrincipals());
+        withEnv("KERBY_EXTRA_SERVICE_PRINCIPALS", joinServicePrincipals());
         return this;
     }
 
@@ -154,4 +200,36 @@ private String qualifyPrincipal(String principal) {
         }
         return principal + "@" + realm;
     }
+
+    private String joinPasswordPrincipals() {
+        StringBuilder value = new StringBuilder();
+        for (Map.Entry<String, String> entry : extraPrincipals.entrySet()) {
+            appendSeparator(value);
+            value.append(entry.getKey()).append(':').append(entry.getValue());
+        }
+        return value.toString();
+    }
+
+    private String joinServicePrincipals() {
+        StringBuilder value = new StringBuilder();
+        for (Map.Entry<String, String> entry : extraServicePrincipals.entrySet()) {
+            appendSeparator(value);
+            value.append(entry.getKey());
+            if (entry.getValue() != null) {
+                value.append(':').append(entry.getValue());
+            }
+        }
+        return value.toString();
+    }
+
+    private void appendSeparator(StringBuilder value) {
+        if (value.length() > 0) {
+            value.append(',');
+        }
+    }
+
+    private String defaultKeytabPath(String principal) {
+        return DEFAULT_KEYTAB_DIR + "/" + qualifyPrincipal(principal)
+            .replace('/', '_').replace('@', '_') + ".keytab";
+    }
 }

kerby-testcontainers/src/test/java/org/apache/kerby/testcontainers/KerbyKdcContainerE2ETest.java

@@ -65,6 +65,11 @@ public class KerbyKdcContainerE2ETest {
     private static final String CLIENT = "alice";
     private static final String CLIENT_PASSWORD = "alice-secret";
     private static final String SERVICE = "HTTP/localhost";
+    private static final String API_SERVICE = "HTTP/api.example.com@EXAMPLE.COM";
+    private static final String HIVE_SERVICE = "hive/hiveserver2.example.com@EXAMPLE.COM";
+    private static final String KAFKA_SERVICE = "kafka/broker1.example.com@EXAMPLE.COM";
+    private static final String APP_USER = "app_user@EXAMPLE.COM";
+    private static final String APP_USER_PASSWORD = "app-user-secret";
     private static final String MESSAGE = "kerby-testcontainers-e2e";
 
     @TempDir
@@ -90,21 +95,31 @@ public void clientObtainsServiceTicketAndAuthenticatesToService() throws Excepti
         try (KerbyKdcContainer kdc = new KerbyKdcContainer(imageName)
                 .withRealm("EXAMPLE.COM")
                 .withClientPrincipal(CLIENT, CLIENT_PASSWORD)
-                .withServicePrincipal(SERVICE)) {
+                .withServicePrincipal(SERVICE)
+                .withServicePrincipals(API_SERVICE, HIVE_SERVICE, KAFKA_SERVICE)
+                .withPrincipal(APP_USER, APP_USER_PASSWORD)) {
             kdc.start();
 
             configureJavaKerberos(kdc);
 
             Path serviceKeytab = testDir.resolve("service.keytab");
+            Path hiveKeytab = testDir.resolve("hive.keytab");
             Path ticketCache = testDir.resolve("alice.ccache");
             kdc.copyServiceKeytabTo(serviceKeytab);
+            kdc.copyServiceKeytabTo(HIVE_SERVICE, hiveKeytab);
 
             KrbClient client = createKerbyClient(kdc);
             TgtTicket tgt = client.requestTgt(kdc.getClientPrincipal(), kdc.getClientPassword());
             assertThat(tgt).isNotNull();
 
             SgtTicket sgt = client.requestSgt(tgt, kdc.getServicePrincipal());
             assertThat(sgt).isNotNull();
+            assertServiceTicket(client, tgt, API_SERVICE);
+            assertServiceTicket(client, tgt, HIVE_SERVICE);
+            assertServiceTicket(client, tgt, KAFKA_SERVICE);
+
+            TgtTicket appUserTgt = client.requestTgt(APP_USER, APP_USER_PASSWORD);
+            assertThat(appUserTgt).isNotNull();
 
             client.storeTicket(tgt, ticketCache.toFile());
 
@@ -116,6 +131,12 @@ public void clientObtainsServiceTicketAndAuthenticatesToService() throws Excepti
         }
     }
 
+    private void assertServiceTicket(KrbClient client, TgtTicket tgt, String servicePrincipal)
+            throws Exception {
+        SgtTicket sgt = client.requestSgt(tgt, servicePrincipal);
+        assertThat(sgt).isNotNull();
+    }
+
     private void assumeDockerAvailable() {
         try {
             DockerClientFactory.instance().client();

kerby-testcontainers/src/test/resources/log4j.properties

@@ -0,0 +1,8 @@
+log4j.rootLogger=INFO, console
+log4j.appender.console=org.apache.log4j.ConsoleAppender
+log4j.appender.console.Target=System.err
+log4j.appender.console.layout=org.apache.log4j.PatternLayout
+log4j.appender.console.layout.ConversionPattern=%d{HH:mm:ss.SSS} %-5p [%t] %c - %m%n
+
+log4j.logger.org.testcontainers=INFO
+log4j.logger.com.github.dockerjava=WARN