[ https://issues.apache.org/jira/browse/KAFKA-9241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rajini Sivaram resolved KAFKA-9241.
-----------------------------------
    Fix Version/s: 2.5.0
         Reviewer: Rajini Sivaram
       Resolution: Fixed

> SASL Clients are not forced to re-authenticate if they don't leverage SaslAuthenticateRequest
> ---------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-9241
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9241
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 2.2.0, 2.3.0, 2.2.1
>            Reporter: Ron Dagostino
>            Assignee: Ron Dagostino
>            Priority: Major
>              Labels: security, security-issue
>             Fix For: 2.5.0
>
>
> Brokers are supposed to force SASL clients to re-authenticate (and kill such connections in the absence of a timely and successful re-authentication) when SASL Re-Authentication [(KIP-368)|https://cwiki.apache.org/confluence/display/KAFKA/KIP-368%3A+Allow+SASL+Connections+to+Periodically+Re-Authenticate] is enabled via a positive `connections.max.reauth.ms` configuration value. There is a flaw in the logic that causes connections to not be killed in the absence of a timely and successful re-authentication _if the client does not leverage the SaslAuthenticateRequest API_ (which was defined in [KIP-152|https://cwiki.apache.org/confluence/display/KAFKA/KIP-152+-+Improve+diagnostics+for+SASL+authentication+failures]).

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
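The broker-side behaviour the report says KIP-368 requires (a deadline derived from a positive `connections.max.reauth.ms`, a successful re-authentication extending it, and the connection being killed otherwise) as an added Python model. This is not code from the issue or from Kafka; the `SaslSession` class, the function names, the `credential_lifetime_ms` parameter and the `legacy_path` flag are assumptions made for this illustration. The point it demonstrates is the invariant the bug violated: the deadline check does not depend on whether the client authenticated through SaslAuthenticateRequest.

```python
"""Model of the SASL re-authentication deadline a broker enforces under KIP-368.
Illustrative code only; names and the credential-lifetime bound are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SaslSession:
    """Per-connection state a broker keeps for an authenticated SASL client."""
    client_id: str
    # Deadline (ms) after which a successful re-authentication must have happened,
    # or None when re-authentication is disabled (connections.max.reauth.ms <= 0).
    expires_at_ms: Optional[int]
    # Assumed flag: client authenticated without SaslAuthenticateRequest (pre-KIP-152
    # path). Enforcement below deliberately never consults it.
    legacy_path: bool = False
    killed: bool = False


def session_expiry_ms(now_ms: int, max_reauth_ms: int,
                      credential_lifetime_ms: Optional[int] = None) -> Optional[int]:
    """Deadline for the next successful re-authentication.

    A non-positive max_reauth_ms disables re-authentication. Where the credential
    itself carries a shorter lifetime (assumed parameter, e.g. a token expiry),
    the deadline is bounded by that lifetime as well.
    """
    if max_reauth_ms <= 0:
        return None
    deadline = now_ms + max_reauth_ms
    if credential_lifetime_ms is not None:
        deadline = min(deadline, now_ms + credential_lifetime_ms)
    return deadline


def authenticate(client_id: str, now_ms: int, max_reauth_ms: int,
                 credential_lifetime_ms: Optional[int] = None,
                 legacy_path: bool = False) -> SaslSession:
    """Initial authentication: record the deadline the broker will enforce."""
    return SaslSession(client_id,
                       session_expiry_ms(now_ms, max_reauth_ms, credential_lifetime_ms),
                       legacy_path=legacy_path)


def on_request(session: SaslSession, now_ms: int, max_reauth_ms: int,
               reauth_attempt: Optional[bool] = None) -> bool:
    """Check applied to every request on the connection.

    reauth_attempt is None for an ordinary request, otherwise the outcome of a
    re-authentication attempt. Returns True if the request may be processed and
    False if the connection is killed. The check looks only at the deadline, so a
    legacy_path session is killed exactly like any other.
    """
    if session.killed:
        return False
    if reauth_attempt is not None:
        if reauth_attempt:
            # Successful re-authentication: start a fresh window.
            session.expires_at_ms = session_expiry_ms(now_ms, max_reauth_ms)
            return True
        session.killed = True          # failed re-authentication
        return False
    if session.expires_at_ms is not None and now_ms > session.expires_at_ms:
        session.killed = True          # deadline passed without re-authentication
        return False
    return True


def run_timeline(max_reauth_ms: int, legacy_path: bool) -> list:
    """Drive one session through a constructed timeline and return the outcomes."""
    s = authenticate("client-1", 0, max_reauth_ms, legacy_path=legacy_path)
    return [
        on_request(s, 500, max_reauth_ms),                        # inside window
        on_request(s, 900, max_reauth_ms, reauth_attempt=True),   # timely re-auth
        on_request(s, 1500, max_reauth_ms),                       # new window, ok
        on_request(s, 2500, max_reauth_ms),                       # past deadline: killed
        s.killed,
    ]


if __name__ == "__main__":
    print("normal client:", run_timeline(1000, legacy_path=False))
    print("legacy client:", run_timeline(1000, legacy_path=True))
```

Running the module shows the two timelines producing identical results; that equality is the property a fix for this issue restores, and it is a useful regression check to keep in a test suite for any broker-side SASL session code.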