Hello Kafka Dev, I realize that this question might be more SASL-related than Kafka-related, but after endless Googling and code browsing, I'm not understanding a few things. I've looked at all of the code for SASL/PLAIN and SASL/OAUTHBEARER, but when attempting to implement my own custom SASL mechanism, there are gaps in my understanding, and I'm really trying to make sure I understand things before just copying/pasting/refactoring and hoping for the best.
Does someone have a little time to explain the execution path for SASL/PLAIN so that I can eventually implement my own custom mechanism? Here are a few questions I had after spending a good bit of time trying to figure this out on my own:

1. What runs where? (Where is the LoginModule run, where are the callbacks run, how are SaslClient/SaslServer used, ...)
2. A follow-up to #1 is that the SASL/PLAIN implementation doesn't seem to have a custom SaslClient implementation but does have a custom SaslServer implementation. Why isn't a SaslClient required for SASL/PLAIN?
3. Are callbacks required for anything more than pluggability? I ask because, for PlainLoginModule, JAAS states that the LoginModule should perform authentication in login(), but PlainLoginModule doesn't do anything of the sort, just adding details to the Subject. SaslChannelBuilder wires up a PlainServerCallbackHandler to do the real work, but if pluggability isn't required, couldn't login() do it?

I think that's it for now. Ultimately, I want to create my own SASL mechanism that works in Kafka to do external authentication using more than just username and password.

Take care,
Jeremy
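As an added example (editor's code, not Jeremy's and not Kafka's), the following Java program shows the server-side pieces that Kafka's SASL/PLAIN supplies, that a custom mechanism has to supply as well, and where each of them runs. The broker creates its SaslServer through the JDK's Sasl.createSaslServer(), which looks a mechanism up by name among the registered java.security.Provider instances; that is why PLAIN ships a SaslServer, a SaslServerFactory and a Provider (registered from PlainLoginModule.initialize()), and why no Kafka SaslClient is needed for PLAIN: the JDK's built-in SunSASL provider already contains a PLAIN client but no PLAIN server. The SaslServer only parses the client's bytes; it hands the credentials to the callback handler (Kafka's AuthenticateCallbackHandler extends the JDK CallbackHandler), and that handler makes the trust decision, which is the role PlainServerCallbackHandler plays. Everything below that is not a JDK class is hypothetical: the mechanism name X-TOKEN, the wire format <username>NUL<token>, the TokenCallback, and the in-memory token table used as constructed test data. The LoginModule, the JAAS configuration and the client half are not shown.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.sasl.*;

public class TokenSaslDemo {
    static final String MECH = "X-TOKEN"; // hypothetical name, not a registered SASL mechanism

    // Carries the parsed credential to the CallbackHandler, which alone decides whether it is valid
    // (the same split as PLAIN: the SaslServer parses, the callback handler authenticates).
    public static final class TokenCallback implements Callback {
        private final byte[] token;
        private boolean authenticated;
        TokenCallback(byte[] token) { this.token = token; }
        public byte[] token() { return token; }
        public boolean authenticated() { return authenticated; }
        public void authenticated(boolean ok) { authenticated = ok; }
    }

    // Server half of the mechanism. Assumed wire format: "<username>\0<token>" in one client response.
    public static final class TokenSaslServer implements SaslServer {
        private final CallbackHandler cbh;
        private boolean complete;
        private String authorizationId;
        TokenSaslServer(CallbackHandler cbh) { this.cbh = cbh; }
        @Override public String getMechanismName() { return MECH; }
        @Override public byte[] evaluateResponse(byte[] response) throws SaslException {
            int nul = -1;
            for (int i = 0; i < response.length && nul < 0; i++) if (response[i] == 0) nul = i;
            if (nul <= 0 || nul == response.length - 1) throw new SaslException("malformed " + MECH + " response");
            String user = new String(response, 0, nul, StandardCharsets.UTF_8);
            TokenCallback tokenCb = new TokenCallback(Arrays.copyOfRange(response, nul + 1, response.length));
            try {
                cbh.handle(new Callback[] { new NameCallback("username", user), tokenCb }); // name first
            } catch (IOException | UnsupportedCallbackException e) {
                throw new SaslException("callback handler failed", e);
            }
            if (!tokenCb.authenticated()) throw new SaslException("authentication failed for " + user);
            complete = true;
            authorizationId = user; // no separate authzid in this mechanism, so the authcid is used
            return new byte[0];     // single round trip: no server challenge
        }
        @Override public boolean isComplete() { return complete; }
        @Override public String getAuthorizationID() {
            if (!complete) throw new IllegalStateException("authentication not complete");
            return authorizationId;
        }
        @Override public byte[] unwrap(byte[] in, int off, int len) { throw new IllegalStateException("no security layer"); }
        @Override public byte[] wrap(byte[] out, int off, int len) { throw new IllegalStateException("no security layer"); }
        @Override public Object getNegotiatedProperty(String name) { return Sasl.QOP.equals(name) ? "auth" : null; }
        @Override public void dispose() { }
    }

    // Factory and Provider: what Sasl.createSaslServer() uses to locate a mechanism by name.
    public static final class TokenSaslServerFactory implements SaslServerFactory {
        @Override public SaslServer createSaslServer(String mechanism, String protocol, String serverName,
                                                    Map<String, ?> props, CallbackHandler cbh) throws SaslException {
            if (!MECH.equals(mechanism)) return null; // not ours; Sasl tries the next provider
            if (cbh == null) throw new SaslException(MECH + " requires a CallbackHandler");
            return new TokenSaslServer(cbh);
        }
        @Override public String[] getMechanismNames(Map<String, ?> props) { return new String[] { MECH }; }
    }
    public static final class TokenSaslServerProvider extends Provider {
        TokenSaslServerProvider() {
            super(MECH + " Server Provider", "1.0", "example SaslServerFactory for " + MECH);
            put("SaslServerFactory." + MECH, TokenSaslServerFactory.class.getName());
        }
    }

    // Stand-in for the pluggable server callback handler; checks a constructed in-memory token table.
    static final class DemoTokenValidator implements CallbackHandler {
        private final Map<String, String> tokens;
        DemoTokenValidator(Map<String, String> tokens) { this.tokens = tokens; }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            String user = null;
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) user = ((NameCallback) cb).getDefaultName();
                else if (cb instanceof TokenCallback) {
                    String expected = user == null ? null : tokens.get(user);
                    ((TokenCallback) cb).authenticated(expected != null && MessageDigest.isEqual( // constant-time
                        expected.getBytes(StandardCharsets.UTF_8), ((TokenCallback) cb).token()));
                } else throw new UnsupportedCallbackException(cb);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Security.insertProviderAt(new TokenSaslServerProvider(), 1); // PLAIN does this in PlainLoginModule.initialize()
        CallbackHandler handler = new DemoTokenValidator(Map.of("alice", "s3cr3t-token")); // constructed test data
        SaslServer ok = Sasl.createSaslServer(MECH, "kafka", "broker1.example", null, handler);
        ok.evaluateResponse("alice\0s3cr3t-token".getBytes(StandardCharsets.UTF_8)); // bytes a client would send
        System.out.println("complete=" + ok.isComplete() + " authzid=" + ok.getAuthorizationID());
        SaslServer bad = Sasl.createSaslServer(MECH, "kafka", "broker1.example", null, handler);
        try { bad.evaluateResponse("alice\0wrong-token".getBytes(StandardCharsets.UTF_8)); }
        catch (SaslException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Run it with java TokenSaslDemo (Java 9 or later, for Map.of and the String-version Provider constructor). The handler compares tokens with MessageDigest.isEqual rather than Arrays.equals so that the time taken does not leak how many leading bytes matched. A mechanism that does no more than this negotiates no integrity or confidentiality layer, so, like PLAIN, it belongs on a TLS (SASL_SSL) listener.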