Alex Popa created KAFKA-14870:
---------------------------------

             Summary: KerberosLogin reLogin does not persist the login CallbackHandler
                 Key: KAFKA-14870
                 URL: https://issues.apache.org/jira/browse/KAFKA-14870
             Project: Kafka
          Issue Type: Bug
          Components: security
            Reporter: Alex Popa
Hi,

There seems to be an inconsistency in the way the KerberosLogin handles relogins.

Kafka supports injecting a custom CallbackHandler that subclasses the AuthenticateCallbackHandler:
https://kafka.apache.org/20/javadoc/org/apache/kafka/common/security/auth/AuthenticateCallbackHandler.html

On KerberosLogin#login(), the super.login() method is invoked
(https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/kerberos/KerberosLogin.java#L103),
which in turn passes the custom CallbackHandler to the LoginContext
(https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/authenticator/AbstractLogin.java#L59).

Now, on reLogin
(https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/kerberos/KerberosLogin.java#L372),
the new LoginContext is instantiated with null as the CallbackHandler.

Steps to reproduce:
1. Authenticate to Kafka using a custom CallbackHandler.
2. Have the app running for as long as the token TTL (24h?).
3. Observe it fail on relogin.

This looks like it should be patched ASAP on the main branch, but would also appreciate a 2.4.X patch.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
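The following is an added, self-contained Java illustration of the login/relogin asymmetry described in the report above; it is not code from the Kafka project or from the reporter. It uses only the JAAS API (javax.security.auth.login.LoginContext with an in-memory Configuration) and two hypothetical stand-ins: PromptingHandler for the user's custom CallbackHandler, and CredentialModule for a LoginModule that, like Krb5LoginModule without a keytab or ticket cache, can only obtain credentials through the handler it is initialized with. The class name, the "KafkaClient" context name and the principal/password strings are constructed for the demo. The first login passes the injected handler to LoginContext; the relogin path as reported passes null, so the module has no handler and login fails; the alternative relogin reuses the handler kept from the first login.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ReloginHandlerDemo {

    /** Hypothetical stand-in for the injected custom CallbackHandler. */
    public static class PromptingHandler implements CallbackHandler {
        int invocations = 0;

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            invocations++;
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName("svc-kafka@EXAMPLE.COM");          // constructed value
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword("not-a-real-secret".toCharArray()); // constructed value
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /** Hypothetical LoginModule that needs a CallbackHandler to obtain credentials. */
    public static class CredentialModule implements LoginModule {
        private CallbackHandler handler;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.handler = handler; // null when LoginContext was built with a null handler
        }

        @Override
        public boolean login() throws LoginException {
            if (handler == null) {
                throw new LoginException("No CallbackHandler available to garner authentication information");
            }
            Callback[] cbs = { new NameCallback("principal: "), new PasswordCallback("password: ", false) };
            try {
                handler.handle(cbs);
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException(e.toString());
            }
            return true;
        }

        @Override public boolean commit() { return true; }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() { return true; }
    }

    /** In-memory JAAS configuration, so the demo needs no jaas.conf file. */
    static final Configuration CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(CredentialModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap())
            };
        }
    };

    private final String contextName = "KafkaClient"; // constructed context name
    private final Subject subject = new Subject();
    private final CallbackHandler handler;             // kept from construction, as the login path has it

    ReloginHandlerDemo(CallbackHandler handler) { this.handler = handler; }

    /** Initial login: the injected handler is passed to the LoginContext. */
    LoginContext login() throws LoginException {
        LoginContext ctx = new LoginContext(contextName, subject, handler, CONFIG);
        ctx.login();
        return ctx;
    }

    /** Relogin as described in the report: a fresh LoginContext with a null handler. */
    LoginContext reLoginWithNullHandler() throws LoginException {
        LoginContext ctx = new LoginContext(contextName, subject, null, CONFIG);
        ctx.login(); // CredentialModule throws LoginException because it has no handler
        return ctx;
    }

    /** Relogin that reuses the handler persisted from the first login. */
    LoginContext reLoginWithPersistedHandler() throws LoginException {
        LoginContext ctx = new LoginContext(contextName, subject, handler, CONFIG);
        ctx.login();
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        PromptingHandler h = new PromptingHandler();
        ReloginHandlerDemo demo = new ReloginHandlerDemo(h);
        demo.login();
        try {
            demo.reLoginWithNullHandler();
            System.out.println("unexpected: relogin with null handler succeeded");
        } catch (LoginException e) {
            System.out.println("relogin with null handler failed: " + e.getMessage());
        }
        demo.reLoginWithPersistedHandler();
        System.out.println("relogin with persisted handler succeeded; handler invoked " + h.invocations + " times");
    }
}
```

Compile and run with `javac ReloginHandlerDemo.java && java ReloginHandlerDemo`. The demo passes an explicit Configuration to LoginContext so nothing depends on java.security.auth.login.config; with a null handler and no auth.login.defaultCallbackHandler security property set, the module is initialized with a null handler, which is the condition the report points at.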