Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

Wed, 26 Oct 2016 05:25:39 -0700 

Hi Jun,

The main processing method in the callback handler is "handle(Callback[]
callbacks)". This method is invoked by SaslClient either when the SaslClient
is constructed or when Kafka's SASL authentication code invokes
saslClient.evaluateChallenge(). These are always done under Subject.doAs() -
this is already the case in Kafka. Hence handle() method of the shared
callback handler can get Subject from the calling context and this Subject
corresponds to the client connection for which callback is being requested.

*Current per-connection SaslClientCallbackHandler:*


    private Subject subject;

    @Override

    public void configure(Map<String, ?> configs, Mode mode, Subject
subject, String mechanism) {

        this.isKerberos = mechanism.equals(SaslConfigs.GSSAPI_MECHANISM);

        this.subject = subject;

    }

    @Override

    public void handle(Callback[] callbacks) throws
UnsupportedCallbackException {

        // Uses this.subject

        ....

    }


*Proposed shared **SaslClientCallbackHandler**:*

    @Override

    public void configure(Map<String, ?> configs, String saslMechanism) {

    }

    @Override

    public void handle(Callback[] callbacks) throws
UnsupportedCallbackException {

        Subject subject = Subject.getSubject(AccessController.getContext());

        ....

    }




On Wed, Oct 26, 2016 at 2:58 AM, Jun Rao <j...@confluent.io> wrote:

> Hi, Rajini,
>
> Thanks for the proposal.
>
> One quick question. The KIP says "SaslClientCallbackHandler will be
> modified to obtain Subject using
> *Subject.getSubject(AccessController.getContext())* to avoid the current
> per-connection state." Since subject is going to be different for different
> connections, how do we get the connection specific subject if there is only
> a single instance of the callback handler? The modification seems to call
> only some static methods.
>
> Jun
>
>
>
> On Tue, Oct 11, 2016 at 7:28 AM, Rajini Sivaram <
> rajinisiva...@googlemail.com> wrote:
>
> > Hi all,
> >
> > I have just created KIP-86 make callback handlers in SASL configurable so
> > that credential providers for SASL/PLAIN (and SASL/SCRAM when it is
> > implemented) can be used with custom credential callbacks:
> >
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-
> > 86%3A+Configurable+SASL+callback+handlers
> >
> > Comments and suggestions are welcome.
> >
> > Thank you...
> >
> >
> > Regards,
> >
> > Rajini
> >
>



-- 
Regards,

Rajini

Reply via email to