[
https://issues.apache.org/jira/browse/KAFKA-4764?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rajini Sivaram updated KAFKA-4764:
----------------------------------
Description:
At the moment, broker closes the client connection if SASL authentication
fails. Clients see this as a connection failure and do not get any feedback for
the reason why the connection was closed. Producers and consumers retry,
attempting to create successful connections, treating authentication failures
as transient failures. There are no log entries on the client-side which
indicate that any of these connection failures were due to authentication
failure.
This JIRA will aim to improve diagnosis of authentication failures with the
changes described in
This JIRA also does not change handling of SSL authentication failures.
javax.net.debug provides sufficient diagnostics for this case, I don't believe
there is sufficient information in `SslTransportLayer` to treat these in a
consistent way with SASL authentication failures.
was:
At the moment, broker closes the client connection if SASL authentication
fails. Clients see this as a connection failure and do not get any feedback for
the reason why the connection was closed. Producers and consumers retry,
attempting to create successful connections, treating authentication failures
as transient failures. There are no log entries on the client-side which
indicate that any of these connection failures were due to authentication
failure.
This JIRA will aim to improve diagnosis of authentication failures with the
following changes:
- Broker will send an authentication error code if SASL authentication fails,
just before closing the connection. This will be treated as an invalid token by
the client authenticator, and the error handling for invalid tokens will be
updated to report authentication failure for this case. This is a bit of a
hack, but would work with GSSAPI, PLAIN and SCRAM. SASL itself doesn't provide
a mechanism-independent way of reporting authentication failures. An
alternative would be to wrap SASL authentication in Kafka request/response to
enables error codes to be sent as Kafka response, but that would be a much
bigger change.
- Log a warning in clients for authentication failures, distinguishing these
from EOF exceptions due to connection failure
- Blackout nodes to which connection failed due to authentication error, no
more attempts will be made to connect to these nodes.
- We should use the connection state to improve handling of producer/consumer
requests, avoiding unnecessary blocking. This will not be addressed in this
JIRA, KAFKA-3899 should be able to use the additional state from JIRA to fix
this issue.
This JIRA also does not change handling of SSL authentication failures.
javax.net.debug provides sufficient diagnostics for this case, I don't believe
there is sufficient information in `SslTransportLayer` to treat these in a
consistent way with SASL authentication failures.
> Improve diagnostics for SASL authentication failures
> ----------------------------------------------------
>
> Key: KAFKA-4764
> URL: https://issues.apache.org/jira/browse/KAFKA-4764
> Project: Kafka
> Issue Type: Improvement
> Components: security
> Affects Versions: 0.10.2.0
> Reporter: Rajini Sivaram
> Assignee: Rajini Sivaram
> Fix For: 1.0.0
>
>
> At the moment, broker closes the client connection if SASL authentication
> fails. Clients see this as a connection failure and do not get any feedback
> for the reason why the connection was closed. Producers and consumers retry,
> attempting to create successful connections, treating authentication failures
> as transient failures. There are no log entries on the client-side which
> indicate that any of these connection failures were due to authentication
> failure.
> This JIRA will aim to improve diagnosis of authentication failures with the
> changes described in
> This JIRA also does not change handling of SSL authentication failures.
> javax.net.debug provides sufficient diagnostics for this case, I don't
> believe there is sufficient information in `SslTransportLayer` to treat these
> in a consistent way with SASL authentication failures.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
