[ https://issues.apache.org/jira/browse/KAFKA-6004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16191694#comment-16191694 ]
ASF GitHub Bot commented on KAFKA-6004:
---------------------------------------

Github user asfgit closed the pull request at:

    https://github.com/apache/kafka/pull/4015

> Enable custom authentication plugins to return error messages to clients
> ------------------------------------------------------------------------
>
>                 Key: KAFKA-6004
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6004
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>            Priority: Blocker
>             Fix For: 1.0.0
>
>
> KIP-152 enables authentication failures to be returned to clients to simplify
> diagnosis of security configuration issues. At the moment, a fixed message is
> returned to clients by SaslServerAuthenticator which says "Authentication
> failed due to invalid credentials with SASL mechanism $mechanism".
>
> We have added an error message string to SaslAuthenticateResponse to return
> custom messages from the broker to clients. Custom SASL server
> implementations may want to return more specific error messages in some
> cases. We should allow this by returning error messages from specific
> exceptions (e.g. org.apache.kafka.common.errors.SaslAuthenticationException)
> in SaslAuthenticateResponse. It would be better not to return the error
> message from SaslException since it may contain information that we do not
> want to leak to clients.
>
> We should do this for 1.0.0 to avoid compatibility issues later since third-party
> implementors of SASL server may assume that SaslAuthenticationException
> is only logged on the server and not sent to clients, making it a security
> risk to update later.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
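Added example (not from the issue, the PR, or Kafka's own code) of the contract the description lays out for a custom SASL server under the behaviour it proposes: a hypothetical SaslServer for an invented mechanism throws SaslAuthenticationException only with a message it intends clients to see, and wraps backend detail in a SaslException, which the broker logs but, per the issue, does not forward. The mechanism name, TokenValidator and its two exception types are assumptions.

```java
import java.nio.charset.StandardCharsets;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.kafka.common.errors.SaslAuthenticationException;

/** Hypothetical SaslServer for an invented mechanism; TokenValidator and its exceptions are assumed. */
public final class ExampleTokenSaslServer implements SaslServer {
    private static final String MECHANISM = "EXAMPLE-TOKEN"; // invented mechanism name
    private final TokenValidator validator;                  // assumed application component
    private String authorizationId;
    private boolean complete;

    public ExampleTokenSaslServer(TokenValidator validator) {
        this.validator = validator;
    }

    @Override
    public byte[] evaluateResponse(byte[] response) throws SaslException {
        if (complete) {
            throw new IllegalStateException("Authentication already completed");
        }
        String token = new String(response, StandardCharsets.UTF_8);
        try {
            authorizationId = validator.validate(token);
        } catch (TokenValidator.ExpiredTokenException e) {
            // Client-facing by design: under KAFKA-6004 the broker forwards this message in
            // SaslAuthenticateResponse, so it names only what the client must fix, nothing internal.
            throw new SaslAuthenticationException("Token expired; request a new token and reconnect");
        } catch (TokenValidator.BackendException e) {
            // Not client-facing: e.getMessage() may carry backend hostnames or stack detail.
            // The broker logs this and sends clients only its generic SASL failure message.
            throw new SaslException("Token validation backend failed", e);
        }
        complete = true;
        return new byte[0]; // single-step mechanism: no server challenge to send back
    }

    @Override public String getMechanismName() { return MECHANISM; }
    @Override public boolean isComplete() { return complete; }
    @Override public String getAuthorizationID() { return authorizationId; }
    @Override public Object getNegotiatedProperty(String propName) { return null; }
    // No security layer is negotiated, so wrap/unwrap must not be used (per the SaslServer contract).
    @Override public byte[] unwrap(byte[] incoming, int offset, int len) {
        throw new IllegalStateException("No security layer negotiated");
    }
    @Override public byte[] wrap(byte[] outgoing, int offset, int len) {
        throw new IllegalStateException("No security layer negotiated");
    }
    @Override public void dispose() { }
}
```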