[ https://issues.apache.org/jira/browse/KAFKA-14870?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Popa reassigned KAFKA-14870:
---------------------------------

    Assignee: Alex Popa

PR - [https://github.com/apache/kafka/pull/13478]

> KerberosLogin reLogin does not persist the login CallbackHandler
> ----------------------------------------------------------------
>
>                 Key: KAFKA-14870
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14870
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>            Reporter: Alex Popa
>            Assignee: Alex Popa
>            Priority: Critical
>
> Hi,
> There seems to be an inconsistency in the way the KerberosLogin handles relogins.
>
> Kafka supports injecting a custom CallbackHandler, that subclasses the AuthenticateCallbackHandler.
> [https://kafka.apache.org/20/javadoc/org/apache/kafka/common/security/auth/AuthenticateCallbackHandler.html]
>
> On KerberosLogin#login(), the super.login() method is invoked -
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/kerberos/KerberosLogin.java#L103]
> - which in turn passes the custom callbackhandler to the LoginContext -
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/authenticator/AbstractLogin.java#L59]
>
> Now, on reLogin -
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/kerberos/KerberosLogin.java#L372]
> - the new LoginContext is instantiated with null as the CallbackHandler.
>
> Steps to reproduce:
> # Authenticate to Kafka using a custom CallbackHandler
> # Have the app running for as long as the token TTL (24h?)
> # Observe it fail on relogin
>
> This looks like it should be patched ASAP on the main branch, but would also appreciate a 2.4.X patch.
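The behaviour reported above can be reproduced with plain JAAS. The following is an added example, not code from Kafka or from the linked PR: it logs in with a custom handler, then builds a second LoginContext with a null handler (which fails) and one that reuses the handler (which succeeds). `ReloginHandlerDemo`, `NeedsHandlerModule`, the context name `Demo` and the principal `svc-demo` are hypothetical names, and the demo assumes the `auth.login.defaultCallbackHandler` security property is unset (the JDK default).

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class ReloginHandlerDemo {
    // Constructed stand-in for a login module that must ask its handler for the principal name.
    public static class NeedsHandlerModule implements LoginModule {
        private CallbackHandler handler;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> state, Map<String, ?> opts) { handler = h; }
        public boolean login() throws LoginException {
            if (handler == null) throw new LoginException("no CallbackHandler supplied");
            NameCallback name = new NameCallback("principal: ");
            try { handler.handle(new Callback[] {name}); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            return name.getName() != null;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    // In-memory JAAS configuration so the demo needs no jaas.conf file.
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                NeedsHandlerModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
        }
    };

    // Builds a fresh LoginContext, as a relogin does, with whatever handler the caller passes.
    static boolean tryLogin(Subject subject, CallbackHandler handler) {
        try { new LoginContext("Demo", subject, handler, CONFIG).login(); return true; }
        catch (LoginException e) { return false; }
    }

    public static void main(String[] args) {
        // Hypothetical custom handler that supplies a constructed principal name.
        CallbackHandler custom = cbs -> {
            for (Callback cb : cbs) if (cb instanceof NameCallback) ((NameCallback) cb).setName("svc-demo");
        };
        Subject subject = new Subject();
        System.out.println("initial login, custom handler: " + tryLogin(subject, custom));
        System.out.println("relogin, null handler:         " + tryLogin(subject, null));
        System.out.println("relogin, handler reused:       " + tryLogin(subject, custom));
    }
}
```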