[ https://issues.apache.org/jira/browse/KAFKA-9241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988381#comment-16988381 ]

ASF GitHub Bot commented on KAFKA-9241:
---------------------------------------

rondagostino commented on pull request #7784: KAFKA-9241: Some SASL Clients not 
forced to re-authenticate
URL: https://github.com/apache/kafka/pull/7784
 
 
   Brokers are supposed to force SASL clients to re-authenticate (and kill
   such connections in the absence of a timely and successful
   re-authentication) when KIP-368 SASL Re-Authentication is enabled via
   a positive connections.max.reauth.ms configuration value. There was a
   flaw in the logic that caused connections to not be killed in the
   absence of a timely and successful re-authentication if the client did
   not leverage the SaslAuthenticateRequest API (which was defined in
   KIP-152).
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> SASL Clients are not forced to re-authenticate if they don't leverage 
> SaslAuthenticateRequest
> ---------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-9241
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9241
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 2.2.0, 2.3.0, 2.2.1
>            Reporter: Ron Dagostino
>            Assignee: Ron Dagostino
>            Priority: Major
>              Labels: security, security-issue
>
> Brokers are supposed to force SASL clients to re-authenticate (and kill such 
> connections in the absence of a timely and successful re-authentication) when 
> SASL Re-Authentication 
> [(KIP-368)|https://cwiki.apache.org/confluence/display/KAFKA/KIP-368%3A+Allow+SASL+Connections+to+Periodically+Re-Authenticate]
>   is enabled via a positive `connections.max.reauth.ms` configuration value.  
> There is a flaw in the logic that causes connections to not be killed in the 
> absence of a timely and successful re-authentication _if the client does not 
> leverage the SaslAuthenticateRequest API_ (which was defined in 
> [KIP-152|https://cwiki.apache.org/confluence/display/KAFKA/KIP-152+-+Improve+diagnostics+for+SASL+authentication+failures]).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
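For reference, the broker setting the report refers to. This is an added configuration example, not part of the Jira message or of the Kafka project's own files; the listener name `SASL_SSL`, the mechanism `SCRAM-SHA-512` and the one-hour value are assumptions chosen for illustration. The property name and the listener/mechanism prefix form are the ones defined by KIP-368.

```properties
# server.properties (illustrative fragment, not from the Kafka distribution)

# Default: 0 disables SASL re-authentication entirely. With this value
# the broker never sends a session lifetime and never kills a connection
# for failing to re-authenticate.
#connections.max.reauth.ms=0

# Enabled: a positive value (here 1 hour, an assumed value) makes the broker
# communicate a session lifetime to clients during SASL authentication and
# disconnect any connection that is not re-authenticated in time.
connections.max.reauth.ms=3600000

# Optionally scoped to one listener and SASL mechanism (lower-case), which
# overrides the broker-wide value for that listener/mechanism only.
# Listener and mechanism names below are assumed for the example.
listener.name.sasl_ssl.scram-sha-512.connections.max.reauth.ms=3600000
```

On the affected versions listed in the issue (2.2.0, 2.2.1, 2.3.0), setting a positive value is not sufficient on its own: per the report, a connection whose client never uses the SaslAuthenticateRequest API is not killed when the session lifetime expires, so the setting must be paired with a broker that carries the fix. After upgrading, the broker's `expired-connections-killed-count` metric under `kafka.server:type=socket-server-metrics` (added by KIP-368) is the place to confirm that expired connections are actually being closed.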
