C0urante opened a new pull request #9806: URL: https://github.com/apache/kafka/pull/9806
[Jira](https://issues.apache.org/jira/browse/KAFKA-10895)

# Problem

If a connector, converter, etc. invokes [Configuration::setConfiguration](https://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/Configuration.html#setConfiguration-javax.security.auth.login.Configuration-), it will cause the Connect basic auth filter to use that JAAS config instead of the one configured at startup with the `-Djava.security.auth.login.config` JVM property. This can cause requests to the worker to succeed initially but start to be rejected after the JVM's global JAAS config is altered.

# Solution

Cache the JVM's global JAAS configuration as soon as possible (in this case, as soon as the `BasicAuthSecurityRestExtension` class is loaded), and use that for all future authentication.

It's still possible that a different JAAS config than the one that the JVM was configured to use on startup will be captured at this point, but the chances of that should be very slim since it would require a plugin class to install a new global JAAS config as soon as it was loaded. Even if that does happen, this should at the very least guarantee consistent behavior on the worker--any request that succeeds once will always succeed, as opposed to the current situation where requests can succeed for a little bit but then start to get inexplicably rejected after a little while when a plugin class chooses to install a new global JAAS config.

# Testing

Existing tests for the JAAS basic auth filter are modified to work with the new internal logic. The `testEmptyCredentialsFile` test is corrected to actually operate on an empty credentials file (instead of a non-existent credentials file, which it currently operates on). A new test is added to ensure that, even if the global JAAS config is overwritten, the basic auth filter will use the first one it could find.
### Committer Checklist (excluded from commit message)

- [ ] Verify design and implementation
- [ ] Verify test coverage and CI build status
- [ ] Verify documentation (including upgrade notes)

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
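The caching approach described in the PR, as an added illustrative sketch rather than Kafka's own `BasicAuthSecurityRestExtension` code: the global JAAS `Configuration` is captured in a static initializer, and each login is built with the four-argument `LoginContext` constructor so that a plugin's later `Configuration.setConfiguration(...)` call has no effect on the filter. The class name, the `KafkaConnect` entry name and the credential-callback handling are assumptions; it also assumes the JVM was started with `-Djava.security.auth.login.config`, since `Configuration.getConfiguration()` throws otherwise.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical sketch (not the Kafka code): snapshot the JVM-wide JAAS
 *  Configuration at class-load time and authenticate every request against it. */
public final class CachedJaasAuthenticator {

    // Captured once when the class loads. A plugin calling
    // Configuration.setConfiguration(...) later replaces the global config but
    // leaves this reference untouched. Needs -Djava.security.auth.login.config
    // set at startup, otherwise getConfiguration() throws.
    private static final Configuration CONFIGURATION = Configuration.getConfiguration();

    private static final String LOGIN_ENTRY = "KafkaConnect"; // assumed entry name

    private CachedJaasAuthenticator() {}

    /** True if the credentials satisfy the login modules of the cached configuration. */
    public static boolean authenticate(String username, char[] password) {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        try {
            // Four-argument constructor: uses the supplied Configuration instead of
            // whatever Configuration.getConfiguration() returns at request time.
            new LoginContext(LOGIN_ENTRY, new Subject(), handler, CONFIGURATION).login();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }
}
```

Because `CONFIGURATION` is resolved during class initialization, the window in which a plugin could swap the global config first is limited to the time before this class is loaded, which is the residual risk the PR description acknowledges.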
