Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2018-03-29 Thread Rajini Sivaram
To support extensibility for SASL/OAuth as described in KIP-255, I have added an extra config sasl.login.callback.handler.class. This implements the same interface as the other callback handlers. Default behaviour will be u

Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2018-01-29 Thread Rajini Sivaram
Hi all, To simplify dynamic update of SASL configs in future (e.g. add a new SASL mechanism with a new callback handler or Login), I have separated out the broker-side configs with a mechanism prefix in the property name (similar to listener prefix) instead of including all the classes together as

Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2018-01-17 Thread Rajini Sivaram
Hi all, I have made some updates to this KIP to simplify addition of new SASL mechanisms: 1. The Login interface has been made configurable as well (we have had this interface for quite some time and it has been stable). 2. The callback handler properties for client-side and server-side

Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2017-04-03 Thread Rajini Sivaram
If there are no other concerns or suggestions on this KIP, I will start the vote later this week. Thank you... Regards, Rajini On Thu, Mar 30, 2017 at 9:42 PM, Rajini Sivaram wrote: > I have made a minor change to the callback handler interface to pass in > the JAAS configuration entries in *conf

Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2017-03-30 Thread Rajini Sivaram
I have made a minor change to the callback handler interface to pass in the JAAS configuration entries in *configure,* to work with the multiple listener configuration introduced in KIP-103. I have also renamed the interface to AuthenticateCallbackHandler instead of AuthCallbackHandler to avoid con

Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2016-12-15 Thread Rajini Sivaram
Ismael, The reason for choosing CallbackHandler interface as the configurable interface is flexibility. As you say, we could instead define a simpler PlainCredentialProvider and ScramCredentialProvider. But that would tie users to Kafka's SaslServer implementation for PLAIN and SCRAM. SaslServer/S

Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2016-12-15 Thread Ismael Juma
Thanks Rajini, your answers make sense to me. One more general point: we are following the JAAS callback architecture and exposing that to the user where the user has to write code like: @Override public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2016-12-15 Thread Rajini Sivaram
Ismael, 1. At the moment AuthCallbackHandler is not a public interface, so I am assuming that it can be modified. Yes, agree that we should keep non-public methods separate. Will do that as part of the implementation of this KIP. 2. Callback handlers do tend to depend on ordering, including those

Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2016-12-14 Thread Ismael Juma
Thanks Rajini, that helps. A few comments: 1. The `AuthCallbackHandler` interface already exists and we are making breaking changes (removing a parameter from `configure` and adding additional methods). Is the reasoning that it was not a public interface before? It would be good to clearly separat

Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2016-12-14 Thread Rajini Sivaram
Have added sample callback handlers for PLAIN and SCRAM. On Tue, Dec 13, 2016 at 4:10 PM, Rajini Sivaram < rajinisiva...@googlemail.com> wrote: > Ismael, > > Thank you for the review. I will add an example. > > On Tue, Dec 13, 2016 at 1:07 PM, Ismael Juma wrote: > >> Hi Rajini, >> >> Thanks for

Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2016-12-13 Thread Rajini Sivaram
Ismael, Thank you for the review. I will add an example. On Tue, Dec 13, 2016 at 1:07 PM, Ismael Juma wrote: > Hi Rajini, > > Thanks for the KIP. I think this is useful and users have asked for > something like that. I like that you have a scenarios section, do you think > you could provide a r

Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2016-12-13 Thread Ismael Juma
Hi Rajini, Thanks for the KIP. I think this is useful and users have asked for something like that. I like that you have a scenarios section, do you think you could provide a rough sketch of what a callback handler would look like for the first 2 scenarios? They seem to be the common ones, so it w

Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2016-10-27 Thread Jun Rao
Hi, Rajini, Thanks for the explanation. So AccessController.getContext() returns the context specific to the calling thread. Then, this should work. Jun On Thu, Oct 27, 2016 at 2:32 AM, Rajini Sivaram < rajinisiva...@googlemail.com> wrote: > Hi Jun, > > We will be using the AccessControlContext

Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2016-10-27 Thread Rajini Sivaram
Hi Jun, We will be using the AccessControlContext corresponding to the current calling context (i.e. on the current thread). So concurrent Subject.doAs() in other threads will not have any impact. On the current thread, we are using the Subject corresponding to the latest Subject.doAs(). This is s

Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2016-10-26 Thread Jun Rao
Hi, Rajini, The javadoc of Subject.getSubject(AccessControlContext acc) says the following. So, are we depending on the correct ordering to get the right subject? Is there any issue if two Subject.doAs() are called

Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2016-10-26 Thread Rajini Sivaram
Hi Jun, The main processing method in the callback handler is "handle(Callback[] callbacks)". This method is invoked by SaslClient either when the SaslClient is constructed or when Kafka's SASL authentication code invokes saslClient.evaluateChallenge(). These are always done under Subject.doAs() -

Re: [DISCUSS] KIP-86: Configurable SASL callback handlers

2016-10-25 Thread Jun Rao
Hi, Rajini, Thanks for the proposal. One quick question. The KIP says "SaslClientCallbackHandler will be modified to obtain Subject using *Subject.getSubject(AccessController.getContext())* to avoid the current per-connection state." Since subject is going to be different for different connection

[DISCUSS] KIP-86: Configurable SASL callback handlers

2016-10-11 Thread Rajini Sivaram
Hi all, I have just created KIP-86 to make callback handlers in SASL configurable so that credential providers for SASL/PLAIN (and SASL/SCRAM when it is implemented) can be used with custom credential callbacks: https://cwiki.apache.org/confluence/display/KAFKA/KIP-86%3A+Configurable+SASL+callback+h