Hi Christian,

Kafka client connections are long-living connections, hence the authentication part comes up during connection establishment, and once we authenticate, regular Kafka protocols can be exchanged. Doing a heartbeat to keep the token alive in an Authorizer is not a good idea. The Authorizer's role is to tell if user A has permission on topic X etc., not to invalidate a user's session. Hence it won't propagate an exception into the LoginModule. What you are trying to do seems similar to DelegationToken. Have you checked this KIP? https://cwiki.apache.org/confluence/display/KAFKA/KIP-48+Delegation+token+support+for+Kafka
Thanks,
Harsha

On Sat, Feb 25, 2017 at 6:48 PM Christian <engr...@gmail.com> wrote:

> We have implemented our own LoginModule and Authorizer. The LoginModule does an authentication on the client side, obtains a token and passes that token down to our custom SaslServer which then verifies that this token is valid. Our Authorizer gets that token and asks another custom service if the necessary topic permissions are there. This is a very simplified description, but it should suffice for my question.
>
> I've found that the LoginModule only authenticates once and passes that token down once as well. Our service requires a heartbeat to keep the token alive. I would like the SaslService to call our authentication service every once in a while and if the token ever times out (it times out after 24 hours; even with heartbeats, but heartbeats every so many minutes can extend the session to 24 hours), then I'd like it to respond back to the LoginModule with some sort of failed to authorize message or code.
>
> Once this gets passed to the Authorizer, we can extend the session by querying our internal Authentication/Authorization service. I was hoping, as a fallback plan, that the Authorizer could do this, by simply throwing an exception or failing the request when the authorization finally returns false (due to session timeout), but I don't see anywhere in the documentation where a certain kind of failure in the authorizer can bubble up to the authenticator and I don't see how I can configure the loginmodule to periodically redo authentication. Can anyone out there help me? Is the Kafka SASL implementation not meant for such a complicated scenario or am I just thinking about it all wrong?
>
> Thanks,
> Christian