You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by "Rajini Sivaram (Jira)" <ji...@apache.org> on 2020/12/02 14:43:00 UTC
[jira] [Created] (KAFKA-10798) Failed authentication delay doesn't
work with some SASL authentication failures
Rajini Sivaram created KAFKA-10798:
--------------------------------------
Summary: Failed authentication delay doesn't work with some SASL authentication failures
Key: KAFKA-10798
URL: https://issues.apache.org/jira/browse/KAFKA-10798
Project: Kafka
Issue Type: Bug
Components: security
Reporter: Rajini Sivaram
Assignee: Rajini Sivaram
Fix For: 2.8.0
KIP-306 introduced the config `connection.failed.authentication.delay.ms` to delay connection closing on brokers for failed authentication to limit the rate of retried authentications from clients in order to avoid excessive authentication load on brokers from failed clients. We rely on authentication failure response to be delayed in this case to prevent clients from detecting the failure and retrying sooner.
SaslServerAuthenticator delays response for SaslAuthenticationException, but not for SaslException, even though SaslException is also converted into SaslAuthenticationException and processed as an authentication failure by both server and clients. As a result, connection delay is not applied in many scenarios like SCRAM authentication failures.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)