Posted to dev@kafka.apache.org by "Rajini Sivaram (Jira)" <ji...@apache.org> on 2020/12/02 14:43:00 UTC

[jira] [Created] (KAFKA-10798) Failed authentication delay doesn't work with some SASL authentication failures

Rajini Sivaram created KAFKA-10798:
--------------------------------------

             Summary: Failed authentication delay doesn't work with some SASL authentication failures
                 Key: KAFKA-10798
                 URL: https://issues.apache.org/jira/browse/KAFKA-10798
             Project: Kafka
          Issue Type: Bug
          Components: security
            Reporter: Rajini Sivaram
            Assignee: Rajini Sivaram
             Fix For: 2.8.0


KIP-306 introduced the config `connection.failed.authentication.delay.ms`, which delays closing a connection on the broker after a failed authentication. This limits the rate at which clients can retry authentication and so avoids excessive authentication load on brokers from failing clients. We rely on the authentication failure response being delayed in this case to prevent clients from detecting the failure and retrying sooner.

SaslServerAuthenticator delays the response for SaslAuthenticationException, but not for SaslException, even though SaslException is also converted into SaslAuthenticationException and processed as an authentication failure by both the server and clients. As a result, the connection delay is not applied in many scenarios, such as SCRAM authentication failures.



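One way to check from broker logs whether the delay is actually pacing failing clients, as an added example that is not part of the original issue or of Kafka's code: it flags client addresses whose consecutive authentication failures arrive closer together than the configured `connection.failed.authentication.delay.ms`. The log line shape, the sample lines and the 100 ms value are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape, modelled on a broker INFO line for a failed authentication.
FAILED_AUTH = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\].*"
    r"Failed authentication with /(?P<ip>[0-9A-Fa-f.:]+) "
)

# Constructed sample: 10.0.0.5 retries every ~13 ms, 10.0.0.9 is paced above 100 ms.
SAMPLE_LOG = """\
[2020-12-02 14:43:00,100] INFO Failed authentication with /10.0.0.5 (invalid credentials with SASL mechanism SCRAM-SHA-256)
[2020-12-02 14:43:00,112] INFO Failed authentication with /10.0.0.5 (invalid credentials with SASL mechanism SCRAM-SHA-256)
[2020-12-02 14:43:00,125] INFO Failed authentication with /10.0.0.5 (invalid credentials with SASL mechanism SCRAM-SHA-256)
[2020-12-02 14:43:00,139] INFO Failed authentication with /10.0.0.5 (invalid credentials with SASL mechanism SCRAM-SHA-256)
[2020-12-02 14:43:00,200] INFO Failed authentication with /10.0.0.9 (invalid credentials with SASL mechanism PLAIN)
[2020-12-02 14:43:00,310] INFO Failed authentication with /10.0.0.9 (invalid credentials with SASL mechanism PLAIN)
[2020-12-02 14:43:00,350] INFO Some unrelated broker message
[2020-12-02 14:43:00,425] INFO Failed authentication with /10.0.0.9 (invalid credentials with SASL mechanism PLAIN)
"""

def parse_failures(text):
    """Group failed-authentication timestamps by client address."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = FAILED_AUTH.match(line)
        if m:
            by_ip[m["ip"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"))
    return by_ip

def fast_retry_clients(text, delay_ms, min_short_gaps=2):
    """Report clients whose failures repeat faster than the configured delay.

    Heuristic only: several parallel connections from one host also give short gaps.
    """
    findings = {}
    for ip, stamps in parse_failures(text).items():
        stamps.sort()
        gaps = [(b - a) // timedelta(milliseconds=1) for a, b in zip(stamps, stamps[1:])]
        short = [g for g in gaps if g < delay_ms]
        if len(short) >= min_short_gaps:
            findings[ip] = {"failures": len(stamps), "short_gaps": len(short),
                            "min_gap_ms": min(short)}
    return findings

if __name__ == "__main__":
    print(fast_retry_clients(SAMPLE_LOG, delay_ms=100))
```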