Posted to jira@kafka.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/10/03 13:20:00 UTC

[jira] [Commented] (KAFKA-7462) Kafka brokers cannot provide OAuth without a token

    [ https://issues.apache.org/jira/browse/KAFKA-7462?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16636936#comment-16636936 ] 

ASF GitHub Bot commented on KAFKA-7462:
---------------------------------------

rajinisivaram opened a new pull request #5733: KAFKA-7462: Make token optional for OAuthBearerLoginModule
URL: https://github.com/apache/kafka/pull/5733
 
 
   OAuthBearerLoginModule is used both on the server-side and client-side (similar to login modules for other mechanisms). OAUTHBEARER tokens are client credentials used only on the client-side to authenticate with servers, but the current implementation requires tokens to be provided on the server-side even if OAUTHBEARER is not used for inter-broker communication. Tokens should be optional for server-side login context to allow brokers to be configured without a token when OAUTHBEARER is not used for inter-broker communication.
   
   ### Committer Checklist (excluded from commit message)
   - [ ] Verify design and implementation 
   - [ ] Verify test coverage and CI build status
   - [ ] Verify documentation (including upgrade notes)
   



> Kafka brokers cannot provide OAuth without a token
> --------------------------------------------------
>
>                 Key: KAFKA-7462
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7462
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.0.0
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>            Priority: Major
>             Fix For: 2.2.0
>
>
> Like with all other SASL mechanisms, OAUTHBEARER uses the same LoginModule class on both the server-side and the client-side. But unlike PLAIN or SCRAM, where client credentials are optional, OAUTHBEARER always requires a token. So while with PLAIN/SCRAM the broker only needs to specify client credentials if the mechanism is used for inter-broker communication, with OAuth the broker requires client credentials even if OAuth is not used for inter-broker communication. This is an issue with the default `OAuthBearerUnsecuredLoginCallbackHandler` used on both client-side and server-side. But more critically, it is an issue with `OAuthBearerLoginModule` which doesn't commit if token == null (commit() returns false).
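The commit() behaviour discussed in the issue, as an added illustration that is not Kafka's code: a hypothetical minimal JAAS LoginModule (`OptionalTokenLoginModule`, saved as OptionalTokenLoginModule.java) whose commit() adds a private credential only when a token is present and still succeeds without one, driven through a programmatic JAAS Configuration once as a broker-style entry with no token and once as a client-style entry with one. The option name "token" and the entry name "KafkaServer" are assumptions made for the demo.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical minimal JAAS module, not Kafka's OAuthBearerLoginModule. The
// token is read from the JAAS option "token" instead of a callback handler,
// and a missing token means a server-side login, not a failed one.
public final class OptionalTokenLoginModule implements LoginModule {
    private Subject subject;
    private String token;      // null when the option is absent (server-side use)
    private boolean loggedIn;
    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s;
        token = (String) options.get("token");
    }
    @Override public boolean login() { loggedIn = true; return true; }   // no token is not an error
    @Override public boolean commit() {
        if (loggedIn && token != null) subject.getPrivateCredentials().add(token); // only a client gets a credential
        return loggedIn;                  // a token-less (server-side) login still commits
    }
    @Override public boolean abort() { loggedIn = false; token = null; return true; }
    @Override public boolean logout() { if (token != null) subject.getPrivateCredentials().remove(token); loggedIn = false; return true; }

    /** Programmatic JAAS configuration: one REQUIRED entry, with or without a "token" option. */
    static Configuration config(String token) {
        Map<String, String> opts = new HashMap<>();
        if (token != null) opts.put("token", token);
        AppConfigurationEntry entry = new AppConfigurationEntry(OptionalTokenLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /** Logs in via LoginContext and returns the Subject's private credentials; LoginContext.login()
     *  throws LoginException when every module's commit() returns false, the failure the issue reports. */
    static Set<Object> loginAndGetCredentials(String token) throws LoginException {
        LoginContext ctx = new LoginContext("KafkaServer", new Subject(), null, config(token));
        ctx.login();
        return ctx.getSubject().getPrivateCredentials();
    }
    public static void main(String[] args) throws LoginException {
        System.out.println("broker without token: " + new ArrayList<>(loginAndGetCredentials(null)));
        System.out.println("client with token:    " + new ArrayList<>(loginAndGetCredentials("constructed-token")));
    }
}
```

The broker-style login completes with an empty credential set, which is exactly the Subject a broker needs when OAUTHBEARER is only accepted from clients and not used for inter-broker connections.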


