You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jira@kafka.apache.org by "Rajini Sivaram (JIRA)" <ji...@apache.org> on 2018/02/07 16:43:00 UTC

[jira] [Resolved] (KAFKA-6532) Delegation token internals should not impact public interfaces

     [ https://issues.apache.org/jira/browse/KAFKA-6532?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rajini Sivaram resolved KAFKA-6532.
-----------------------------------
       Resolution: Fixed
    Fix Version/s: 1.1.0

> Delegation token internals should not impact public interfaces
> --------------------------------------------------------------
>
>                 Key: KAFKA-6532
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6532
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>            Priority: Major
>             Fix For: 1.1.0
>
>
> We need to make sure that code related to the internal delegation tokens implementation doesn't have any impact on public interfaces, including customizable callback handlers from KIP-86.
>  # KafkaPrincipal has a public _tokenAuthenticated()_ method. Principal builders are configurable and we now expect custom principal builders to set this value. Since we allow the same endpoint to be used for basic SCRAM and delegation tokens, the configured principal builder needs a way of detecting token authentication. Default principal builder does this using internal SCRAM implementation code. It will be better if configurable principal builders didn't have to set this flag at all.
>  # It will be better to replace _o.a.k.c.security.scram.DelegationTokenAuthenticationCallback_ with a more generic _ScramExtensionsCallback_. This will allow us to add more extensions in future and it will also enable custom Scram extensions.
>  # _ScramCredentialCallback_ was extended to add _tokenOwner_ and mechanism. Mechanism is determined during SASL handshake and shouldn't be configurable in a callback handler. _ScramCredentialCallback_ is being made a public interface in KIP-86 with configurable callback handlers. Since delegation token implementation is internal and not extensible, _tokenOwner_ should be in a delegation-token-specific callback.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)