You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@kafka.apache.org by "Alex Popa (Jira)" <ji...@apache.org> on 2023/03/29 17:10:00 UTC

[jira] [Created] (KAFKA-14870) KerberosLogin reLogin does not persist the login CallbackHandler

Alex Popa created KAFKA-14870:
---------------------------------

             Summary: KerberosLogin reLogin does not persist the login CallbackHandler
                 Key: KAFKA-14870
                 URL: https://issues.apache.org/jira/browse/KAFKA-14870
             Project: Kafka
          Issue Type: Bug
          Components: security
            Reporter: Alex Popa


Hi,

There seems to be an inconsistency in the way the KerberosLogin handles relogins.

Kafka supports injecting a custom CallbackHandler, that subclasses the AuthenticateCallbackHandler. [https://kafka.apache.org/20/javadoc/org/apache/kafka/common/security/auth/AuthenticateCallbackHandler.html]

On KerberosLogin#login(), the super.login() method is invoked - [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/kerberos/KerberosLogin.java#L103] - which in turn passes the custom callbackhandler to the LoginContext - [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/authenticator/AbstractLogin.java#L59]

Now, on reLogin - [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/kerberos/KerberosLogin.java#L372] - the new LoginContext is instantiated with null as the CallbackHandler.

Steps to reproduce:
 # Authenticate to Kafka using a custom CallbackHandler
 # Have the app running for as long as the token TTL (24h?)
 # Observe it fail on relogin

This looks like it should be patched ASAP on the main branch, but would also appreciate a 2.4.X patch.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)