You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by "Alex Popa (Jira)" <ji...@apache.org> on 2023/03/29 17:10:00 UTC
[jira] [Created] (KAFKA-14870) KerberosLogin reLogin does not persist the login CallbackHandler
Alex Popa created KAFKA-14870:
---------------------------------
Summary: KerberosLogin reLogin does not persist the login CallbackHandler
Key: KAFKA-14870
URL: https://issues.apache.org/jira/browse/KAFKA-14870
Project: Kafka
Issue Type: Bug
Components: security
Reporter: Alex Popa
Hi,
There seems to be an inconsistency in the way the KerberosLogin handles relogins.
Kafka supports injecting a custom CallbackHandler, that subclasses the AuthenticateCallbackHandler. [https://kafka.apache.org/20/javadoc/org/apache/kafka/common/security/auth/AuthenticateCallbackHandler.html]
On KerberosLogin#login(), the super.login() method is invoked - [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/kerberos/KerberosLogin.java#L103] - which in turn passes the custom callbackhandler to the LoginContext - [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/authenticator/AbstractLogin.java#L59]
Now, on reLogin - [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/kerberos/KerberosLogin.java#L372] - the new LoginContext is instantiated with null as the CallbackHandler.
Steps to reproduce:
# Authenticate to Kafka using a custom CallbackHandler
# Have the app running for as long as the token TTL (24h?)
# Observe it fail on relogin
This looks like it should be patched ASAP on the main branch, but would also appreciate a 2.4.X patch.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)