Posted to dev@kafka.apache.org by Sourav Biswas <so...@yahoo.com.INVALID> on 2023/02/04 20:28:33 UTC

[Possible bug] Failing to use multiple client for multiple cluster using SASL channel.

Hello Kafka Dev,
Issue: Say I need to configure multiple clients (consumer/producer) listening and publishing to different clusters inside the same application (same JVM). Both clusters use
- sasl.mechanism = GSSAPI
- security.protocol = SASL_PLAINTEXT

But, different 'sasl.kerberos.service.name'.

Now, considering the above configuration, the client will create a KafkaChannel using SaslChannelBuilder, which uses a LoginManager.
https://github.com/apache/kafka/blob/4a7fedd46a7fc1eff5411a0f4329781c9474f8e8/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L170
For this case, it should create multiple LoginManagers, one for each cluster, but it is creating only one. Because of this, authentication is failing for all clusters except one.

Reason:
A static Map of login managers is maintained, with key of LoginMetadata
       STATIC_INSTANCES.put(loginMetadata, loginManager);

- https://github.com/apache/kafka/blob/4a7fedd46a7fc1eff5411a0f4329781c9474f8e8/clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java#L109

- https://github.com/apache/kafka/blob/4a7fedd46a7fc1eff5411a0f4329781c9474f8e8/clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java#L113

LoginMetadata only considers the following fields to maintain its uniqueness.
        final T configInfo; // "KafkaClient"; same for all clusters
        final Class<? extends Login> loginClass; // same for all clusters
        final Class<? extends AuthenticateCallbackHandler> loginCallbackClass; // same for all clusters


Possible fix: Need to consider more fields (sasl.kerberos.service.name / client.id / something else) to maintain more granular uniqueness.

Note: If you feel it's a bug, then I can raise a PR if I get a jira. Please share your thoughts.
~ Sourav
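
The key collision described in this post, as an added example that is not part of the original message and is not Kafka's own code: a simplified Java model (Java 16+ for records) of a static cache keyed on the three listed fields, next to a key that also carries the service name. The class and record names, the placeholder class-name strings and the service names kafka-a / kafka-b are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

public class LoginCacheKeyDemo {
    // Coarse key: only the three fields listed in the post.
    record CoarseKey(String configInfo, String loginClass, String callbackClass) {}

    // Finer key: additionally includes the Kerberos service name (the proposed direction).
    record FineKey(String configInfo, String loginClass, String callbackClass,
                   String serviceName) {}

    // Stand-in for a login manager; it remembers the service name it was built with.
    record Login(String serviceName) {}

    // Process-wide cache, shared by every client in the JVM.
    static final Map<Object, Login> STATIC_INSTANCES = new HashMap<>();

    // Returns the cached instance for an equal key, otherwise creates and caches one.
    static Login acquire(Object key, String serviceName) {
        return STATIC_INSTANCES.computeIfAbsent(key, k -> new Login(serviceName));
    }

    public static void main(String[] args) {
        // Constructed values: identical for both clusters, as in the report.
        String ctx = "KafkaClient";
        String login = "ExampleLogin";
        String cb = "ExampleCallbackHandler";

        // Two clients, two clusters, different service names, same coarse key.
        Login a = acquire(new CoarseKey(ctx, login, cb), "kafka-a");
        Login b = acquire(new CoarseKey(ctx, login, cb), "kafka-b");
        System.out.println("coarse key: same instance = " + (a == b)
                + ", cluster B is handed service name " + b.serviceName());

        // With the service name in the key, each cluster gets its own entry.
        Login c = acquire(new FineKey(ctx, login, cb, "kafka-a"), "kafka-a");
        Login d = acquire(new FineKey(ctx, login, cb, "kafka-b"), "kafka-b");
        System.out.println("fine key:   same instance = " + (c == d)
                + ", cluster B is handed service name " + d.serviceName());

        System.out.println("cache entries: " + STATIC_INSTANCES.size());
    }
}
```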



Re: [Possible bug] Failing to use multiple client for multiple cluster using SASL channel.

Posted by Manikumar <ma...@gmail.com>.
Hi Sourav,

Can you check if https://github.com/apache/kafka/pull/13211 can help
to handle your scenario?

Thanks


Re: [Possible bug] Failing to use multiple client for multiple cluster using SASL channel.

Posted by Luke Chen <sh...@gmail.com>.
Hi Sourav,

Your JIRA account is all set.

Thank you.
Luke

On Wed, Feb 8, 2023 at 4:24 PM Sourav Biswas
<so...@yahoo.com.invalid> wrote:

> Hello Chen,
>
> Please use the following for the jira account.
>
> Email: sourav_biswas20@yahoo.com
>
> User name: bsourav85
>
> Display Name: "Sourav Biswas" or "Sourav"
>
>
> ~ Thanks
>
> Sourav
>
>

Re: [Possible bug] Failing to use multiple client for multiple cluster using SASL channel.

Posted by Sourav Biswas <so...@yahoo.com.INVALID>.
Hello Chen,

Please use the following for the jira account.

Email: sourav_biswas20@yahoo.com

User name: bsourav85

Display Name: "Sourav Biswas" or "Sourav"


~ Thanks

Sourav


Re: [Possible bug] Failing to use multiple client for multiple cluster using SASL channel.

Posted by Luke Chen <sh...@gmail.com>.
Hi Sourav,

To create a JIRA account, in addition to your email address, we also need your
preferred username and display name.

Thank you.
Luke

On Wed, Feb 8, 2023 at 2:01 PM Sourav Biswas
<so...@yahoo.com.invalid> wrote:

> May I get a jira account
> Email id: sourav_biswas20@yahoo.com

Re: [Possible bug] Failing to use multiple client for multiple cluster using SASL channel.

Posted by Sourav Biswas <so...@yahoo.com.INVALID>.
May I get a jira account
Email id: sourav_biswas20@yahoo.com


 
