Posted to dev@kafka.apache.org by Mickael Maison <mi...@gmail.com> on 2016/09/05 10:13:26 UTC

SASL session expiry

Hi,

While Kerberos has a mechanism to refresh its tickets, SASL PLAIN has
no such feature. This means if a client is connected, as far as I can
tell, we have currently no way of disconnecting him; revoking his
credentials won't help.

I think it would be useful to have a way to force clients to refresh
their SASL session periodically and disconnect them if their
credentials have expired.


What do you think?

Re: SASL session expiry

Posted by Mickael Maison <mi...@gmail.com>.
Indeed

On Mon, Sep 5, 2016 at 5:43 PM, Ismael Juma <is...@juma.me.uk> wrote:
> On Mon, Sep 5, 2016 at 3:48 PM, Mickael Maison <mi...@gmail.com>
> wrote:
>
>> Yes in our case, I can see how we would add the functionality, but I
>> was wondering if people might be interested to directly have such a
>> feature in Kafka. At the moment, the authorization logic is only
>> invoked for new SASL (and apparently Kerberos) connections.
>
>
> I think you mean authentication logic above.
>
> Ismael

Re: SASL session expiry

Posted by Ismael Juma <is...@juma.me.uk>.
On Mon, Sep 5, 2016 at 3:48 PM, Mickael Maison <mi...@gmail.com>
wrote:

> Yes in our case, I can see how we would add the functionality, but I
> was wondering if people might be interested to directly have such a
> feature in Kafka. At the moment, the authorization logic is only
> invoked for new SASL (and apparently Kerberos) connections.


I think you mean authentication logic above.

Ismael

Re: SASL session expiry

Posted by Mickael Maison <mi...@gmail.com>.
Hi Rajini,

Yes in our case, I can see how we would add the functionality, but I
was wondering if people might be interested to directly have such a
feature in Kafka. At the moment, the authorization logic is only
invoked for new SASL (and apparently Kerberos) connections. I feel
like having the option to periodically recheck credentials for active
connections would be beneficial.

On Mon, Sep 5, 2016 at 1:22 PM, Ismael Juma <is...@juma.me.uk> wrote:
> Hi Rajini,
>
> It's a good question and it depends on a number of details. For example,
> for short-lived certificates with long-lived connections, it would seem
> that one would have to duplicate some logic performed by the TLS stack on
> the Authorizer, which is not ideal. For the case where the Authorizer
> relies on a user's database of some sort, it seems to work OK (supposedly,
> the user DB would be updated if the user left). It would be good to think
> through use cases and figure out how this could be improved.
>
> Ismael
>
> On Mon, Sep 5, 2016 at 1:01 PM, Rajini Sivaram <rajinisivaram@googlemail.com
>> wrote:
>
>> Mickael,
>>
>> I imagine it is fairly easy in MessageHub to deal with expired SASL/PLAIN
>> credentials since checks can be added to the interceptor in the broker.
>>
>> Ismael,
>>
>> Is it really feasible in general to deal with expired credentials in
>> Authorizers? It sort of expects tight coupling between authenticator and
>> authorizer. Not sure how an authorizer would deal with certificate expiry
>> or certificate revocation when using SSL client auth for instance.
>>
>>
>> On Mon, Sep 5, 2016 at 11:20 AM, Ismael Juma <is...@juma.me.uk> wrote:
>>
>> > Hi Mickael,
>> >
>> > The Kerberos ticket refresh mechanism is there for new connections, not
>> > existing connections. Currently, the suggested approach is to rely on the
>> > authorizer to deal with expired credentials. Would this work for you?
>> >
>> > Ismael
>> >
>> > On Mon, Sep 5, 2016 at 11:13 AM, Mickael Maison <
>> mickael.maison@gmail.com>
>> > wrote:
>> >
>> > > Hi,
>> > >
>> > > While Kerberos has a mechanism to refresh its tickets, SASL PLAIN has
>> > > no such feature. This means if a client is connected, as far as I can
>> > > tell, we have currently no way of disconnecting him; revoking his
>> > > credentials won't help.
>> > >
>> > > I think it would be useful to have a way to force clients to refresh
>> > > their SASL session periodically and disconnect them if their
>> > > credentials have expired.
>> > >
>> > >
>> > > What do you think?
>> > >
>> >
>>
>>
>>
>> --
>> Regards,
>>
>> Rajini
>>

Re: SASL session expiry

Posted by Ismael Juma <is...@juma.me.uk>.
Hi Rajini,

It's a good question and it depends on a number of details. For example,
for short-lived certificates with long-lived connections, it would seem
that one would have to duplicate some logic performed by the TLS stack on
the Authorizer, which is not ideal. For the case where the Authorizer
relies on a user's database of some sort, it seems to work OK (supposedly,
the user DB would be updated if the user left). It would be good to think
through use cases and figure out how this could be improved.

Ismael

On Mon, Sep 5, 2016 at 1:01 PM, Rajini Sivaram <rajinisivaram@googlemail.com
> wrote:

> Mickael,
>
> I imagine it is fairly easy in MessageHub to deal with expired SASL/PLAIN
> credentials since checks can be added to the interceptor in the broker.
>
> Ismael,
>
> Is it really feasible in general to deal with expired credentials in
> Authorizers? It sort of expects tight coupling between authenticator and
> authorizer. Not sure how an authorizer would deal with certificate expiry
> or certificate revocation when using SSL client auth for instance.
>
>
> On Mon, Sep 5, 2016 at 11:20 AM, Ismael Juma <is...@juma.me.uk> wrote:
>
> > Hi Mickael,
> >
> > The Kerberos ticket refresh mechanism is there for new connections, not
> > existing connections. Currently, the suggested approach is to rely on the
> > authorizer to deal with expired credentials. Would this work for you?
> >
> > Ismael
> >
> > On Mon, Sep 5, 2016 at 11:13 AM, Mickael Maison <
> mickael.maison@gmail.com>
> > wrote:
> >
> > > Hi,
> > >
> > > While Kerberos has a mechanism to refresh its tickets, SASL PLAIN has
> > > no such feature. This means if a client is connected, as far as I can
> > > tell, we have currently no way of disconnecting him; revoking his
> > > credentials won't help.
> > >
> > > I think it would be useful to have a way to force clients to refresh
> > > their SASL session periodically and disconnect them if their
> > > credentials have expired.
> > >
> > >
> > > What do you think?
> > >
> >
>
>
>
> --
> Regards,
>
> Rajini
>

Re: SASL session expiry

Posted by Rajini Sivaram <ra...@googlemail.com>.
Mickael,

I imagine it is fairly easy in MessageHub to deal with expired SASL/PLAIN
credentials since checks can be added to the interceptor in the broker.

Ismael,

Is it really feasible in general to deal with expired credentials in
Authorizers? It sort of expects tight coupling between authenticator and
authorizer. Not sure how an authorizer would deal with certificate expiry
or certificate revocation when using SSL client auth for instance.


On Mon, Sep 5, 2016 at 11:20 AM, Ismael Juma <is...@juma.me.uk> wrote:

> Hi Mickael,
>
> The Kerberos ticket refresh mechanism is there for new connections, not
> existing connections. Currently, the suggested approach is to rely on the
> authorizer to deal with expired credentials. Would this work for you?
>
> Ismael
>
> On Mon, Sep 5, 2016 at 11:13 AM, Mickael Maison <mi...@gmail.com>
> wrote:
>
> > Hi,
> >
> > While Kerberos has a mechanism to refresh its tickets, SASL PLAIN has
> > no such feature. This means if a client is connected, as far as I can
> > tell, we have currently no way of disconnecting him; revoking his
> > credentials won't help.
> >
> > I think it would be useful to have a way to force clients to refresh
> > their SASL session periodically and disconnect them if their
> > credentials have expired.
> >
> >
> > What do you think?
> >
>



-- 
Regards,

Rajini

Re: SASL session expiry

Posted by Ismael Juma <is...@juma.me.uk>.
Hi Mickael,

The Kerberos ticket refresh mechanism is there for new connections, not
existing connections. Currently, the suggested approach is to rely on the
authorizer to deal with expired credentials. Would this work for you?

Ismael

On Mon, Sep 5, 2016 at 11:13 AM, Mickael Maison <mi...@gmail.com>
wrote:

> Hi,
>
> While Kerberos has a mechanism to refresh its tickets, SASL PLAIN has
> no such feature. This means if a client is connected, as far as I can
> tell, we have currently no way of disconnecting him; revoking his
> credentials won't help.
>
> I think it would be useful to have a way to force clients to refresh
> their SASL session periodically and disconnect them if their
> credentials have expired.
>
>
> What do you think?
>
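The point Mickael raises (an already-authenticated SASL/PLAIN client keeps its session after its credentials are revoked) and the workaround Ismael suggests (let the authorizer handle expired credentials) can be made concrete with a small model of the broker's authenticate-once, authorize-per-request flow. This is an added example, not Kafka code and not code from anyone in the thread; it assumes a hypothetical CredentialStore with expiry and revocation flags, a constructed ACL table, and simplified authenticate/authorize functions rather than Kafka's Authorizer interface.

```python
import hmac
from dataclasses import dataclass


@dataclass
class Credential:
    secret: str          # assumption for the example: a real store holds a salted hash
    expires_at: float    # seconds since epoch; the credential is dead at or after this
    revoked: bool = False


class CredentialStore:
    """Stand-in for the 'user DB of some sort' mentioned in the thread (assumed)."""

    def __init__(self):
        self._users = {}

    def add(self, user, secret, expires_at):
        self._users[user] = Credential(secret, expires_at)

    def revoke(self, user):
        self._users[user].revoked = True

    def check_secret(self, user, secret):
        c = self._users.get(user)
        # constant-time comparison so unknown user and wrong secret look alike
        return c is not None and hmac.compare_digest(c.secret, secret)

    def is_valid(self, user, now):
        c = self._users.get(user)
        return c is not None and not c.revoked and now < c.expires_at


@dataclass
class Session:
    principal: str
    authenticated_at: float


def authenticate(store, user, secret, now):
    """SASL/PLAIN-style check done once, when the connection is set up."""
    if store.check_secret(user, secret) and store.is_valid(user, now):
        return Session(principal=user, authenticated_at=now)
    return None


# Constructed ACL table for the example: (principal, operation, resource)
ACLS = {
    ("alice", "Write", "topic:orders"),
    ("bob", "Write", "topic:orders"),
}


def acl_only_authorize(session, operation, resource):
    """Plain ACL authorizer: trusts the principal the authenticator attached
    to the session at connect time and never looks at the credential again."""
    return (session.principal, operation, resource) in ACLS


def revocation_aware_authorize(store, session, operation, resource, now):
    """Authorizer that re-consults the credential store on every request, so a
    principal whose credential was revoked or expired after connect time is
    denied even though the SASL session itself is still open."""
    if not store.is_valid(session.principal, now):
        return False
    return acl_only_authorize(session, operation, resource)


def scenario():
    """Drive long-lived sessions through revocation and through expiry and
    report what each authorizer decides at each step."""
    store = CredentialStore()
    store.add("alice", "s3cret", expires_at=100.0)
    store.add("bob", "hunter2", expires_at=50.0)
    req = ("Write", "topic:orders")
    results = {}

    alice = authenticate(store, "alice", "s3cret", now=0.0)
    results["connect_ok"] = alice is not None
    results["before_acl_only"] = acl_only_authorize(alice, *req)
    results["before_aware"] = revocation_aware_authorize(store, alice, *req, now=10.0)

    store.revoke("alice")  # operator pulls the credential while the session is up
    results["after_revoke_acl_only"] = acl_only_authorize(alice, *req)
    results["after_revoke_aware"] = revocation_aware_authorize(store, alice, *req, now=20.0)
    # A fresh connection with the revoked credential is refused by authentication
    # alone; the gap exists only for the session that already exists.
    results["reconnect_after_revoke"] = authenticate(store, "alice", "s3cret", now=20.0) is not None

    # Expiry: bob's credential lapses at t=50 while his connection stays open.
    bob = authenticate(store, "bob", "hunter2", now=0.0)
    results["bob_expired_acl_only"] = acl_only_authorize(bob, *req)
    results["bob_expired_aware"] = revocation_aware_authorize(store, bob, *req, now=60.0)
    return results


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name:26} {decision}")
```

The ACL-only path keeps allowing the established sessions because the principal was fixed at connect time; the revocation-aware path denies them on the next request after revocation or expiry. Two caveats that match the thread: a denial is an authorization error returned to a client that is still connected, not a disconnect, and a user store like this has no view of TLS certificate expiry or revocation, which is Rajini's objection for SSL client auth.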