Posted to jira@kafka.apache.org by GitBox <gi...@apache.org> on 2023/01/05 19:28:07 UTC

[GitHub] [kafka] vladimirdyuzhev opened a new pull request, #13081: Re-using callbackHandler for refreshing Kerberos TGT when keytab is not used

vladimirdyuzhev opened a new pull request, #13081:
URL: https://github.com/apache/kafka/pull/13081

   When a keytab file is not used, and the necessary configuration data are provided by the SASL callback handler, Kerberos TGT renewal fails because the code does not re-use the configured CallbackHandler in the re-login sequence.
   
   The error is:
   
   ```
   javax.security.auth.login.LoginException: No CallbackHandler available to garner authentication information from the user
   ```
   
   The change preserves the instance of the CallbackHandler that was used to log in to Kerberos and passes it to the LoginContext when the TGT needs to be renewed.
   
   The change is tested in DIT with live Kafka and AD KRB instances in our current project.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscribe@kafka.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
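The failure and the fix described in the PR above, as an added example that is not Kafka's code and not the author's patch: a stand-in JAAS LoginModule that, like the JDK Krb5LoginModule when no keytab is configured, refuses to log in when it receives no CallbackHandler, plus two re-login helpers, one that builds the re-login LoginContext without the handler (the reported failure) and one that reuses the handler from the initial login (the fix). The `KafkaClient` context name, the principal, the password, and the class names here are assumptions for illustration; the module, in-memory Configuration, and handler are constructed for the example, and no KDC is contacted.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ReloginDemo {

    /** Constructed stand-in for Krb5LoginModule in password (no keytab) mode: no handler, no login. */
    public static class PasswordOnlyLoginModule implements LoginModule {
        private CallbackHandler handler;

        @Override
        public void initialize(Subject subject, CallbackHandler callbackHandler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.handler = callbackHandler;   // null when the LoginContext was built without one
        }

        @Override
        public boolean login() throws LoginException {
            if (handler == null) {
                // Same condition that produces the error quoted in the PR description.
                throw new LoginException(
                    "No CallbackHandler available to garner authentication information from the user");
            }
            NameCallback nc = new NameCallback("principal: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] {nc, pc});
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback handler failed: " + e.getMessage());
            }
            pc.clearPassword();   // never keep the secret longer than needed
            if (nc.getName() == null || nc.getName().isEmpty()) {
                throw new FailedLoginException("handler supplied no principal");
            }
            return true;
        }

        @Override public boolean commit() { return true; }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() { return true; }
    }

    /** In-memory JAAS configuration so the example runs without a jaas.conf file (assumed context name). */
    static final Configuration CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(PasswordOnlyLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    new HashMap<String, Object>())
            };
        }
    };

    /** Constructed handler standing in for the client's configured SASL callback handler. */
    static final CallbackHandler HANDLER = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName("svc-kafka@EXAMPLE.COM");   // assumed principal
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword("hunter2".toCharArray()); // assumed password
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    };

    /** Broken re-login: a fresh LoginContext with no handler, which is what the bug report describes. */
    static void reloginWithoutHandler(Subject subject) throws LoginException {
        new LoginContext("KafkaClient", subject, null, CONFIG).login();
    }

    /** Fixed re-login: the handler used for the initial login is carried over. */
    static void reloginWithHandler(Subject subject, CallbackHandler handler) throws LoginException {
        new LoginContext("KafkaClient", subject, handler, CONFIG).login();
    }

    public static void main(String[] args) throws Exception {
        LoginContext initial = new LoginContext("KafkaClient", new Subject(), HANDLER, CONFIG);
        initial.login();
        Subject subject = initial.getSubject();
        try {
            reloginWithoutHandler(subject);
        } catch (LoginException e) {
            System.out.println("re-login without handler failed: " + e.getMessage());
        }
        reloginWithHandler(subject, HANDLER);
        System.out.println("re-login with the preserved handler succeeded");
    }
}
```

Run with `javac ReloginDemo.java && java ReloginDemo`. The point of the example is the third argument of the `LoginContext` constructor: a re-login that is created without it can only succeed when the login module has some other source of credentials (a keytab or a ticket cache), so the object that owns the re-login loop has to keep a reference to the original handler rather than reconstructing the context from the context name and subject alone.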


[GitHub] [kafka] rajinisivaram commented on a diff in pull request #13081: Re-using callbackHandler for refreshing Kerberos TGT when keytab is not used

Posted by GitBox <gi...@apache.org>.
rajinisivaram commented on code in PR #13081:
URL: https://github.com/apache/kafka/pull/13081#discussion_r1063281046


##########
clients/src/main/java/org/apache/kafka/common/security/kerberos/KerberosLogin.java:
##########
@@ -90,6 +91,7 @@ public void configure(Map<String, ?> configs, String contextName, Configuration
         this.minTimeBeforeRelogin = (Long) configs.get(SaslConfigs.SASL_KERBEROS_MIN_TIME_BEFORE_RELOGIN);
         this.kinitCmd = (String) configs.get(SaslConfigs.SASL_KERBEROS_KINIT_CMD);
         this.serviceName = getServiceName(configs, contextName, configuration);
+        this.callbackHandler = callbackHandler;
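Review bot: The added assignment `this.callbackHandler = callbackHandler;` gives KerberosLogin its own copy of a reference that the base class already receives in configure(), so the login and re-login paths now depend on two fields staying in sync; prefer a protected `loginCallbackHandler()` accessor on AbstractLogin, mirroring `contextName()`, and have the re-login code call that when it constructs the LoginContext. The hunk also shows no null guard: if the configured handler is null, the re-login would still fail with the same LoginException quoted in the PR description, so the re-login path should fail fast with a clear message rather than let the Krb5LoginModule report it.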

Review Comment:
   We could add a protected method `loginCallbackHandler()` to AbstractLogin (similar to `contextName()`) instead of storing it here as well.





[GitHub] [kafka] vladimirdyuzhev commented on pull request #13081: Re-using callbackHandler for refreshing Kerberos TGT when keytab is not used

Posted by GitBox <gi...@apache.org>.
vladimirdyuzhev commented on PR #13081:
URL: https://github.com/apache/kafka/pull/13081#issuecomment-1372892329

   Some tests failed, but apparently that has nothing to do with Kerberos:
   
   ```
   testSendNonCompressedMessageWithCreateTime(String) > kafka.api.PlaintextProducerSendTest.testSendNonCompressedMessageWithCreateTime(String)[1] FAILED
   [2023-01-05T21:14:03.931Z]     java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.InvalidReplicationFactorException: Replication factor: 2 larger than available brokers: 1.
   ```




[GitHub] [kafka] vladimirdyuzhev commented on a diff in pull request #13081: Re-using callbackHandler for refreshing Kerberos TGT when keytab is not used

Posted by GitBox <gi...@apache.org>.
vladimirdyuzhev commented on code in PR #13081:
URL: https://github.com/apache/kafka/pull/13081#discussion_r1063475320


##########
clients/src/main/java/org/apache/kafka/common/security/kerberos/KerberosLogin.java:
##########
@@ -90,6 +91,7 @@ public void configure(Map<String, ?> configs, String contextName, Configuration
         this.minTimeBeforeRelogin = (Long) configs.get(SaslConfigs.SASL_KERBEROS_MIN_TIME_BEFORE_RELOGIN);
         this.kinitCmd = (String) configs.get(SaslConfigs.SASL_KERBEROS_KINIT_CMD);
         this.serviceName = getServiceName(configs, contextName, configuration);
+        this.callbackHandler = callbackHandler;

Review Comment:
   We can extract `loginCallbackHandler()` into AbstractLogin, true. I was trying to limit the change to the Kerberos code because I don't have a way to verify the impact across all other login methods.
   
   I will create a JIRA, no problem.
   
   I'm not immediately sure how to create a test for it within the Kafka code base - I don't see the live Kerberos tests in the tests/ tree. Will look into that.





[GitHub] [kafka] vladimirdyuzhev commented on pull request #13081: Re-using callbackHandler for refreshing Kerberos TGT when keytab is not used

Posted by "vladimirdyuzhev (via GitHub)" <gi...@apache.org>.
vladimirdyuzhev commented on PR #13081:
URL: https://github.com/apache/kafka/pull/13081#issuecomment-1419634909

   Created JIRA [KAFKA-14681](https://issues.apache.org/jira/browse/KAFKA-14681)




[GitHub] [kafka] github-actions[bot] commented on pull request #13081: Re-using callbackHandler for refreshing Kerberos TGT when keytab is not used

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on PR #13081:
URL: https://github.com/apache/kafka/pull/13081#issuecomment-1601966210

   This PR is being marked as stale since it has not had any activity in 90 days. If you would like to keep this PR alive, please ask a committer for review. If the PR has merge conflicts, please update it with the latest from trunk (or the appropriate release branch). If this PR is no longer valid or desired, please feel free to close it. If no activity occurs in the next 30 days, it will be automatically closed.




[GitHub] [kafka] rajinisivaram commented on pull request #13081: Re-using callbackHandler for refreshing Kerberos TGT when keytab is not used

Posted by GitBox <gi...@apache.org>.
rajinisivaram commented on PR #13081:
URL: https://github.com/apache/kafka/pull/13081#issuecomment-1373402351

   @vladimirdyuzhev Thanks for the PR. Since this is a security-related change, can we create a JIRA with the details from the PR description and include the ticket in the PR title? Can we also add a test to the PR?




[GitHub] [kafka] vladimirdyuzhev commented on a diff in pull request #13081: Re-using callbackHandler for refreshing Kerberos TGT when keytab is not used

Posted by "vladimirdyuzhev (via GitHub)" <gi...@apache.org>.
vladimirdyuzhev commented on code in PR #13081:
URL: https://github.com/apache/kafka/pull/13081#discussion_r1091084183


##########
clients/src/main/java/org/apache/kafka/common/security/kerberos/KerberosLogin.java:
##########
@@ -90,6 +91,7 @@ public void configure(Map<String, ?> configs, String contextName, Configuration
         this.minTimeBeforeRelogin = (Long) configs.get(SaslConfigs.SASL_KERBEROS_MIN_TIME_BEFORE_RELOGIN);
         this.kinitCmd = (String) configs.get(SaslConfigs.SASL_KERBEROS_KINIT_CMD);
         this.serviceName = getServiceName(configs, contextName, configuration);
+        this.callbackHandler = callbackHandler;

Review Comment:
   I have moved the loginHandler to AbstractLogin and added a test.
   
   I've sent an email to private@kafka.apache.org to create a JIRA account for me to open a security issue.


