Posted to jira@kafka.apache.org by "Viktor Somogyi-Vass (Jira)" <ji...@apache.org> on 2022/05/09 13:04:00 UTC

[jira] [Commented] (KAFKA-13848) Clients remain connected after SASL re-authentication fails

    [ https://issues.apache.org/jira/browse/KAFKA-13848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17533793#comment-17533793 ] 

Viktor Somogyi-Vass commented on KAFKA-13848:
---------------------------------------------

[~acsaki] please write an email to the dev@kafka.apache.org email list so they can add you as a contributor. After this you'll be able to assign the jira to yourself. You can raise a PR regardless though.
(more on contribution: https://kafka.apache.org/contributing)

> Clients remain connected after SASL re-authentication fails
> -----------------------------------------------------------
>
>                 Key: KAFKA-13848
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13848
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 3.1.0
>         Environment: https://github.com/acsaki/kafka-sasl-reauth
>            Reporter: Andras Csaki
>            Assignee: Andras Csaki
>            Priority: Minor
>              Labels: Authentication, OAuth2, SASL
>
> Clients remain connected and able to produce or consume despite an expired OAUTHBEARER token.
> The problem can be reproduced using the https://github.com/acsaki/kafka-sasl-reauth project by starting the embedded OAuth2 server and Kafka, then running the long-running consumer in OAuthBearerTest and then killing the OAuth2 server, thus making the client unable to re-authenticate.
> Root cause seems to be SaslServerAuthenticator#calcCompletionTimesAndReturnSessionLifetimeMs failing to set ReauthInfo#sessionExpirationTimeNanos when tokens have already expired (when the session lifetime goes negative), in turn causing KafkaChannel#serverAuthenticationSessionExpired to return false and finally SocketServer not closing the channel.
> The issue is observed with OAUTHBEARER but seems to have a wider impact on SASL re-authentication.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
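An added illustration of the failure mode the issue describes, written as a small standalone Java model; it is not Kafka's code, and the method names and clock values are constructed for this example. It contrasts a session-expiry computation that records no expiration when the credential lifetime is negative (so the channel is never treated as expired and stays open) with one that clamps the lifetime to zero so the server closes the channel on the next check.

```java
import java.util.OptionalLong;
import java.util.concurrent.TimeUnit;

/** Hypothetical model of server-side re-authentication session bookkeeping (not Kafka's code). */
public final class ReauthExpiryExample {

    /** Buggy variant: an expiration time is recorded only for a strictly positive lifetime. */
    static OptionalLong buggySessionExpirationNanos(long nowMs, long credentialExpiryMs) {
        long lifetimeMs = credentialExpiryMs - nowMs;
        // Defect modelled here: a credential that is already expired gives a negative
        // lifetime, no expiration is stored, and the session looks like it never expires.
        if (lifetimeMs > 0) {
            return OptionalLong.of(TimeUnit.MILLISECONDS.toNanos(nowMs + lifetimeMs));
        }
        return OptionalLong.empty();
    }

    /** Fixed variant: an already-expired credential yields an expiration of "now". */
    static OptionalLong fixedSessionExpirationNanos(long nowMs, long credentialExpiryMs) {
        long lifetimeMs = Math.max(0L, credentialExpiryMs - nowMs);
        return OptionalLong.of(TimeUnit.MILLISECONDS.toNanos(nowMs + lifetimeMs));
    }

    /** The check a socket server would run to decide whether the channel must be closed. */
    static boolean sessionExpired(OptionalLong expirationNanos, long nowMs) {
        return expirationNanos.isPresent()
            && TimeUnit.MILLISECONDS.toNanos(nowMs) >= expirationNanos.getAsLong();
    }

    public static void main(String[] args) {
        long now = 1_000_000L;            // constructed clock value in ms
        long expiredToken = now - 5_000L; // constructed: token expired 5 s ago
        long validToken = now + 60_000L;  // constructed: token valid for another minute

        boolean buggyClosesExpired = sessionExpired(buggySessionExpirationNanos(now, expiredToken), now);
        boolean fixedClosesExpired = sessionExpired(fixedSessionExpirationNanos(now, expiredToken), now);
        boolean fixedClosesValid = sessionExpired(fixedSessionExpirationNanos(now, validToken), now);

        System.out.println("buggy path closes channel for expired token: " + buggyClosesExpired);
        System.out.println("fixed path closes channel for expired token: " + fixedClosesExpired);
        System.out.println("fixed path closes channel for valid token:   " + fixedClosesValid);

        // Encode the expected behaviour as checks rather than trusting the printout.
        if (buggyClosesExpired) throw new AssertionError("buggy variant unexpectedly closed the channel");
        if (!fixedClosesExpired) throw new AssertionError("fixed variant left an expired session open");
        if (fixedClosesValid) throw new AssertionError("fixed variant closed a still-valid session");
    }
}
```

The defensive point is that a re-authentication path must treat a negative remaining lifetime as "expired now", never as "no expiry", since an absent expiration is indistinguishable from a session that should live forever.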