Posted to dev@kafka.apache.org by "Rajini Sivaram (Jira)" <ji...@apache.org> on 2019/12/09 18:59:00 UTC

[jira] [Resolved] (KAFKA-9241) SASL Clients are not forced to re-authenticate if they don't leverage SaslAuthenticateRequest

     [ https://issues.apache.org/jira/browse/KAFKA-9241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rajini Sivaram resolved KAFKA-9241.
-----------------------------------
    Fix Version/s: 2.5.0
         Reviewer: Rajini Sivaram
       Resolution: Fixed

> SASL Clients are not forced to re-authenticate if they don't leverage SaslAuthenticateRequest
> ---------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-9241
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9241
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 2.2.0, 2.3.0, 2.2.1
>            Reporter: Ron Dagostino
>            Assignee: Ron Dagostino
>            Priority: Major
>              Labels: security, security-issue
>             Fix For: 2.5.0
>
>
> Brokers are supposed to force SASL clients to re-authenticate (and kill such connections in the absence of a timely and successful re-authentication) when SASL Re-Authentication [(KIP-368)|https://cwiki.apache.org/confluence/display/KAFKA/KIP-368%3A+Allow+SASL+Connections+to+Periodically+Re-Authenticate] is enabled via a positive `connections.max.reauth.ms` configuration value. There is a flaw in the logic that causes connections to not be killed in the absence of a timely and successful re-authentication _if the client does not leverage the SaslAuthenticateRequest API_ (which was defined in [KIP-152|https://cwiki.apache.org/confluence/display/KAFKA/KIP-152+-+Improve+diagnostics+for+SASL+authentication+failures]).
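An added illustrative model of the broker-side enforcement the issue describes; this is not Kafka's code. It assumes the flaw amounts to the re-authentication deadline only being armed on the SaslAuthenticateRequest path, and models the fix as arming it for every authenticated connection whenever `connections.max.reauth.ms` is positive (the `Connection` class, `complete_authentication`, `sweep_expired` and the 60 s setting are constructed for the example).

```python
from dataclasses import dataclass
from typing import Optional

# Assumed broker setting; a positive value enables forced re-authentication.
CONNECTIONS_MAX_REAUTH_MS = 60_000


@dataclass
class Connection:
    client_id: str
    # True if the client authenticates via SaslAuthenticateRequest (KIP-152),
    # False for a legacy client that sends raw SASL tokens.
    uses_sasl_authenticate_request: bool
    session_expiry_ms: Optional[int] = None  # None: no deadline armed
    closed: bool = False


def complete_authentication(conn, now_ms, max_reauth_ms, buggy):
    """Broker-side bookkeeping when a SASL exchange (or re-authentication) succeeds.
    buggy=True models the flaw: the deadline is only armed on the
    SaslAuthenticateRequest path, so legacy clients never get one.
    buggy=False models the fix: any authenticated connection gets a deadline
    whenever connections.max.reauth.ms is positive."""
    if max_reauth_ms <= 0 or (buggy and not conn.uses_sasl_authenticate_request):
        conn.session_expiry_ms = None
    else:
        conn.session_expiry_ms = now_ms + max_reauth_ms


def sweep_expired(connections, now_ms):
    """Broker poll-loop check: close every connection whose re-authentication
    deadline has passed. Returns the closed client ids in input order."""
    closed = []
    for c in connections:
        if not c.closed and c.session_expiry_ms is not None and now_ms > c.session_expiry_ms:
            c.closed = True
            closed.append(c.client_id)
    return closed


def simulate(buggy, legacy_reauths=False):
    """Two clients authenticate at t=0; optionally the legacy one re-authenticates
    just before the deadline; the broker then sweeps just after the deadline."""
    modern = Connection("modern", uses_sasl_authenticate_request=True)
    legacy = Connection("legacy", uses_sasl_authenticate_request=False)
    for c in (modern, legacy):
        complete_authentication(c, 0, CONNECTIONS_MAX_REAUTH_MS, buggy)
    if legacy_reauths:
        complete_authentication(legacy, CONNECTIONS_MAX_REAUTH_MS - 1, CONNECTIONS_MAX_REAUTH_MS, buggy)
    return sweep_expired([modern, legacy], CONNECTIONS_MAX_REAUTH_MS + 1)
```

With the flaw modelled, only the SaslAuthenticateRequest client is closed after the deadline; with the fix, a legacy client that never re-authenticates is closed too, while one that re-authenticates in time stays open.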



--
This message was sent by Atlassian Jira
(v8.3.4#803005)