Posted to jira@kafka.apache.org by "Andras Csaki (Jira)" <ji...@apache.org> on 2022/06/10 14:27:00 UTC

[jira] [Resolved] (KAFKA-13848) Clients remain connected after SASL re-authentication fails

     [ https://issues.apache.org/jira/browse/KAFKA-13848?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andras Csaki resolved KAFKA-13848.
----------------------------------
      Reviewer: Luke Chen
    Resolution: Fixed

Thank you [~showuon] , [~tombentley] and Sam Barker for the review! I'm leaving "fix version" empty for now.

> Clients remain connected after SASL re-authentication fails
> -----------------------------------------------------------
>
>                 Key: KAFKA-13848
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13848
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 3.1.0
>         Environment: https://github.com/acsaki/kafka-sasl-reauth
>            Reporter: Andras Csaki
>            Assignee: Andras Csaki
>            Priority: Minor
>              Labels: Authentication, OAuth2, SASL
>
> Clients remain connected and able to produce or consume despite an expired OAUTHBEARER token.
> The problem can be reproduced using the https://github.com/acsaki/kafka-sasl-reauth project by starting the embedded OAuth2 server and Kafka, then running the long-running consumer in OAuthBearerTest and then killing the OAuth2 server, thus making the client unable to re-authenticate.
> Root cause seems to be SaslServerAuthenticator#calcCompletionTimesAndReturnSessionLifetimeMs failing to set ReauthInfo#sessionExpirationTimeNanos when tokens have already expired (when the session lifetime goes negative), in turn causing KafkaChannel#serverAuthenticationSessionExpired to return false and finally SocketServer not closing the channel.
> The issue is observed with OAUTHBEARER but seems to have a wider impact on SASL re-authentication.
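
The failure mode the description traces (a negative session lifetime leaving the expiry unset, so the channel is never judged expired) beside a variant that records an immediate expiry, as an added illustration that is not Kafka's code: the class, method names and nanosecond inputs are hypothetical and only model the logic the report describes, with a per-connection maximum re-authentication interval standing in for connections.max.reauth.ms.

```java
import java.util.OptionalLong;

/** Hypothetical model of the re-authentication bookkeeping described in KAFKA-13848; not Kafka's code. */
public final class ReauthExpiryDemo {

    /** Buggy variant: a non-positive lifetime leaves the expiry unset, so the server never closes the channel. */
    static OptionalLong buggyExpiry(long nowNanos, long credentialExpiryNanos, long maxReauthNanos) {
        long lifetimeNanos = Math.min(credentialExpiryNanos - nowNanos, maxReauthNanos);
        if (lifetimeNanos > 0) {
            return OptionalLong.of(nowNanos + lifetimeNanos);
        }
        return OptionalLong.empty(); // already-expired token: no expiry recorded at all
    }

    /** Fixed variant: an already-expired token yields an expiry of "now", so the session is treated as expired. */
    static OptionalLong fixedExpiry(long nowNanos, long credentialExpiryNanos, long maxReauthNanos) {
        long lifetimeNanos = Math.min(credentialExpiryNanos - nowNanos, maxReauthNanos);
        return OptionalLong.of(nowNanos + Math.max(0L, lifetimeNanos));
    }

    /** Mirrors the server-side check: unset expiry means "not expired", which is the defect's visible effect. */
    static boolean sessionExpired(OptionalLong expiryNanos, long nowNanos) {
        return expiryNanos.isPresent() && nowNanos >= expiryNanos.getAsLong();
    }

    public static void main(String[] args) {
        long now = 1_000_000_000L;                      // constructed clock value
        long expiredToken = now - 5_000_000_000L;       // constructed: token lapsed 5 s before "now"
        long maxReauth = 60_000_000_000L;               // constructed: 60 s maximum re-auth interval

        System.out.println("buggy variant reports expired: "
                + sessionExpired(buggyExpiry(now, expiredToken, maxReauth), now));
        System.out.println("fixed variant reports expired: "
                + sessionExpired(fixedExpiry(now, expiredToken, maxReauth), now));
    }
}
```

With an expired token the buggy variant reports the session as not expired, which is exactly the condition under which the ticket says SocketServer leaves the channel open.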



--
This message was sent by Atlassian Jira
(v8.20.7#820007)