Versions Compared


...

Client connections will use the property sasl.mechanism to specify the mechanism to be used for SASL authentication. Kafka servers may also specify the configuration option sasl.enabled.mechanisms to provide the list of enabled mechanisms when multiple mechanisms are enabled in the server. In order to plug in any SASL mechanism, including custom mechanisms, the mechanism will be specified as a String rather than an enum with a restricted set of values. GSSAPI will be used as the default mechanism for interoperability of new clients with 0.9.0.0 brokers. If sasl.enabled.mechanisms is not specified, only GSSAPI will be enabled in the server. If a list of values is specified, GSSAPI will be enabled only if included in the list, allowing servers to be run with SASL without complex Kerberos setup if required.

Clients may enable only one mechanism, and the mechanism name is sent to the server before any SASL authentication packets are sent if the mechanism is not GSSAPI. The server fails the authentication if the client mechanism is not enabled in the broker. For inter-broker communication, the sasl.mechanism configuration on the broker is used by the client-mode connection to choose the SASL mechanism.

Support for multiple mechanisms in a broker

...

Client flow:

  1. If sasl.mechanism is not GSSAPI, send a packet with the mechanism name to the server. Otherwise go to Step 3.
    • Packet Format: | Version (Int16) | Mechanism (String) |
  2. Wait for response from the server. If the error code in the response is non-zero, indicating failure, report the error and fail authentication.
  3. Perform SASL authentication with the configured client mechanism
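The client-flow packet and the broker check it triggers, as an added Python example that is not part of the KIP; it assumes the Kafka protocol String encoding (Int16 length prefix plus UTF-8 bytes), packet version 0, and a placeholder non-zero error code of 1 for a mechanism that is not enabled.

```python
import struct
# Added example (not from the KIP): the mechanism packet from the client flow
# and the broker-side check against sasl.enabled.mechanisms.
# Assumptions: Kafka protocol String = Int16 length prefix + UTF-8 bytes,
# network byte order, packet version 0, and a placeholder non-zero error
# code 1 for an unsupported mechanism (the KIP does not fix the number).
MECHANISM_PACKET_VERSION = 0
ERROR_NONE = 0
ERROR_UNSUPPORTED_SASL_MECHANISM = 1  # placeholder value


def encode_mechanism_packet(mechanism: str) -> bytes:
    """| Version (Int16) | Mechanism (String) |"""
    name = mechanism.encode("utf-8")
    return struct.pack(">hh", MECHANISM_PACKET_VERSION, len(name)) + name


def decode_mechanism_packet(data: bytes) -> tuple[int, str]:
    """Parse a packet, rejecting truncated or over-long input."""
    if len(data) < 4:
        raise ValueError("packet too short")
    version, length = struct.unpack(">hh", data[:4])
    if length < 0 or len(data) != 4 + length:
        raise ValueError("mechanism length does not match packet size")
    return version, data[4:].decode("utf-8")


def enabled_mechanisms(broker_config: dict) -> list[str]:
    """sasl.enabled.mechanisms unset means only GSSAPI is enabled."""
    value = broker_config.get("sasl.enabled.mechanisms")
    if not value:
        return ["GSSAPI"]
    return [m.strip() for m in value.split(",") if m.strip()]


def client_needs_mechanism_packet(client_config: dict) -> bool:
    """Step 1: a GSSAPI client skips the packet (0.9.0.0 interoperability)."""
    return client_config.get("sasl.mechanism", "GSSAPI") != "GSSAPI"


def broker_handle_mechanism_packet(broker_config: dict, data: bytes) -> int:
    """Error code returned to the client: 0 if the mechanism is enabled."""
    try:
        _version, mechanism = decode_mechanism_packet(data)
    except (ValueError, UnicodeDecodeError):
        return ERROR_UNSUPPORTED_SASL_MECHANISM
    if mechanism not in enabled_mechanisms(broker_config):
        return ERROR_UNSUPPORTED_SASL_MECHANISM
    return ERROR_NONE
```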

Server flow:

...

SASL/PLAIN is a simple username/password authentication mechanism that is typically used with TLS for encryption to implement secure authentication. Unlike Kerberos, PLAIN does not require complex authentication infrastructure. Adding a default implementation for PLAIN in Kafka enables a simpler authentication mechanism for organizations which do not already use Kerberos. The SASL/PLAIN protocol and its uses are described in https://tools.ietf.org/html/rfc4616.
The PR in KAFKA-2658 will be rebased on the extensible interface from this KIP for this implementation. For the default SASL/PLAIN implementation included in Kafka, the username specified as the authentication ID will be used as the authorization ID and principal.

Testing

  • Due to the complexity of setting up Kerberos, limited unit testing has been implemented for SASL in the clients project. Along with the implementation for SASL/PLAIN, comprehensive unit tests will be added for the existing SASL implementation as well as the new interfaces.

  • End-to-end tests will be added in the core project along with the existing SASL/Kerberos tests for SASL/PLAIN and multi-mechanism configuration.

  • System tests will be added for SASL/PLAIN and for multi-mechanism support.

...