The Kafka Java client implementation skips the mechanism handshake request flow for GSSAPI for inter-broker connections if inter.broker.protocol.version is 0.9.0.x, enabling rolling upgrade of 0.9.0.x clusters which use SASL for replication. Handshake requests are sent by other clients even for GSSAPI from 0.10.0.0 onwards.

Client flow:

  1. If sasl.mechanism is not GSSAPI, send a handshake request packet with the mechanism name to the server. Otherwise go to Step 3.
    • Packet Format: | KafkaRequestHeader | Mechanism (String) |
  2. Wait for response from the server. If the error code in the response is non-zero, indicating failure, report the error and fail authentication.
  3. Perform SASL authentication with the configured client mechanism

Server flow:

  1. Wait for first authentication packet from client
  2. If this packet is not a valid mechanism handshake request, go to Step 4 and process this packet as the first GSSAPI client token
  3. If the client mechanism received in Step 2 is enabled in the broker, send a response with error code zero and start authentication using the specified mechanism. Otherwise, send an error response including the list of enabled mechanisms and fail authentication.
    • Packet Format: | KafkaResponseHeader | ErrorCode (Int16) | EnabledMechanisms (ArrayOf(String)) |
  4. Perform SASL authentication with the selected mechanism. If mechanism exchange was skipped, process the initial packet that was received from the client first.
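The two flows above, as an added Python sketch that is not code from the Kafka project: it encodes the client handshake request and implements server steps 2 and 3, including the fallback to GSSAPI when the first packet is not a valid handshake. The function names are hypothetical; API key 17 and error code 33 are the Kafka protocol values for SaslHandshake and UNSUPPORTED_SASL_MECHANISM, which this page does not list. Two assumptions: the 4-byte size prefix is already stripped, and the fallback is refused when GSSAPI is not enabled.

```python
import struct

SASL_HANDSHAKE_KEY = 17          # Kafka protocol ApiKey for SaslHandshake
UNSUPPORTED_SASL_MECHANISM = 33  # Kafka protocol error code
GSSAPI = "GSSAPI"

def enc_string(s):
    b = s.encode("utf-8")
    return struct.pack(">h", len(b)) + b  # String = Int16 length + UTF-8 bytes

def read_string(buf, pos):
    (n,) = struct.unpack_from(">h", buf, pos)
    pos += 2
    if n == -1:                            # nullable string (client id may be null)
        return None, pos
    if n < 0 or pos + n > len(buf):
        raise ValueError("bad string length")
    return buf[pos:pos + n].decode("utf-8"), pos + n

def handshake_request(mechanism, correlation_id=1, client_id="demo"):
    """Client step 1: | KafkaRequestHeader | Mechanism (String) |"""
    header = struct.pack(">hhi", SASL_HANDSHAKE_KEY, 0, correlation_id)
    return header + enc_string(client_id) + enc_string(mechanism)

def server_first_packet(packet, enabled):
    """Server steps 2-3: returns (selected_mechanism, response, pending_token)."""
    try:
        api_key, _version, corr = struct.unpack_from(">hhi", packet, 0)
        if api_key != SASL_HANDSHAKE_KEY:
            raise ValueError("not a handshake request")
        _client_id, pos = read_string(packet, 8)
        mechanism, pos = read_string(packet, pos)
        if pos != len(packet):
            raise ValueError("trailing bytes")
    except (struct.error, ValueError):
        # Step 2: not a valid handshake, so this is the first GSSAPI token.
        # Assumption of this example: refuse the fallback if GSSAPI is disabled.
        if GSSAPI not in enabled:
            raise PermissionError("handshake required: GSSAPI is not enabled")
        return GSSAPI, None, packet
    ok = mechanism in enabled
    error = 0 if ok else UNSUPPORTED_SASL_MECHANISM
    # | KafkaResponseHeader | ErrorCode (Int16) | EnabledMechanisms (ArrayOf(String)) |
    response = struct.pack(">ihi", corr, error, len(enabled))
    response += b"".join(enc_string(m) for m in enabled)
    return (mechanism if ok else None), response, None
```

A caller fails the connection when the selected mechanism is `None`, and feeds `pending_token` to the GSSAPI server as its first token when the handshake was skipped.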

...

Existing clients will continue to use GSSAPI as the SASL mechanism and will not be impacted by the changes. Since default callback handlers can be used for SASL mechanisms that are implemented in Kafka, no configuration changes are required.

Rolling upgrade from 0.9.0.x

Rolling upgrade with GSSAPI as the SASL mechanism can be performed using a standard rolling restart with inter.broker.protocol.version set to 0.9.0.x in the first sequence of the upgrade. By default, if the sasl.mechanism property is not specified, GSSAPI will be used without any exchange of mechanisms. Handshake requests are not sent for GSSAPI when inter.broker.protocol.version is 0.9.0.x. Once the cluster is upgraded, inter.broker.protocol.version can be set to 0.10.0, enabling handshake requests for all SASL connections. If the mechanism is to be changed, this rolling restart can be followed by the addition of the new mechanism as described below.

...