Status

Current state: Discuss

Discussion thread: here 

JIRA: KAFKA-4180, KAFKA-3302

Motivation

Currently the Kafka Java client does not support different login contexts within the same JVM.
IBM MessageHub has encountered many users asking for this functionality, e.g. having multiple consumers and producers in a single JVM that consume from or produce to different Kafka clusters, each requiring specific credentials.

Public Interfaces

For SASL PLAIN:


A new LoginModule class will be added to be referenced by fully qualified name in jaas.conf, e.g.

...

    credentialProvider="org.apache.kafka.common.security.plain.DefaultCredentialProvider";
};


For GSSAPI:

TBD

Proposed Changes

MultiUserPlainLoginModule, on initialize(Subject..), adds a specific Principal to the subject; this Principal holds a handle to an instance of CredentialProvider.

SaslClientCallbackHandler saves the consumer/producer configs passed to configure(...).

SaslClientCallbackHandler, on handle(Callback[]), checks whether the subject contains the multi-user principal and, if so, delegates the retrieval of username and password to the CredentialProvider; otherwise it keeps the current behavior.

LoginManager should no longer be a singleton.
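
A sketch of the delegation flow described above, as an added example that is not code from this proposal or from Kafka. The CredentialProvider method signatures, the MultiUserPrincipal class and the example.username / example.password config keys are assumptions made for illustration; only javax.security.auth types are real APIs.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;

public class MultiUserSketch {
    // Assumed interface shape: the page names CredentialProvider but not its methods.
    interface CredentialProvider {
        String username(Map<String, ?> clientConfigs);
        char[] password(Map<String, ?> clientConfigs);
    }

    // Hypothetical marker principal that the login module would add in initialize(Subject..).
    static final class MultiUserPrincipal implements Principal {
        final CredentialProvider provider;
        MultiUserPrincipal(CredentialProvider provider) { this.provider = provider; }
        @Override public String getName() { return "multi-user"; }
    }

    // Mirrors the proposed handle(Callback[]): delegate only if the marker principal is present.
    static void handle(Subject subject, Map<String, ?> configs, Callback[] callbacks) {
        CredentialProvider provider = subject.getPrincipals(MultiUserPrincipal.class).stream()
                .findFirst().map(p -> p.provider).orElse(null);
        if (provider == null) return; // the current (single-context) behaviour would run here
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName(provider.username(configs));
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(provider.password(configs));
        }
    }

    public static void main(String[] args) {
        // Constructed provider: resolves credentials from the per-client configs saved by configure(...).
        CredentialProvider fromConfig = new CredentialProvider() {
            public String username(Map<String, ?> c) { return (String) c.get("example.username"); }
            public char[] password(Map<String, ?> c) { return ((String) c.get("example.password")).toCharArray(); }
        };
        Subject subject = new Subject();
        subject.getPrincipals().add(new MultiUserPrincipal(fromConfig));
        // Two clients in one JVM share the login context but authenticate as different users.
        for (String user : new String[] {"clusterA-user", "clusterB-user"}) {
            NameCallback name = new NameCallback("user: ");
            PasswordCallback pass = new PasswordCallback("password: ", false);
            handle(subject, Map.of("example.username", user, "example.password", "constructed-secret"),
                   new Callback[] {name, pass});
            System.out.println(name.getName() + " -> password set: " + (pass.getPassword() != null));
        }
    }
}
```

Because the credentials are resolved per client from its own configs, a shared Subject no longer forces every producer and consumer in the JVM onto one identity.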

Compatibility, Deprecation, and Migration Plan

  • The old PlainLoginModule and its expected jaas.conf format can remain unchanged for backward compatibility for users that don't require the new functionality

...