THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
The final issue to describe is how/when a KafkaChannel instance (each of which corresponds to a unique network connection) is told to re-authenticate.
We define the class org.apache.kafka.common.security.expiring.internals.ClientChannelCredentialTracker to keep track of the various KafkaChannel instances and the ExpiringCredential instances that they authenticated with. When the feature is enabled we add an instance of this class to the private credentials of the Subject associated with the SASL mechanism using this code in SaslChannelBuilder:
| Code Block | ||||
|---|---|---|---|---|
| ||||
LoginManager loginManager = LoginManager.acquireLoginManager(entry.getValue(), mechanism, defaultLoginClass, configs);
loginManagers.put(mechanism, loginManager);
Subject subject = loginManager.subject();
if (mode == Mode.CLIENT) {
if (saslLoginRefreshReauthenticateEnable()) {
log.info("SASL Login Refresh Re-Authenticate ENABLED");
if (subject.getPrivateCredentials(ClientChannelCredentialTracker.class).isEmpty())
subject.getPrivateCredentials().add(new ClientChannelCredentialTracker());
} else
log.info("SASL Login Refresh Re-Authenticate DISABLED");
} |
. It is then up to the KafkaChannel
Compatibility, Deprecation, and Migration Plan
...