...
The final issue to describe is how and when a KafkaChannel instance (each of which corresponds to a unique network connection) is told to re-authenticate. We define the class org.apache.kafka.common.security.expiring.internals.ClientChannelCredentialTracker to keep track of the various KafkaChannel instances and the ExpiringCredential instances that they authenticated with. When the feature is enabled we add an instance of this class to the private credentials of the Subject associated with the SASL mechanism, using this code in SaslChannelBuilder:
```java
LoginManager loginManager = LoginManager.acquireLoginManager(entry.getValue(), mechanism, defaultLoginClass, configs);
loginManagers.put(mechanism, loginManager);
Subject subject = loginManager.subject();
if (mode == Mode.CLIENT) {
    if (saslLoginRefreshReauthenticateEnable()) {
        log.info("SASL Login Refresh Re-Authenticate ENABLED");
        // One tracker per Subject: only add it if none has been installed yet
        if (subject.getPrivateCredentials(ClientChannelCredentialTracker.class).isEmpty())
            subject.getPrivateCredentials().add(new ClientChannelCredentialTracker());
    } else
        log.info("SASL Login Refresh Re-Authenticate DISABLED");
}
```

It is then up to the KafkaChannel
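To make the tracker's role concrete, the following is an added illustration and not Kafka's own ClientChannelCredentialTracker: it keeps the idempotent "one tracker per Subject" installation shown above (using the real javax.security.auth.Subject private-credentials API), and adds a hypothetical mapping from each channel to the expiring credential it authenticated with, so that channels whose credential has passed its expiry time can be listed as candidates for re-authentication. The Channel and ExpiringCredential types, the trackerFor() helper and the channelsToReauthenticate() method are assumptions made for this example, and the connection ids and expiry times are constructed sample values.

```java
import javax.security.auth.Subject;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical illustration (not Kafka's code) of the pattern described in the KIP:
// one tracker per Subject, stored in the Subject's private credentials, mapping
// each channel to the expiring credential it authenticated with.
public class ChannelCredentialTrackerExample {

    /** Stand-in for Kafka's ExpiringCredential; only the expiry time matters here. */
    interface ExpiringCredential {
        String principalName();
        long expireTimeMs();
    }

    /** Stand-in for a KafkaChannel, identified by its connection id (assumed type). */
    static final class Channel {
        final String id;
        Channel(String id) { this.id = id; }
        @Override public String toString() { return "channel(" + id + ")"; }
    }

    /** Hypothetical tracker: remembers which credential each channel authenticated with. */
    static final class ClientChannelCredentialTracker {
        private final Map<Channel, ExpiringCredential> byChannel = new HashMap<>();

        synchronized void recordAuthenticated(Channel c, ExpiringCredential cred) {
            byChannel.put(c, cred);
        }

        synchronized void forget(Channel c) {
            byChannel.remove(c);
        }

        /** Channels whose credential has expired by nowMs and therefore need re-authentication. */
        synchronized List<Channel> channelsToReauthenticate(long nowMs) {
            List<Channel> out = new ArrayList<>();
            for (Map.Entry<Channel, ExpiringCredential> e : byChannel.entrySet())
                if (e.getValue().expireTimeMs() <= nowMs) out.add(e.getKey());
            return out;
        }
    }

    /** Idempotent install: at most one tracker per Subject, mirroring the SaslChannelBuilder snippet. */
    static ClientChannelCredentialTracker trackerFor(Subject subject) {
        Set<ClientChannelCredentialTracker> existing =
            subject.getPrivateCredentials(ClientChannelCredentialTracker.class);
        if (!existing.isEmpty()) return existing.iterator().next();
        ClientChannelCredentialTracker tracker = new ClientChannelCredentialTracker();
        subject.getPrivateCredentials().add(tracker);
        return tracker;
    }

    /** Builds a constructed credential with a fixed expiry time. */
    static ExpiringCredential credential(final String name, final long expireMs) {
        return new ExpiringCredential() {
            @Override public String principalName() { return name; }
            @Override public long expireTimeMs() { return expireMs; }
        };
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        ClientChannelCredentialTracker t1 = trackerFor(subject);
        ClientChannelCredentialTracker t2 = trackerFor(subject);
        System.out.println("same tracker instance on second install: " + (t1 == t2)); // true

        long now = 1_000_000L;                                 // constructed clock value
        Channel a = new Channel("127.0.0.1:9092-1");           // constructed connection ids
        Channel b = new Channel("127.0.0.1:9092-2");
        t1.recordAuthenticated(a, credential("client-app", now + 60_000));   // expires in 1 minute
        t1.recordAuthenticated(b, credential("client-app", now + 600_000));  // expires in 10 minutes

        // Two minutes later only channel a has an expired credential.
        System.out.println("needs re-authentication: " + t1.channelsToReauthenticate(now + 120_000));

        t1.forget(a); // a closed channel must be dropped so it is never re-authenticated
        System.out.println("after forgetting a: " + t1.channelsToReauthenticate(now + 120_000));
    }
}
```

The lookup via subject.getPrivateCredentials(Class) followed by a conditional add is the same check the SaslChannelBuilder snippet performs; keeping the tracker on the Subject (rather than on a channel) is what lets every connection sharing that login see the same credential bookkeeping.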
Compatibility, Deprecation, and Migration Plan
...