...
The PR does not yet have unit or integration tests – I will add these if/when the general implementation approach is verified by the community as being appropriate. I have stepped through the code in the debugger, and I can see from this exercise and from the emitted log messages that the implementation does in fact work. For example, connections are re-authenticated a bit more frequently than once a minute with this JAAS configuration:
```
KafkaClient {
    org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
    unsecuredLoginLifetimeSeconds="60"
    unsecuredLoginStringClaim_sub="admin";
};
```
The final issue to describe is how/when a KafkaChannel instance (each of which corresponds to a unique network connection) is told to re-authenticate. We define the class org.apache.kafka.common.security.expiring.internals.ClientChannelCredentialTracker to keep track of the various KafkaChannel instances and the ExpiringCredential instances that they authenticated with. The following code in SaslChannelBuilder adds an instance of ClientChannelCredentialTracker to the private credentials of the Subject associated with the SASL mechanism when the feature is enabled:
...
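To illustrate the tracking mechanism described above, here is an added, stand-alone Java example that is not code from the KIP or from Kafka: a hypothetical CredentialTracker stands in for ClientChannelCredentialTracker, is stored in the Subject's private credentials the way the text says SaslChannelBuilder does, and reports which connections must re-authenticate before their credential expires. Channel ids, the expiry values and the re-authentication window are constructed sample data.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import javax.security.auth.Subject;

// Hypothetical stand-in for ClientChannelCredentialTracker: maps a channel id to the
// expiry time (ms since epoch) of the ExpiringCredential that channel authenticated with.
final class CredentialTracker {
    private final Map<String, Long> expiryByChannel = new ConcurrentHashMap<>();

    void channelAuthenticated(String channelId, long credentialExpiryMs) {
        expiryByChannel.put(channelId, credentialExpiryMs);
    }

    void channelClosed(String channelId) {
        expiryByChannel.remove(channelId);
    }

    // Channels whose credential expires within windowMs of nowMs must re-authenticate now.
    Set<String> channelsNeedingReauth(long nowMs, long windowMs) {
        return expiryByChannel.entrySet().stream()
            .filter(e -> e.getValue() - nowMs <= windowMs)
            .map(Map.Entry::getKey)
            .collect(Collectors.toSet());
    }
}

public final class TrackerDemo {
    // Look the tracker up in the Subject's private credentials by class; install one if
    // absent. Subject.getPrivateCredentials(Class) is the standard JAAS lookup for this.
    static CredentialTracker trackerFor(Subject subject) {
        Set<CredentialTracker> found = subject.getPrivateCredentials(CredentialTracker.class);
        if (!found.isEmpty()) {
            return found.iterator().next();
        }
        CredentialTracker tracker = new CredentialTracker();
        subject.getPrivateCredentials().add(tracker);
        return tracker;
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        CredentialTracker tracker = trackerFor(subject);
        long now = System.currentTimeMillis();
        // Constructed sample: conn-1 has a fresh 60-second credential, conn-2 is nearly expired
        tracker.channelAuthenticated("conn-1", now + 60_000);
        tracker.channelAuthenticated("conn-2", now + 5_000);
        // With a 10-second safety window only conn-2 is due for re-authentication
        System.out.println("due: " + tracker.channelsNeedingReauth(now, 10_000));
        // A second lookup on the same Subject returns the same tracker instance
        System.out.println("same tracker: " + (trackerFor(subject) == tracker));
    }
}
```

The window check is what makes re-authentication happen slightly before the configured lifetime elapses, matching the "a bit more frequently than once a minute" behaviour observed with the 60-second JAAS configuration above.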