...

The PR does not yet have unit or integration tests – I will add these if/when the general implementation approach is verified by the community as being appropriate.  I have stepped through the code in the debugger, and I can see from this exercise and from the emitted log messages that the implementation does in fact work.  For example, connections are re-authenticated a bit more frequently than once a minute with this JAAS configuration:

Code Block (language: text; title: JAAS Config: Re-Authenticate About Once a Minute)
KafkaClient {
  org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
    unsecuredLoginLifetimeSeconds="60"
    unsecuredLoginStringClaim_sub="admin";
};

The final issue to describe is how/when a KafkaChannel instance (each of which corresponds to a unique network connection) is told to re-authenticate.

We define the class org.apache.kafka.common.security.expiring.internals.ClientChannelCredentialTracker to keep track of the various KafkaChannel instances and the ExpiringCredential instances that they authenticated with.  The following code in SaslChannelBuilder adds an instance of ClientChannelCredentialTracker to the private credentials of the Subject associated with the SASL mechanism when the feature is enabled:

...
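As an added illustration, not code from the KIP or from Apache Kafka, the following Java sketch shows the tracking described above: a tracker placed in the Subject's private credentials, a record of which expiring credential each connection authenticated with, and a sweep that flags connections due for re-authentication. The shapes of ExpiringCredential and of the Channel stand-in, the tracker's method names, and the policy of re-authenticating at 80% of the credential's lifetime are all assumptions made here; the constructed 60-second credential for principal "admin" mirrors the JAAS example above. Only javax.security.auth.Subject and its getPrivateCredentials methods are real APIs.

```java
import javax.security.auth.Subject;

import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Illustrative sketch only, not code from the KIP or from Apache Kafka.
 * The nested ExpiringCredential, Channel and tracker types are assumed
 * stand-ins for the classes the design text names; the "re-authenticate
 * at 80% of the credential lifetime" policy is also an assumption.
 */
public class ReauthTrackerExample {

    /** Assumed minimal shape of a credential that expires. */
    interface ExpiringCredential {
        String principalName();
        Instant expireTime();
    }

    /** Assumed stand-in for KafkaChannel: one network connection. */
    static final class Channel {
        final String id;
        volatile boolean reauthRequested;
        Channel(String id) { this.id = id; }
    }

    /** Pairs a channel's credential with the moment the channel authenticated. */
    private static final class Tracked {
        final ExpiringCredential credential;
        final Instant authenticatedAt;
        Tracked(ExpiringCredential credential, Instant authenticatedAt) {
            this.credential = credential;
            this.authenticatedAt = authenticatedAt;
        }
        /** Deadline = authentication time + fraction of the credential's remaining lifetime. */
        Instant reauthDeadline(double fraction) {
            long lifetimeMs = Duration.between(authenticatedAt, credential.expireTime()).toMillis();
            return authenticatedAt.plusMillis((long) (lifetimeMs * fraction));
        }
    }

    /** Tracks which expiring credential each live channel authenticated with (assumed API). */
    static final class ClientChannelCredentialTracker {
        private final Map<Channel, Tracked> entries = new ConcurrentHashMap<>();
        private final double refreshFraction;

        ClientChannelCredentialTracker(double refreshFraction) {
            this.refreshFraction = refreshFraction;
        }

        /** Record a successful (re-)authentication; a later one replaces the earlier entry. */
        void channelAuthenticated(Channel channel, ExpiringCredential credential, Instant when) {
            channel.reauthRequested = false;
            entries.put(channel, new Tracked(credential, when));
        }

        /** Forget a closed connection so it is never told to re-authenticate. */
        void channelClosed(Channel channel) {
            entries.remove(channel);
        }

        /** Flag every channel whose deadline has passed; returns the channels flagged by this call. */
        List<Channel> requestReauthentication(Instant now) {
            List<Channel> flagged = new ArrayList<>();
            for (Map.Entry<Channel, Tracked> e : entries.entrySet()) {
                Channel channel = e.getKey();
                Instant deadline = e.getValue().reauthDeadline(refreshFraction);
                if (!channel.reauthRequested && !now.isBefore(deadline)) {
                    channel.reauthRequested = true;
                    flagged.add(channel);
                }
            }
            return flagged;
        }
    }

    /** Store the tracker in the Subject's private credentials, as the design text describes. */
    static void install(Subject subject, ClientChannelCredentialTracker tracker) {
        subject.getPrivateCredentials().add(tracker);
    }

    /** Retrieve the tracker from the same Subject; null when the feature is not enabled. */
    static ClientChannelCredentialTracker lookup(Subject subject) {
        Set<ClientChannelCredentialTracker> found =
                subject.getPrivateCredentials(ClientChannelCredentialTracker.class);
        return found.isEmpty() ? null : found.iterator().next();
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2018-09-01T00:00:00Z");
        // Constructed credential mirroring the JAAS example: 60-second lifetime, principal "admin".
        ExpiringCredential cred = new ExpiringCredential() {
            public String principalName() { return "admin"; }
            public Instant expireTime() { return t0.plusSeconds(60); }
        };

        Subject subject = new Subject();
        install(subject, new ClientChannelCredentialTracker(0.8));
        ClientChannelCredentialTracker tracker = lookup(subject);

        Channel channel = new Channel("conn-1");
        tracker.channelAuthenticated(channel, cred, t0);

        // Deadline is t0 + 48s, so the first sweep flags nothing and the second flags conn-1.
        System.out.println("flagged at +40s: " + tracker.requestReauthentication(t0.plusSeconds(40)).size());
        System.out.println("flagged at +50s: " + tracker.requestReauthentication(t0.plusSeconds(50)).size());
        // A channel still awaiting re-authentication is not flagged a second time.
        System.out.println("flagged at +55s: " + tracker.requestReauthentication(t0.plusSeconds(55)).size());
    }
}
```

Two details worth keeping in any real implementation: the tracker must drop closed channels (otherwise the map leaks one entry per connection ever opened), and a channel already flagged must not be flagged again on the next sweep, or the client would pile up redundant re-authentication requests while the first is still in flight.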