Status
Current state: Discuss Discarded
Discussion thread: here
JIRA: KAFKA-3302
Motivation
Currently the Kafka Java client does not support different login contexts within the same JVM.
IBM MessageHub has encountered many users asking for this functionality, e.g. having multiple consumers and producers in a single JVM that consume from and produce to different Kafka clusters, each requiring specific credentials.
Public Interfaces
...
A new LoginModule class will be added, to be referenced by fully qualified name in jaas.conf, e.g. org.apache.kafka.common.security.plain.MultiUserPlainLoginModule, and a new public interface such as

    public interface CredentialProvider {
        // Username to authenticate with for the client identified by clientId
        public String getUserName(String clientId);
        // Password to authenticate with for the client identified by clientId
        public char[] getPassword(String clientId);
    }

A CredentialProvider uses the client.id property from the consumer.properties/producer.properties file, and provides the username and password corresponding to that client.id.
The user should provide an implementation of CredentialProvider, but a sample implementation that reads values from jaas.conf will be supplied.
Example of jaas.conf:

    KafkaClient {
        org.apache.kafka.common.security.plain.MultiUserPlainLoginModule
        serviceName="kafka"
        credentialProvider="org.apache.kafka.common.security.plain.DefaultCredentialProvider";
    };
Proposed Changes
- MultiUserPlainLoginModule on initialize(Subject..) adds a specific Principal to the subject which has a handle to an instance of CredentialProvider
- SaslClientCallbackHandler saves the consumer/producer configs passed to configure(...)
- SaslClientCallbackHandler on handle(Callback[]) will check if the subject contains the multi-user principal, and if so will delegate the retrieval of username and password to the CredentialProvider, else will keep the current behavior
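
The delegation described above, as an added example built only on JDK classes (it is not code from this KIP or from Kafka). MultiUserDemo, MapCredentialProvider and DelegatingCallbackHandler are hypothetical names, the credentials are constructed sample values, and the CredentialProvider interface is repeated from the proposal so the file compiles on its own.

```java
import java.util.*;
import javax.security.auth.callback.*;

public class MultiUserDemo {
    interface CredentialProvider { // interface as proposed on this page
        String getUserName(String clientId);
        char[] getPassword(String clientId);
    }
    static class MapCredentialProvider implements CredentialProvider { // hypothetical, in-memory
        private final Map<String, String[]> byClientId; // client.id -> {username, password}
        MapCredentialProvider(Map<String, String[]> byClientId) { this.byClientId = byClientId; }
        private String[] lookup(String clientId) {
            String[] entry = byClientId.get(clientId);
            // Fail closed: an unknown client.id must not fall back to another client's login.
            if (entry == null) throw new IllegalArgumentException("no credentials for " + clientId);
            return entry;
        }
        public String getUserName(String clientId) { return lookup(clientId)[0]; }
        public char[] getPassword(String clientId) { return lookup(clientId)[1].toCharArray(); }
    }
    static class DelegatingCallbackHandler implements CallbackHandler { // hypothetical, one per client.id
        private final String clientId;
        private final CredentialProvider provider;
        DelegatingCallbackHandler(String clientId, CredentialProvider provider) {
            this.clientId = clientId;
            this.provider = provider;
        }
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(provider.getUserName(clientId));
                } else if (cb instanceof PasswordCallback) {
                    char[] pw = provider.getPassword(clientId);
                    ((PasswordCallback) cb).setPassword(pw); // the callback keeps its own copy
                    Arrays.fill(pw, '\0');                   // wipe the temporary array
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }
    public static void main(String[] args) throws Exception {
        CredentialProvider provider = new MapCredentialProvider(Map.of( // constructed sample values
            "orders-producer", new String[] {"alice", "alice-secret"},
            "audit-consumer", new String[] {"bob", "bob-secret"}));
        for (String id : List.of("orders-producer", "audit-consumer")) {
            NameCallback name = new NameCallback("username: ");
            Callback[] callbacks = {name, new PasswordCallback("password: ", false)};
            new DelegatingCallbackHandler(id, provider).handle(callbacks);
            System.out.println(id + " -> " + name.getName());
        }
    }
}
```
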
This KIP becomes trivial after KIP-85: Dynamic JAAS configuration for Kafka clients
KIP-85 not only makes multi login easy to implement, but also removes the need for a pluggable interface to retrieve credentials not stored in jaas.conf
Proposed Changes
LoginManager should no longer be a singleton.
On the client side, LoginManager caching will be keyed on the jaas configuration object.
...
Compatibility, Deprecation, and Migration Plan
- The old PlainLoginModule and its expected jaas.conf format can remain unchanged for backward compatibility for users that don't require the new functionality
...