THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
| Table of Contents |
|---|
Status
Current state: Under Discussion Accepted
Discussion thread: kafka-dev
...
sasl.mechanism(String) SASL mechanism used for client connections. This may be any mechanism for which a security provider is available in the JVM. Default value is GSSAPI.sasl.enabled.mechanisms(List<String>) The list of SASL mechanisms enabled in the Kafka server. This may include any mechanism for which a security provider is available in the JVM. Default value is GSSAPI.sasl.mechanism.inter.broker.protocol(String) SASL mechanism used for inter-broker connections. Default value is GSSAPI.
...
Clients may enable only one mechanism and the mechanism name is sent to the server before any SASL authentication packets are sent, if the mechanism is not GSSAPI. Server fails the authentication if the client mechanism is not enabled in the broker. For inter-broker communication, sasl.mechanism.inter.broker.protocol configuration on the broker is used by the client-mode connection to choose the SASL mechanism.
...
Client flow:
- If
sasl.mechanismis not GSSAPI, send a Kafka handshake request packet with the mechanism name to the server. Otherwise go to Step 3.- Request Format: |
Kafka RequestHeader|Kafka SaslHandhsakeRequestSaslHandshakeRequest|
- Request Format: |
- Wait for response from the server. If the error code in the response is non-zero, indicating failure, report the error and fail authentication.
- Perform SASL authentication with the configured client mechanism. SASL authentication packets do not contain a Kafka RequestHeader.
- Client token Format: |
Size (int16int32)|SASL client authentication token|
- Client token Format: |
Server flow:
- Wait for first authentication packet from client
- If this packet is a not valid Kafka handshake request, go to Step 4 and process this packet as the first GSSAPI client token
- If the client mechanism in the Kafka handshake request received in Step 2 is enabled in the broker, send a response with error code zero and start authentication using the specified mechanism. Otherwise, send an error response including the list of enabled mechanisms and fail authentication.
- Response Format: |
Kafka ResponseHeader|Kafka SaslHandhsakeResponseSaslHandshakeResponse|
- Response Format: |
- Perform SASL authentication with the selected mechanism. If mechanism exchange was skipped, process the initial packet that was received from the client first. SASL authentication packets are expected without a Kafka RequestHeader until SASL authentication exchange completes. SASL server authentication packets are sent back without a Kafka response header.
- Server token Format: |
Size (int16int32)|SASL server authentication token|
- Server token Format: |
...