Status
Current state: Accepted
Discussion thread: kafka-dev
...
Client flow:
1. If sasl.mechanism is not GSSAPI, send a Kafka handshake request packet with the mechanism name to the server. Otherwise go to Step 3.
   - Request Format:
     | Kafka RequestHeader | Kafka SaslHandshakeRequest |
2. Wait for response from the server. If the error code in the response is non-zero, indicating failure, report the error and fail authentication.
3. Perform SASL authentication with the configured client mechanism. SASL authentication packets do not contain a Kafka RequestHeader.
   - Client token Format:
     | Size (int32) | SASL client authentication token |
Server flow:
1. Wait for the first authentication packet from the client.
2. If this packet is not a valid Kafka handshake request, go to Step 4 and process this packet as the first GSSAPI client token.
3. If the client mechanism in the Kafka handshake request received in Step 2 is enabled in the broker, send a response with error code zero and start authentication using the specified mechanism. Otherwise, send an error response including the list of enabled mechanisms and fail authentication.
   - Response Format:
     | Kafka ResponseHeader | Kafka SaslHandshakeResponse |
4. Perform SASL authentication with the selected mechanism. If mechanism exchange was skipped, process the initial packet that was received from the client first. SASL authentication packets are expected without a Kafka RequestHeader until the SASL authentication exchange completes. SASL server authentication packets are sent back without a Kafka response header.
   - Server token Format:
     | Size (int32) | SASL server authentication token |
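The first-packet decision from the server flow, together with the client's handshake request, as an added example that is not part of the KIP or of Kafka's code. The header and handshake field layouts, API key 17 and error code 33 are taken from the Kafka protocol rather than from this page; all function names are hypothetical, and packets are assumed to have had their int32 size prefix already removed.

```python
import struct

# Values from the Kafka protocol, not stated on this page (assumptions here).
SASL_HANDSHAKE_API_KEY = 17
UNSUPPORTED_SASL_MECHANISM = 33

def frame(payload):
    """Size (int32, big-endian) followed by the payload, as in the token format."""
    return struct.pack(">i", len(payload)) + payload

def kstr(s):
    """Kafka string: int16 length + UTF-8 bytes."""
    raw = s.encode("utf-8")
    return struct.pack(">h", len(raw)) + raw

def read_kstr(buf, pos):
    (n,) = struct.unpack_from(">h", buf, pos)
    if n < 0:                      # -1 encodes null (allowed for client_id)
        return None, pos + 2
    if pos + 2 + n > len(buf):
        raise ValueError("string runs past end of packet")
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def handshake_request(corr_id, client_id, mechanism):
    """Client Step 1: RequestHeader + SaslHandshakeRequest (version 0), unframed."""
    header = struct.pack(">hhi", SASL_HANDSHAKE_API_KEY, 0, corr_id) + kstr(client_id)
    return header + kstr(mechanism)

def parse_handshake(packet):
    """Return (corr_id, mechanism), or None if this is not a valid handshake request."""
    try:
        api_key, version, corr_id = struct.unpack_from(">hhi", packet, 0)
        if api_key != SASL_HANDSHAKE_API_KEY or version != 0:
            return None
        _client_id, pos = read_kstr(packet, 8)
        mechanism, pos = read_kstr(packet, pos)
    except (struct.error, ValueError, UnicodeDecodeError):
        return None
    return (corr_id, mechanism) if mechanism and pos == len(packet) else None

def on_first_packet(packet, enabled):
    """Server Steps 2-3. Returns (mechanism to run, or None on failure; reply or None)."""
    parsed = parse_handshake(packet)
    if parsed is None:             # Step 2: treat packet as the first GSSAPI token
        return "GSSAPI", None
    corr_id, mechanism = parsed
    error = 0 if mechanism in enabled else UNSUPPORTED_SASL_MECHANISM
    body = struct.pack(">ihi", corr_id, error, len(enabled)) + b"".join(map(kstr, enabled))
    return (mechanism if error == 0 else None), frame(body)
```

Any packet that fails to parse as a handshake request, including a truncated one, is handed to the GSSAPI path, so that path is what has to reject malformed input.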
...