THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
| Table of Contents |
|---|
Status
Current state: Under Discussion Approved
Discussion thread: here
JIRA: TBD: KAFKA-6950
Release: 2.1.0
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
...
Kafka network threads are mainly responsible for establishing connections with clients and other brokers, performing authentication with them, receiving Kafka protocol requests and responses, and for sending out Kafka protocol requests and responses. Performing authentication is one of the most expensive operation performed in the network thread, so much so that it could end up saturating them, preventing from getting any useful work from being done. Given this, a misconfigured application trying to connect with incorrect (or stale) credentials could cause a denial of service like situation. To help mitigate this issue, this KIP proposes to introduce a way of delaying response to a failed authentication. This will also help with the case of a malicious application trying a brute force password attack.
Public Interfaces
This KIP proposes to add a new broker configuration connection.failed.authentication.delay.ms which specifies the amount of time (in milliseconds) to delay a failed authentication response and subsequent socket disconnection by. In general, this must be configured to be lower than the underlying network protocol timeout request.timeout.ms.
Configuration Name: connection.failed.authentication.delay.msType: LongINT
Explanation: This configuration specifies the amount of time in milliseconds by which a response to a failed authentication will be delayed by.
Default Value: 0100
Priority: LOW
Proposed Changes
...
Compatibility, Deprecation, and Migration Plan
This The change in this KIP is backward compatible - the default value for the parameter will be set to 0ms which is the same behavior as without the changes in this KIPas it does not change the protocol in any way. The only difference is that clients will see a 100ms delay on failed authentications.
Rejected Alternatives
None.