Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Status

Current state: Discuss Discarded

Discussion thread: here 

JIRA:

Jira
serverASF JIRA
serverId5aa69414-a9e9-3523-82ec-879b028fb15b
keyKAFKA-4180

...

Currently the Kafka java client does not support different login contexts from within the same JVM.
IBM MessageHub has encountered many users asking for this functionality, e.g. having multiple consumers and producers in a single JVM that consumer/produce to different Kafka clusters, each requiring specific credentials.

Public Interfaces

For SASL PLAIN:

...

This KIP becomes trivial after KIP-85: Dynamic JAAS configuration for Kafka clients

KIP-85 not only makes multi login easy to implement, but also removes the need for a pluggable interface to retrieve credentials not stored in jaas.conf

org.apache.kafka.common.security.plain.MultiUserPlainLoginModule

and a new public interface such as

public interface CredentialProvider {
    public String getUserName(String clientId); 
    public char[] getPassword(String clientId);
}

A CredentialProvider uses the client.id property from the consumer.properties/producer.properties file, and provides username and password corresponding to that clientid .
The user should provide an implementation of CredentialProvider but a sample implementation that reads values from jaas.conf will be supplied.

Example of jaas.conf :

KafkaClient {
   org.apache.kafka.common.security.plain.MultiUserPlainLoginModule
    serviceName="kafka"
    credentialProvider="org.apache.kafka.common.security.plain.DefaultCredentialProvider";
};

...

TBD

Proposed Changes

LoginManager should no longer be a singleton.

On the client side, LoginManager caching will be keyed on the jaas configuration object.

Compatibility, Deprecation, and Migration Plan

...