Status

Current state: Accepted

Discussion thread: here

JIRA: KAFKA-4764

...

  1. Improve diagnostics for SASL authentication failures.
  2. Reduce retries when authentication fails. Authentication failures should be treated as non-retriable exceptions rather than transient failures.
  3. Reduce blocking in clients when authentication fails. If connection to a broker fails authentication, metadata wait operations in producers and consumers should avoid unnecessary blocking and throw an exception indicating authentication failure.

...

SSL Authentication Failures

This KIP does not change protocol-level handling of SSL authentication failures. Moving to a consistent protocol for SSL will break compatibility with existing brokers. But we have improved diagnostics for SSL by converting SSL exceptions to AuthenticationException under KAFKA-5920. The system property javax.net.debug can also be set on the client to obtain comprehensive diagnostics for this case,

...

 

Public Interfaces

SASL does not provide a mechanism-independent way of reporting authentication failures. So this KIP proposes to add error reporting for SASL using the Kafka protocol. A new SaslAuthenticate request will be added to enable this. SASL authentication messages are currently length-encoded message blobs that are processed by the SaslServer/SaslClient implementations for the SASL mechanism.  This KIP proposes to wrap these message blobs in SaslAuthenticate request/response messages defined in the Kafka protocol.

...

SaslAuthenticate Response (Version: 0) => error_code error_message sasl_auth_bytes
  error_code => INT16
  error_message => NULLABLE_STRING
  sasl_auth_bytes => BYTES
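
As an added example (not code from the KIP or from Kafka), a Python decoder for the version 0 response body above that raises a non-retriable error when error_code is non-zero and rejects truncated input. It assumes Kafka's big-endian primitive encodings (INT16; NULLABLE_STRING as an INT16 length with -1 for null; BYTES as an INT32 length) and that the size prefix and response header are already stripped; all function and class names are hypothetical.

```python
import struct


class SaslAuthenticationError(Exception):
    """Non-retriable: the broker reported an authentication failure."""
    def __init__(self, code, message):
        super().__init__(f"SASL authentication failed (error_code={code}): {message}")
        self.code, self.message = code, message


def _take(buf, off, n):
    """Return n bytes at off, refusing to read past the end of the buffer."""
    if n < 0 or off + n > len(buf):
        raise ValueError(f"truncated or malformed field at offset {off}")
    return buf[off:off + n], off + n


def parse_sasl_authenticate_response_v0(body):
    """Decode error_code, error_message, sasl_auth_bytes; return the auth bytes."""
    raw, off = _take(body, 0, 2)
    (error_code,) = struct.unpack(">h", raw)
    raw, off = _take(body, off, 2)
    (slen,) = struct.unpack(">h", raw)
    error_message = None
    if slen != -1:  # NULLABLE_STRING: length -1 encodes null
        raw, off = _take(body, off, slen)
        error_message = raw.decode("utf-8")
    raw, off = _take(body, off, 4)
    (blen,) = struct.unpack(">i", raw)
    auth_bytes, off = _take(body, off, blen)
    if off != len(body):
        raise ValueError("trailing bytes after sasl_auth_bytes")
    if error_code != 0:
        # Surface the broker's diagnostic instead of retrying the connection.
        raise SaslAuthenticationError(error_code, error_message)
    return auth_bytes


def encode_response_v0(error_code, error_message, auth_bytes):
    """Build a constructed sample body for exercising the parser."""
    if error_message is None:
        s = struct.pack(">h", -1)
    else:
        m = error_message.encode("utf-8")
        s = struct.pack(">h", len(m)) + m
    return struct.pack(">h", error_code) + s + struct.pack(">i", len(auth_bytes)) + auth_bytes
```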

...