Status

Current state: Under Discussion

...

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

The JAAS configuration for various SASL mechanisms would benefit from the ability to substitute values based on delimited text.  For example, clients that connect via SASL/PLAIN (username/password) currently must specify the password directly in the configuration, like this:

...

This KIP proposes adding support for substitution within client JAAS configuration values for PLAIN and SCRAM-related SASL mechanisms in a backwards-compatible manner and making the functionality available to other existing (or future) configuration contexts where it is deemed appropriate.

Public Interfaces

The public interface in terms of code is depicted in the above UML diagram.  A set of 4 built-in substitution types will also be provided as described below.  The implementations of the built-in substitution types are not part of the public code; rather, the way the substitutions are invoked within a JASS configuration will be the public interface to their functionality.

...

$[foo/optional/modifiers/=optionalIdentifier]

Proposed Changes

This KIP proposes adding the above classes to support substitution into configuration values where it is deemed appropriate.  Specifically, this KIP proposes adding support for substitution within the configuration read by the following classes to allow clients leveraging the associated SASL mechanisms to retrieve their username and password from elsewhere if they so choose:

...

Note that it would likely be possible to support substitution into configuration values in contexts other than client JAAS configurations (for example, server JAAS configurations, or perhaps even the cluster configuration), but this KIP does not propose any of these possibilities.  If any such changes are desired then they should be proposed via separate KIPs for discussion.

Compatibility, Deprecation, and Migration Plan

There is a possibility that existing usernames or (more likely) passwords in existing client JAAS configurations could contain the "$[" and "]" delimiters.  This would cause a substitution to be attempted, which of course would fail and raise an exception.  This risk is low, but it nonetheless does need to be mitigated; therefore any already-existing login modules where substitution support is to be added (namely, the ones mentioned above) will only enable substitution if a key/value pair is explicitly added to the JAAS configuration as follows:

...

Existing behavior will remain unchanged in the absence of this explicit opt-in key/value pair.

Rejected Alternatives

This KIP does not define Callback or CallbackHandler implementations because configuration values are typically retrieved without using them (this is the case with PlainLoginModule and ScramLoginModule).

...