Rajini Sivaram created KAFKA-10798:
--------------------------------------
Summary: Failed authentication delay doesn't work with some SASL
authentication failures
Key: KAFKA-10798
URL: https://issues.apache.org/jira/browse/KAFKA-10798
Project: Kafka
Issue Type: Bug
Components: security
Reporter: Rajini Sivaram
Assignee: Rajini Sivaram
Fix For: 2.8.0

KIP-306 introduced the config `connection.failed.authentication.delay.ms` to
delay connection closing on brokers for failed authentication, limiting the rate
of retried authentications from clients in order to avoid excessive
authentication load on brokers from failed clients. We rely on the authentication
failure response being delayed in this case to prevent clients from detecting
the failure and retrying sooner.

SaslServerAuthenticator delays the response for SaslAuthenticationException, but
not for SaslException, even though SaslException is also converted into
SaslAuthenticationException and processed as an authentication failure by both
server and clients. As a result, the connection delay is not applied in many
scenarios, such as SCRAM authentication failures.
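
An added example, not part of the original issue or of Kafka's code: a broker-log check for the symptom described above, flagging clients whose failed authentications recur faster than `connection.failed.authentication.delay.ms`. The log layout, the sample lines, the 100 ms delay and the function names are assumptions, and it assumes one sequentially retrying client per IP.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log4j layout "[%d] %p %m (%c)"; adjust to the broker's real layout.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\] \w+ .*?"
    r"Failed authentication with /(?P<ip>[0-9a-fA-F.:]+)"
)

def _line(ms, ip):
    """Build one constructed log line (not captured from a real broker)."""
    return (f"[2020-12-02 10:00:00,{ms:03d}] INFO [SocketServer brokerId=0] "
            f"Failed authentication with /{ip} (invalid credentials) "
            "(org.apache.kafka.common.network.Selector)")

# Constructed sample: 10.0.0.5 retries every 15-30 ms, 10.0.0.9 every ~220 ms.
SAMPLE_LOG = [_line(ms, ip) for ms, ip in [
    (0, "10.0.0.5"), (10, "10.0.0.9"), (20, "10.0.0.5"), (45, "10.0.0.5"),
    (60, "10.0.0.5"), (90, "10.0.0.5"), (230, "10.0.0.9"), (460, "10.0.0.9"),
]] + ["[2020-12-02 10:00:00,500] INFO unrelated line (kafka.server.KafkaServer)"]

def retry_gaps(lines):
    """Map client IP -> gaps in ms between consecutive failed authentications."""
    last, gaps = {}, defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-authentication line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        ip = m["ip"]
        if ip in last:
            gaps[ip].append((ts - last[ip]) // timedelta(milliseconds=1))
        last[ip] = ts
    return dict(gaps)

def clients_beating_delay(lines, delay_ms, min_retries=3):
    """Return {ip: shortest gap} for clients that retried faster than delay_ms
    at least min_retries times, i.e. the delay is not throttling them."""
    flagged = {}
    for ip, g in retry_gaps(lines).items():
        fast = [x for x in g if x < delay_ms]
        if len(fast) >= min_retries:
            flagged[ip] = min(fast)
    return flagged

if __name__ == "__main__":
    # 100 ms is an assumed configured delay for this example.
    print(clients_beating_delay(SAMPLE_LOG, delay_ms=100))
```

Several clients behind one NAT address can also produce short gaps, so treat a flagged IP as a lead to confirm against the broker version and SASL mechanism in use.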