[ https://issues.apache.org/jira/browse/KAFKA-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Konstantine Karantasis resolved KAFKA-10895.
--------------------------------------------
    Resolution: Fixed

> Basic auth extension's JAAS config can be corrupted by other plugins
> --------------------------------------------------------------------
>
>                 Key: KAFKA-10895
>                 URL: https://issues.apache.org/jira/browse/KAFKA-10895
>             Project: Kafka
>          Issue Type: Bug
>          Components: KafkaConnect
>    Affects Versions: 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.1.1, 2.3.0, 2.2.1, 2.2.2, 2.4.0, 2.3.1, 2.5.0, 2.4.1, 2.6.0, 2.5.1, 2.7.0
>            Reporter: Chris Egerton
>            Assignee: Chris Egerton
>            Priority: Major
>             Fix For: 2.3.2, 2.4.2, 2.5.2, 2.8.0, 2.7.1, 2.6.2
>
>
> The Connect [BasicAuthSecurityRestExtension|https://github.com/apache/kafka/blob/trunk/connect/basic-auth-extension/src/main/java/org/apache/kafka/connect/rest/basic/auth/extension/BasicAuthSecurityRestExtension.java]'s doc states that "An entry with the name {{KafkaConnect}} is expected in the JAAS config file configured in the JVM."
> This is technically accurate, as the [JaasBasicAuthFilter|https://github.com/apache/kafka/blob/afa5423356d3d2a2135a51200573b45d097f6d60/connect/basic-auth-extension/src/main/java/org/apache/kafka/connect/rest/basic/auth/extension/JaasBasicAuthFilter.java#L61-L63] that the extension installs creates a {{LoginContext}} using a [constructor|https://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/LoginContext.html#LoginContext-java.lang.String-javax.security.auth.callback.CallbackHandler-] that does not include a [Configuration|https://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/Configuration.html] to be passed in, which causes [Configuration::getConfiguration|https://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/Configuration.html#getConfiguration--] to be used under the hood by the {{LoginContext}} to fetch the JAAS configuration to use for authentication.
>
> Unfortunately, other plugins (connectors, converters, even other REST extensions, etc.) may invoke [Configuration::setConfiguration|https://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/Configuration.html#setConfiguration-javax.security.auth.login.Configuration-] and install a completely different JAAS configuration onto the JVM. If the user starts their JVM with a JAAS config set via the {{-Djava.security.auth.login.config}} property, that JAAS config can then be completely overwritten, and if the basic auth extension depends on the JAAS config that's installed at startup (as opposed to at runtime by a plugin), it will break.
>
> It's debatable whether this can or should be addressed with a code fix. One possibility is to cache the current JVM's configuration as soon as the basic auth extension is loaded by invoking {{Configuration::getConfiguration}} and saving the resulting configuration for future {{LoginContext}} instantiations. However, it may be possible that users actually rely on runtime plugins being able to install custom configurations at runtime for their basic auth extension, in which case this change would actually be harmful.
>
> Regardless, it's worth noting this odd behavior here in the hopes that it can save some time for others who encounter the same issue.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
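The caching approach the issue floats, shown as an added stand-alone illustration (not code from the Kafka project or from the reporter): a LoginContext built with the two-argument constructor resolves Configuration.getConfiguration() at construction time and so sees whatever another plugin last installed, whereas one built with the constructor that takes an explicit Configuration keeps using the instance captured when the extension loaded. The login module class name and password-file path are constructed placeholders; the module class is never instantiated because login() is not called.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
public class JaasConfigPinningDemo {
    // Entry name the Connect basic auth extension expects in the JAAS config.
    static final String JAAS_ENTRY = "KafkaConnect";
    // Constructed stand-in for the config the JVM starts with via
    // -Djava.security.auth.login.config; module class and file path are placeholders.
    static Configuration startupConfig() {
        Map<String, String> opts = new HashMap<>();
        opts.put("file", "/placeholder/connect.password");
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.example.PlaceholderLoginModule", LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return JAAS_ENTRY.equals(name) ? new AppConfigurationEntry[] {entry} : null;
            }
        };
    }
    // Shape described in the issue: the two-argument constructor resolves the config
    // through Configuration.getConfiguration(), i.e. whatever was installed most recently.
    static LoginContext unpinned(CallbackHandler handler) throws LoginException {
        return new LoginContext(JAAS_ENTRY, handler);
    }
    // Mitigation the issue proposes: pass the Configuration captured at extension load
    // time explicitly, so later setConfiguration() calls by other plugins do not affect it.
    static LoginContext pinned(Configuration captured, CallbackHandler handler) throws LoginException {
        return new LoginContext(JAAS_ENTRY, new Subject(), handler, captured);
    }
    public static void main(String[] args) throws Exception {
        Configuration.setConfiguration(startupConfig());           // JVM startup config
        Configuration captured = Configuration.getConfiguration(); // cached on extension load
        CallbackHandler noop = callbacks -> { };
        // Another plugin now replaces the process-wide JAAS config with one lacking the entry.
        Configuration.setConfiguration(new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return null; }
        });
        try { unpinned(noop); System.out.println("unpinned: unexpected success"); }
        catch (LoginException e) { System.out.println("unpinned: " + e.getMessage()); } // no entry -> fails
        pinned(captured, noop); // still resolves KafkaConnect from the captured config
        System.out.println("pinned: LoginContext created");
    }
}
```

As the issue notes, pinning the startup configuration also means a plugin that legitimately installs a JAAS configuration at runtime for the extension to use would no longer be honoured.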