Hello all,
    Anyone involved in Kafka's SASL support got time to help with this?
Thankfully KIP-255 (
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=75968876)
helped shed light on things but from the SASL/OAUTHBEARER perspective
instead of SASL/PLAIN, but if anyone has time to help me better understand
what it would take to implement a custom SASL mechanism for Kafka, I'd
greatly appreciate it.

Take care,

Jeremy


On Fri, Dec 17, 2021 at 10:36 AM Jeremy Whitlock <jcscoob...@gmail.com>
wrote:

> Hello Kafka Dev,
>     I realize that this question might be more SASL than Kafka related,
> but after endless Googling and code browsing, I'm not understanding a few
> things.  I've looked at all of the code for SASL/PLAIN and SASL/OAUTHBEARER
> but when attempting to implement my own custom SASL mechanism, there are
> gaps in my understanding and I'm really trying to make sure I
> understand things before just copying/pasting/refactoring and hoping for
> the best.
>
> Does someone have a little time to explain the execution path for
> SASL/PLAIN so that I can eventually implement my own custom mechanism?
> Here are a few questions I had after spending a good bit of time trying to
> figure this out on my own:
>
> 1. What runs where?  (Where is the LoginModule run, where are the
> callbacks run, how are SaslClient/SaslServer used, ...)
>
> 2. A follow-up to #1 is that the SASL/PLAIN implementation doesn't seem to
> have a custom SaslClient implementation but does have a custom SaslServer
> implementation.  Why isn't a SaslClient required for SASL/PLAIN?
>
> 3. Are callbacks required for anything more than pluggability?  I ask
> because for PlainLoginModule, JAAS states that the LoginModule should
> perform authentication in login() but PlainLoginModule doesn't do anything
> of the sort, just adding details to the Subject.  SaslChannelBuilder wires
> up a PlainServerCallbackHandler to do the real work but if pluggability
> isn't required, couldn't login() do it?
>
> I think that's it for now.  Ultimately, I want to create my own SASL
> mechanism that works in Kafka to do external authentication using more than
> just username and password.
>
> Take care,
>
> Jeremy
>
