May I get a Jira account?
Email id: [email protected]
On Sunday, 5 February, 2023 at 01:58:33 am IST, Sourav Biswas
<[email protected]> wrote:
Hello Kafka Dev,
Issue: Say I need to configure multiple clients (consumer/producer) listening
and publishing to different clusters inside the same application (same JVM). Both
clusters use
- sasl.mechanism = GSSAPI
- security.protocol = SASL_PLAINTEXT
but different 'sasl.kerberos.service.name'.
Now, considering the above configuration, the client will create a KafkaChannel using
SaslChannelBuilder, which uses a LoginManager.
https://github.com/apache/kafka/blob/4a7fedd46a7fc1eff5411a0f4329781c9474f8e8/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L170
For this case, it should create multiple LoginManagers for each cluster, but it
is creating only one. Because of this, authentication is failing for all clusters
except one.
Reason:
A static Map of login managers is maintained, keyed by LoginMetadata:
    STATIC_INSTANCES.put(loginMetadata, loginManager);
- https://github.com/apache/kafka/blob/4a7fedd46a7fc1eff5411a0f4329781c9474f8e8/clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java#L109
- https://github.com/apache/kafka/blob/4a7fedd46a7fc1eff5411a0f4329781c9474f8e8/clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java#L113
LoginMetadata only considers the following fields to maintain its uniqueness:
    final T configInfo; // "KafkaClient"; same for all clusters
    final Class<? extends Login> loginClass; // same for all clusters
    final Class<? extends AuthenticateCallbackHandler> loginCallbackClass; // same for all clusters
Possible fix: Need to consider more fields
(sasl.kerberos.service.name/client.id/something-else) to maintain more granular
uniqueness.
Note: If you feel it's a bug, then I can raise a PR if I get a Jira. Please
share your thoughts.
~ Sourav
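
A simplified model of the cache-key collision described in the mail above, added here as an illustration; it is not code from the original message or from Kafka. The class LoginCacheCollision, the ScopedLoginMetadata key, the stand-in LoginManager that stores a service name, and the service names "kafka-a" and "kafka-b" are all assumptions made for the example (Java 16+ for records).

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model, not Kafka's implementation. Only the three LoginMetadata
// fields and STATIC_INSTANCES are taken from the mail; the rest is hypothetical.
public class LoginCacheCollision {

    // Cache key built from the three fields listed in the mail.
    record LoginMetadata(String configInfo, Class<?> loginClass, Class<?> loginCallbackClass) {}

    // Hypothetical finer-grained key that also carries sasl.kerberos.service.name.
    record ScopedLoginMetadata(LoginMetadata base, String serviceName) {}

    // Stand-in for a login manager: remembers the service name it was created with.
    static final class LoginManager {
        final String serviceName;
        LoginManager(String serviceName) { this.serviceName = serviceName; }
    }

    static final Map<Object, LoginManager> STATIC_INSTANCES = new HashMap<>();

    // Returns the cached manager for the key, creating it only on first use.
    static LoginManager acquire(Object key, String serviceName) {
        return STATIC_INSTANCES.computeIfAbsent(key, k -> new LoginManager(serviceName));
    }

    public static void main(String[] args) {
        // Constructed sample: two clusters, same JAAS context name and classes.
        LoginMetadata metaA = new LoginMetadata("KafkaClient", Object.class, Object.class);
        LoginMetadata metaB = new LoginMetadata("KafkaClient", Object.class, Object.class);

        // Coarse key: the second cluster is handed the first cluster's manager.
        LoginManager a = acquire(metaA, "kafka-a");
        LoginManager b = acquire(metaB, "kafka-b");
        System.out.println("coarse key, same instance: " + (a == b)
                + ", cluster B is given service name: " + b.serviceName);

        // Scoped key: each cluster gets a manager built with its own service name.
        LoginManager c = acquire(new ScopedLoginMetadata(metaA, "kafka-a"), "kafka-a");
        LoginManager d = acquire(new ScopedLoginMetadata(metaB, "kafka-b"), "kafka-b");
        System.out.println("scoped key, same instance: " + (c == d)
                + ", cluster B is given service name: " + d.serviceName);
    }
}
```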