[
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14194924#comment-14194924
]
Gwen Shapira commented on KAFKA-1686:
-------------------------------------
Yep, we normally only check ticket during the handshake.
It is probably different for sessions encrypted by SASL, and we never specified
if we want to use this feature.
When encrypting, the ticket is used for decryption, so it must be valid. I
think the client includes the ticket in the encrypted workload, so there's
always a recent ticket and again, the client renews it.
The part we need to worry about in the server is the ticket for Kafka's
authentication - since we need to keep it renewed to be able to accept
connections. My current idea is adding KerberosTicketManager, that will be
started by KafkaServer (similar to replicaManager, offsetManager, etc).
> Implement SASL/Kerberos
> -----------------------
>
> Key: KAFKA-1686
> URL: https://issues.apache.org/jira/browse/KAFKA-1686
> Project: Kafka
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.9.0
> Reporter: Jay Kreps
> Assignee: Sriharsha Chintalapani
> Fix For: 0.9.0
>
>
> Implement SASL/Kerberos authentication.
> To do this we will need to introduce a new SASLRequest and SASLResponse pair
> to the client protocol. This request and response will each have only a
> single byte[] field and will be used to handle the SASL challenge/response
> cycle. Doing this will initialize the SaslServer instance and associate it
> with the session in a manner similar to KAFKA-1684.
> When using integrity or encryption mechanisms with SASL we will need to wrap
> and unwrap bytes as in KAFKA-1684 so the same interface that covers the
> SSLEngine will need to also cover the SaslServer instance.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
