Hi Rajini,

Yes, in our case, I can see how we would add the functionality, but I
was wondering if people might be interested to directly have such a
feature in Kafka. At the moment, the authorization logic is only
invoked for new SASL (and apparently Kerberos) connections. I feel
like having the option to periodically recheck credentials for active
connections would be beneficial.

On Mon, Sep 5, 2016 at 1:22 PM, Ismael Juma <ism...@juma.me.uk> wrote:
> Hi Rajini,
>
> It's a good question and it depends on a number of details. For example,
> for short-lived certificates with long-lived connections, it would seem
> that one would have to duplicate some logic performed by the TLS stack on
> the Authorizer, which is not ideal. For the case where the Authorizer
> relies on a user's database of some sort, it seems to work OK (supposedly,
> the user DB would be updated if the user left). It would be good to think
> through use cases and figure out how this could be improved.
>
> Ismael
>
> On Mon, Sep 5, 2016 at 1:01 PM, Rajini Sivaram <rajinisiva...@googlemail.com> wrote:
>
>> Mickael,
>>
>> I imagine it is fairly easy in MessageHub to deal with expired SASL/PLAIN
>> credentials since checks can be added to the interceptor in the broker.
>>
>> Ismael,
>>
>> Is it really feasible in general to deal with expired credentials in
>> Authorizers? It sort of expects tight coupling between authenticator and
>> authorizer. Not sure how an authorizer would deal with certificate expiry
>> or certificate revocation when using SSL client auth, for instance.
>>
>>
>> On Mon, Sep 5, 2016 at 11:20 AM, Ismael Juma <ism...@juma.me.uk> wrote:
>>
>> > Hi Mickael,
>> >
>> > The Kerberos ticket refresh mechanism is there for new connections, not
>> > existing connections. Currently, the suggested approach is to rely on the
>> > authorizer to deal with expired credentials. Would this work for you?
>> >
>> > Ismael
>> >
>> > On Mon, Sep 5, 2016 at 11:13 AM, Mickael Maison <mickael.mai...@gmail.com> wrote:
>> >
>> > > Hi,
>> > >
>> > > While Kerberos has a mechanism to refresh its tickets, SASL PLAIN has
>> > > no such feature. This means if a client is connected, as far as I can
>> > > tell, we currently have no way of disconnecting him; revoking his
>> > > credentials won't help.
>> > >
>> > > I think it would be useful to have a way to force clients to refresh
>> > > their SASL session periodically and disconnect them if their
>> > > credentials have expired.
>> > >
>> > >
>> > > What do you think?
>> > >
>> >
>>
>>
>>
>> --
>> Regards,
>>
>> Rajini
>>

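The following is an added example, not code from Kafka or from any participant in the thread above. It models, with a small in-memory broker (all class and function names are hypothetical and use none of Kafka's real APIs), the three situations the thread discusses: a SASL/PLAIN credential that is revoked or expires after the connection was established, the "rely on the authorizer" approach (which can deny individual requests but never closes the connection), and the periodic recheck of active connections that Mickael proposes, which is what actually terminates the session. Timestamps are passed in explicitly so the scenario is deterministic; the users, secrets and expiry times in the demo are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import hmac


@dataclass
class Credential:
    secret: str
    expires_at: float      # epoch seconds (constructed values in the demo)
    revoked: bool = False


class CredentialStore:
    """Stand-in for the broker's user database (the 'user DB' in the thread)."""

    def __init__(self) -> None:
        self._creds: Dict[str, Credential] = {}

    def add(self, user: str, secret: str, expires_at: float) -> None:
        self._creds[user] = Credential(secret, expires_at)

    def revoke(self, user: str) -> None:
        if user in self._creds:
            self._creds[user].revoked = True

    def is_valid(self, user: str, now: float) -> bool:
        """Validity check without the secret: used by the authorizer and the recheck sweep."""
        cred = self._creds.get(user)
        return cred is not None and not cred.revoked and now < cred.expires_at

    def verify(self, user: str, secret: str, now: float) -> bool:
        """Full check with the secret: only ever run at the SASL/PLAIN handshake."""
        cred = self._creds.get(user)
        if cred is None:
            return False
        return hmac.compare_digest(cred.secret, secret) and self.is_valid(user, now)


@dataclass
class Session:
    user: str
    last_check: float      # when the credential was last validated for this connection


class Broker:
    """Hypothetical broker that tracks authenticated connections."""

    def __init__(self, store: CredentialStore, recheck_interval: float) -> None:
        self.store = store
        self.recheck_interval = recheck_interval
        self.sessions: Dict[int, Session] = {}
        self._next_id = 1

    def connect(self, user: str, secret: str, now: float) -> Optional[int]:
        """SASL/PLAIN handshake: the only place the store is consulted today."""
        if not self.store.verify(user, secret, now):
            return None
        sid = self._next_id
        self._next_id += 1
        self.sessions[sid] = Session(user, last_check=now)
        return sid

    def authorize(self, sid: int, now: float) -> bool:
        """Authorizer-based approach: denies requests from a stale credential
        but leaves the connection open, so an idle client is never dropped."""
        session = self.sessions.get(sid)
        return session is not None and self.store.is_valid(session.user, now)

    def recheck_sessions(self, now: float) -> List[str]:
        """Periodic sweep over active connections: re-validates each session whose
        last check is older than recheck_interval and closes the ones that fail.
        Returns the users whose connections were closed."""
        closed: List[str] = []
        for sid, session in list(self.sessions.items()):
            if now - session.last_check < self.recheck_interval:
                continue
            if self.store.is_valid(session.user, now):
                session.last_check = now
            else:
                closed.append(session.user)
                del self.sessions[sid]
        return sorted(closed)

    def active_users(self) -> List[str]:
        return sorted(s.user for s in self.sessions.values())


if __name__ == "__main__":
    store = CredentialStore()
    store.add("alice", "s3cret", expires_at=60.0)   # constructed demo users
    store.add("bob", "hunter2", expires_at=60.0)
    broker = Broker(store, recheck_interval=10.0)
    a = broker.connect("alice", "s3cret", now=0.0)
    b = broker.connect("bob", "hunter2", now=0.0)
    store.revoke("bob")
    print("still connected after revocation:", broker.active_users())
    print("bob's request authorized:", broker.authorize(b, now=5.0))
    print("closed by recheck at t=10:", broker.recheck_sessions(now=10.0))
    print("closed by recheck at t=70 (alice expired):", broker.recheck_sessions(now=70.0))
```

The sweep is intentionally separate from the authorizer: `authorize` is only reached when a request arrives, whereas `recheck_sessions` runs on a timer and reaches idle connections too, which is the case revocation alone cannot cover. Rechecking validity (expiry and revocation flag) rather than re-running the full handshake avoids keeping the client's secret around on the broker.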