[
https://issues.apache.org/jira/browse/KAFKA-4764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15997421#comment-15997421
]
Rajini Sivaram commented on KAFKA-4764:
---------------------------------------
[~junrao] Yes, Zookeeper does the same as Kafka does today. As an example, with
a wrong password for the ZK client, the logs in Kafka show:
{quote}
DEBUG saslClient.evaluateChallenge(len=101)
(org.apache.zookeeper.client.ZooKeeperSaslClient)
DEBUG ClientCnxn:sendSaslPacket:length=276
(org.apache.zookeeper.client.ZooKeeperSaslClient)
INFO Unable to read additional data from server sessionid 0x15bd52108ef0003,
likely server has closed socket, closing socket connection and attempting
reconnect (org.apache.zookeeper.ClientCnxn)
{quote}
The issue with treating any disconnects during authentication as authentication
failures is that we may incorrectly report authentication failure for a
correctly configured client because a broker was restarting. Also, if we want
to treat authentication exceptions as non-retriable exceptions, we need to be
sure that the connection failure was actually an authentication exception. I
suppose if we want the simplest solution, we could simply log that connection
failed during authentication with a hint that it may be an authentication
failure. And retry as we do today.
The proposal in
[https://cwiki.apache.org/confluence/display/KAFKA/KIP-152+-+Improve+diagnostics+for+SASL+authentication+failures]
is different from the description in this JIRA. In case you haven't seen the
KIP, can you take a look? It is a much bigger change, but helps to ensure that
we can identify and treat authentication failures differently from any other
form of network error.
Thank you....
> Improve diagnostics for SASL authentication failures
> ----------------------------------------------------
>
> Key: KAFKA-4764
> URL: https://issues.apache.org/jira/browse/KAFKA-4764
> Project: Kafka
> Issue Type: Improvement
> Components: security
> Affects Versions: 0.10.2.0
> Reporter: Rajini Sivaram
> Assignee: Rajini Sivaram
> Fix For: 0.11.0.0
>
>
> At the moment, broker closes the client connection if SASL authentication
> fails. Clients see this as a connection failure and do not get any feedback
> for the reason why the connection was closed. Producers and consumers retry,
> attempting to create successful connections, treating authentication failures
> as transient failures. There are no log entries on the client-side which
> indicate that any of these connection failures were due to authentication
> failure.
> This JIRA will aim to improve diagnosis of authentication failures with the
> following changes:
> - Broker will send an authentication error code if SASL authentication fails,
> just before closing the connection. This will be treated as an invalid token
> by the client authenticator, and the error handling for invalid tokens will
> be updated to report authentication failure for this case. This is a bit of a
> hack, but would work with GSSAPI, PLAIN and SCRAM. SASL itself doesn't
> provide a mechanism-independent way of reporting authentication failures. An
> alternative would be to wrap SASL authentication in Kafka request/response to
> enables error codes to be sent as Kafka response, but that would be a much
> bigger change.
> - Log a warning in clients for authentication failures, distinguishing these
> from EOF exceptions due to connection failure
> - Blackout nodes to which connection failed due to authentication error, no
> more attempts will be made to connect to these nodes.
> - We should use the connection state to improve handling of producer/consumer
> requests, avoiding unnecessary blocking. This will not be addressed in this
> JIRA, KAFKA-3899 should be able to use the additional state from JIRA to fix
> this issue.
> This JIRA also does not change handling of SSL authentication failures.
> javax.net.debug provides sufficient diagnostics for this case, I don't
> believe there is sufficient information in `SslTransportLayer` to treat these
> in a consistent way with SASL authentication failures.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
