[ https://issues.apache.org/jira/browse/KAFKA-4764?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16135869#comment-16135869 ]
ASF GitHub Bot commented on KAFKA-4764: --------------------------------------- GitHub user rajinisivaram opened a pull request: https://github.com/apache/kafka/pull/3708 [WIP] KAFKA-4764: Wrap SASL tokens in Kafka headers to improve diagnostics SASL handshake protocol changes from KIP-152. You can merge this pull request into a Git repository by running: $ git pull https://github.com/rajinisivaram/kafka KAFKA-4764-SASL-diagnostics Alternatively you can review and apply these changes as the patch at: https://github.com/apache/kafka/pull/3708.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #3708 ---- commit 61d5c38a120bc9fa4b6b8cbedb6c3f007ece0490 Author: Rajini Sivaram <rajinisiva...@googlemail.com> Date: 2017-08-21T18:59:43Z KAFKA-4764: Wrap SASL tokens in Kafka headers to improve diagnostics ---- > Improve diagnostics for SASL authentication failures > ---------------------------------------------------- > > Key: KAFKA-4764 > URL: https://issues.apache.org/jira/browse/KAFKA-4764 > Project: Kafka > Issue Type: Improvement > Components: security > Affects Versions: 0.10.2.0 > Reporter: Rajini Sivaram > Assignee: Rajini Sivaram > Fix For: 1.0.0 > > > At the moment, broker closes the client connection if SASL authentication > fails. Clients see this as a connection failure and do not get any feedback > for the reason why the connection was closed. Producers and consumers retry, > attempting to create successful connections, treating authentication failures > as transient failures. There are no log entries on the client-side which > indicate that any of these connection failures were due to authentication > failure. > This JIRA will aim to improve diagnosis of authentication failures with the > following changes: > - Broker will send an authentication error code if SASL authentication fails, > just before closing the connection. This will be treated as an invalid token > by the client authenticator, and the error handling for invalid tokens will > be updated to report authentication failure for this case. This is a bit of a > hack, but would work with GSSAPI, PLAIN and SCRAM. SASL itself doesn't > provide a mechanism-independent way of reporting authentication failures. An > alternative would be to wrap SASL authentication in Kafka request/response to > enables error codes to be sent as Kafka response, but that would be a much > bigger change. > - Log a warning in clients for authentication failures, distinguishing these > from EOF exceptions due to connection failure > - Blackout nodes to which connection failed due to authentication error, no > more attempts will be made to connect to these nodes. > - We should use the connection state to improve handling of producer/consumer > requests, avoiding unnecessary blocking. This will not be addressed in this > JIRA, KAFKA-3899 should be able to use the additional state from JIRA to fix > this issue. > This JIRA also does not change handling of SSL authentication failures. > javax.net.debug provides sufficient diagnostics for this case, I don't > believe there is sufficient information in `SslTransportLayer` to treat these > in a consistent way with SASL authentication failures. -- This message was sent by Atlassian JIRA (v6.4.14#64029)