[ https://issues.apache.org/jira/browse/KAFKA-6004?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rajini Sivaram resolved KAFKA-6004.
-----------------------------------
    Resolution: Fixed

Issue resolved by pull request 4015
[https://github.com/apache/kafka/pull/4015]

> Enable custom authentication plugins to return error messages to clients
> ------------------------------------------------------------------------
>
>                 Key: KAFKA-6004
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6004
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>            Priority: Blocker
>             Fix For: 1.0.0
>
>
> KIP-152 enables authentication failures to be returned to clients to simplify
> diagnosis of security configuration issues. At the moment, a fixed message is
> returned to clients by SaslServerAuthenticator which says "Authentication
> failed due to invalid credentials with SASL mechanism $mechanism".
> We have added an error message string to SaslAuthenticateResponse to return
> custom messages from the broker to clients. Custom SASL server
> implementations may want to return more specific error messages in some
> cases. We should allow this by returning error messages from specific
> exceptions (e.g. org.apache.kafka.common.errors.SaslAuthenticationException)
> in SaslAuthenticateResponse. It would be better not to return the error
> message from SaslException since it may contain information that we do not
> want to leak to clients.
> We should do this for 1.0.0 to avoid compatibility issues later since third
> party implementors of SASL server may assume that SaslAuthenticationException
> is only logged on the server and not sent to clients, making it a security
> risk to update later.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
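As an added illustration of the rule described in the issue (this is not code from the Kafka pull request or from the project): a broker-side helper that forwards the message of a SaslAuthenticationException to the client in the SaslAuthenticateResponse, but substitutes the fixed generic message for any other failure, including SaslException, whose text may carry internal details. The class name, method name and sample failure messages are assumptions made for the example.

```java
import javax.security.sasl.SaslException;
import org.apache.kafka.common.errors.SaslAuthenticationException;

// Illustrative helper, not Kafka's SaslServerAuthenticator: decides which
// text a broker may safely place in the SaslAuthenticateResponse error message.
public final class SaslErrorMessagePolicy {

    // Fixed message the issue quotes as the broker's default.
    private static final String GENERIC =
        "Authentication failed due to invalid credentials with SASL mechanism ";

    // SaslAuthenticationException is thrown deliberately by the SASL server
    // implementation with a message intended for the client, so it is returned
    // as-is. Any other failure (notably javax.security.sasl.SaslException) may
    // describe backend hosts, config files or stack details, so the client only
    // receives the generic message; the full exception belongs in the broker log.
    public static String clientMessage(Throwable failure, String mechanism) {
        if (failure instanceof SaslAuthenticationException && failure.getMessage() != null) {
            return failure.getMessage();
        }
        return GENERIC + mechanism;
    }

    // Indicates whether the detailed text should be logged server-side only.
    public static boolean logOnlyOnServer(Throwable failure) {
        return !(failure instanceof SaslAuthenticationException);
    }

    public static void main(String[] args) {
        // Constructed sample failures, not taken from a real broker.
        Throwable forClient = new SaslAuthenticationException(
            "Token expired; obtain a new token from the issuer");
        Throwable internal = new SaslException(
            "Bind to ldap://dir.internal:389 failed: connection refused");

        // Prints the custom message: the plugin chose to expose it.
        System.out.println(clientMessage(forClient, "OAUTHBEARER"));
        // Prints the generic message: the LDAP host name stays in the broker log.
        System.out.println(clientMessage(internal, "PLAIN"));
        System.out.println("log internal details only: " + logOnlyOnServer(internal));
    }
}
```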