[ https://issues.apache.org/jira/browse/KAFKA-4544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16605944#comment-16605944 ]
Attila Sasvari commented on KAFKA-4544:
---------------------------------------

[~omkreddy] thanks for the info, I extended the test case to better cover the lifecycle of a delegation token based on your idea:
- Create delegation token
- Create a console-producer using SCRAM and delegation token and produce a message
- Verify message is created (with kafka.search_data_files() )
- Create a console-consumer using SCRAM and delegation token and consume 1 message
- Expire the token, immediately
- Try producing one more message with the expired token
- Verify the last message is not persisted by the broker

Initially, I wanted to use console_consumer.py and verifiable clients to validate things (messages produced / consumed), but I ran into some issues:
- jaas.conf / KafkaClient config cannot include more login modules
{code}
Multiple LoginModule-s in JAAS
Caused by: java.lang.IllegalArgumentException: JAAS config property contains 2 login modules, should be 1 module
	at org.apache.kafka.common.security.JaasContext.load(JaasContext.java:95)
	at org.apache.kafka.common.security.JaasContext.loadClientContext(JaasContext.java:84)
	at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:119)
	at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:65)
	at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:88)
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:419)
{code}
- To request a delegation token, we need GSSAPI (and use keytab), subsequently, consumers and producers use the delegation token. So I ended up constructing manually the jaas.config and client configs in my POC.
- With and even without my changes, JMX failed to start up when I tried to run {{./ducker-ak test ../kafkatest/sanity_checks/test_console_consumer.py}}:
{code}
Exception in thread ConsoleConsumer-0-140287252789520-worker-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/local/lib/python2.7/dist-packages/ducktape/services/background_thread.py", line 35, in _protected_worker
    self._worker(idx, node)
  File "/opt/kafka-dev/tests/kafkatest/services/console_consumer.py", line 229, in _worker
    self.start_jmx_tool(idx, node)
  File "/opt/kafka-dev/tests/kafkatest/services/monitor/jmx.py", line 86, in start_jmx_tool
    wait_until(lambda: self._jmx_has_output(node), timeout_sec=10, backoff_sec=.5, err_msg="%s: Jmx tool took too long to start" % node.account)
  File "/usr/local/lib/python2.7/dist-packages/ducktape/utils/util.py", line 36, in wait_until
    raise TimeoutError(err_msg)
TimeoutError: ducker@ducker04: Jmx tool took too long to start
{code}

Right now a lot of things are [hardcoded|https://github.com/asasvari/kafka/commit/edfc37012079764d2a589dbf5f24ad04505975d4#diff-3e7b2bdbd55d075bcebbbe5ba8c4e269] (using shell scripts) in my POC. It would be nice to extract common functionalities and make them easily reusable (e.g. creating wrappers in python, for example, to do delegation token handling).

> Add system tests for delegation token based authentication
> ----------------------------------------------------------
>
> Key: KAFKA-4544
> URL: https://issues.apache.org/jira/browse/KAFKA-4544
> Project: Kafka
> Issue Type: Sub-task
> Components: security
> Reporter: Ashish Singh
> Assignee: Attila Sasvari
> Priority: Major
>
> Add system tests for delegation token based authentication.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
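The one-login-module limit and the delegation token client settings discussed in the comment above, as an added example that is not part of the original comment or of kafkatest: a Python helper that builds the SCRAM client properties for a delegation token and rejects a JAAS value with more than one login module before a client is started. The function names, the `SASL_PLAINTEXT` and `SCRAM-SHA-256` defaults and the simple quote handling are assumptions; `tokenauth="true"` is the `ScramLoginModule` option Kafka uses for delegation tokens.

```python
# Added example; helper names are hypothetical, not kafkatest code.
SCRAM_MODULE = "org.apache.kafka.common.security.scram.ScramLoginModule"


def split_login_modules(jaas_value):
    """Split a sasl.jaas.config value into its login module entries.

    Each entry ends with ';'. A ';' inside a double-quoted option value
    (a password, for instance) does not end the entry.
    """
    entries, current, in_quotes = [], [], False
    for ch in jaas_value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if in_quotes or "".join(current).strip():
        raise ValueError("JAAS value has an unterminated quote or entry")
    return [e for e in entries if e]


def require_single_module(jaas_value):
    """Fail before client start-up if the value does not hold exactly one module."""
    count = len(split_login_modules(jaas_value))
    if count != 1:
        raise ValueError(
            "JAAS config property contains %d login modules, should be 1 module" % count)
    return jaas_value


def token_client_config(token_id, token_hmac, mechanism="SCRAM-SHA-256",
                        protocol="SASL_PLAINTEXT"):
    """Client properties that authenticate with a delegation token over SCRAM."""
    # Assumed defaults: mechanism and protocol must match the broker listener.
    for value in (token_id, token_hmac):
        if '"' in value or "\\" in value:
            raise ValueError("quote or backslash in token field")
    jaas = '%s required username="%s" password="%s" tokenauth="true";' % (
        SCRAM_MODULE, token_id, token_hmac)
    return {
        "security.protocol": protocol,
        "sasl.mechanism": mechanism,
        "sasl.jaas.config": require_single_module(jaas),
    }
```

The token HMAC is a credential, so a wrapper like this should write the resulting properties to a file readable only by the test user rather than passing them on a command line.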