[GitHub] [kafka] kirktrue commented on a change in pull request #11284: KAFKA-13202: KIP-768: Extend SASL/OAUTHBEARER with Support for OIDC

GitBox Wed, 27 Oct 2021 11:51:28 -0700


kirktrue commented on a change in pull request #11284:
URL: https://github.com/apache/kafka/pull/11284#discussion_r737754724




##########
File path: clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java
##########
@@ -75,30 +78,116 @@
     public static final String SASL_LOGIN_REFRESH_WINDOW_FACTOR_DOC = "Login 
refresh thread will sleep until the specified window factor relative to the"
             + " credential's lifetime has been reached, at which time it will 
try to refresh the credential."
             + " Legal values are between 0.5 (50%) and 1.0 (100%) inclusive; a 
default value of 0.8 (80%) is used"
-            + " if no value is specified. Currently applies only to 
OAUTHBEARER.";
+            + " if no value is specified."
+            + OAUTHBEARER_NOTE;
     public static final double DEFAULT_LOGIN_REFRESH_WINDOW_FACTOR = 0.80;
 
     public static final String SASL_LOGIN_REFRESH_WINDOW_JITTER = 
"sasl.login.refresh.window.jitter";
     public static final String SASL_LOGIN_REFRESH_WINDOW_JITTER_DOC = "The 
maximum amount of random jitter relative to the credential's lifetime"
             + " that is added to the login refresh thread's sleep time. Legal 
values are between 0 and 0.25 (25%) inclusive;"
-            + " a default value of 0.05 (5%) is used if no value is specified. 
Currently applies only to OAUTHBEARER.";
+            + " a default value of 0.05 (5%) is used if no value is specified."
+            + OAUTHBEARER_NOTE;
     public static final double DEFAULT_LOGIN_REFRESH_WINDOW_JITTER = 0.05;
 
     public static final String SASL_LOGIN_REFRESH_MIN_PERIOD_SECONDS = 
"sasl.login.refresh.min.period.seconds";
     public static final String SASL_LOGIN_REFRESH_MIN_PERIOD_SECONDS_DOC = 
"The desired minimum time for the login refresh thread to wait before 
refreshing a credential,"
             + " in seconds. Legal values are between 0 and 900 (15 minutes); a 
default value of 60 (1 minute) is used if no value is specified.  This value 
and "
             + " sasl.login.refresh.buffer.seconds are both ignored if their 
sum exceeds the remaining lifetime of a credential."
-            + " Currently applies only to OAUTHBEARER.";
+            + OAUTHBEARER_NOTE;
     public static final short DEFAULT_LOGIN_REFRESH_MIN_PERIOD_SECONDS = 60;
 
     public static final String SASL_LOGIN_REFRESH_BUFFER_SECONDS = 
"sasl.login.refresh.buffer.seconds";
     public static final String SASL_LOGIN_REFRESH_BUFFER_SECONDS_DOC = "The 
amount of buffer time before credential expiration to maintain when refreshing 
a credential,"
             + " in seconds. If a refresh would otherwise occur closer to 
expiration than the number of buffer seconds then the refresh will be moved up 
to maintain"
             + " as much of the buffer time as possible. Legal values are 
between 0 and 3600 (1 hour); a default value of  300 (5 minutes) is used if no 
value is specified."
             + " This value and sasl.login.refresh.min.period.seconds are both 
ignored if their sum exceeds the remaining lifetime of a credential."
-            + " Currently applies only to OAUTHBEARER.";
+            + OAUTHBEARER_NOTE;
     public static final short DEFAULT_LOGIN_REFRESH_BUFFER_SECONDS = 300;
 
+    public static final String SASL_LOGIN_CONNECT_TIMEOUT_MS = 
"sasl.login.connect.timeout.ms";
+    public static final String SASL_LOGIN_CONNECT_TIMEOUT_MS_DOC = "The 
(optional) value in milliseconds for the external authentication provider 
connection timeout."
+            + OAUTHBEARER_NOTE;
+
+    public static final String SASL_LOGIN_READ_TIMEOUT_MS = 
"sasl.login.read.timeout.ms";
+    public static final String SASL_LOGIN_READ_TIMEOUT_MS_DOC = "The 
(optional) value in milliseconds for the external authentication provider read 
timeout."
+            + OAUTHBEARER_NOTE;
+
+    private static final String EXPONENTIAL_BACKOFF_NOTE = " Login uses an 
exponential backoff algorithm with an initial wait based on the"
+            + " sasl.login.retry.backoff.ms setting and will double in wait 
length between attempts up to a maximum wait length specified by the"
+            + " sasl.login.retry.backoff.max.ms setting."
+            + OAUTHBEARER_NOTE;
+
+    public static final String SASL_LOGIN_RETRY_BACKOFF_MAX_MS = 
"sasl.login.retry.backoff.max.ms";
+    public static final long DEFAULT_SASL_LOGIN_RETRY_BACKOFF_MAX_MS = 10000;
+    public static final String SASL_LOGIN_RETRY_BACKOFF_MAX_MS_DOC = "The 
(optional) value in milliseconds for the maximum wait between login attempts to 
the"
+            + " external authentication provider."
+            + EXPONENTIAL_BACKOFF_NOTE;

Review comment:
       Renamed `EXPONENTIAL_BACKOFF_NOTE` to `LOGIN_EXPONENTIAL_BACKOFF_NOTE` 
with the existing message.
   
   Added `JWKS_EXPONENTIAL_BACKOFF_NOTE` which reads:
   
   ```
   JWKS retrieval uses an exponential backoff algorithm with an initial wait 
based on
   the sasl.oauthbearer.jwks.endpoint.retry.backoff.ms setting and will double 
in wait
   length between attempts up to a maximum wait length specified by the
   sasl.oauthbearer.jwks.endpoint.retry.backoff.max.ms setting.
   ```
   
   Updated `SASL_OAUTHBEARER_JWKS_ENDPOINT_RETRY_BACKOFF_MS` and 
`SASL_OAUTHBEARER_JWKS_ENDPOINT_RETRY_BACKOFF_MAX_MS` to reference 
`JWKS_EXPONENTIAL_BACKOFF_NOTE`.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[GitHub] [kafka] kirktrue commented on a change in pull request #11284: KAFKA-13202: KIP-768: Extend SASL/OAUTHBEARER with Support for OIDC

Reply via email to