[jira] [Updated] (KAFKA-14681) Refreshing Kerberos TGT is not using CallbackHandler (causing failure to refresh)

2023-02-06 Thread Vlad D. (Jira)


 [ 
https://issues.apache.org/jira/browse/KAFKA-14681?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vlad D. updated KAFKA-14681:

Description: 
The JAAS + Kerberos authentication in KerberosLogin.java class, when obtaining 
Kerberos TGT, makes use of the client-provided callback handler. This is a 
must-have when the security configuration is not default.

However, the same code, when it is time to renew the Kerberos TGT ticket, 
ignores the provided callback. That works OK for default configuration (JAAS 
configuration, Kerberos config and keytab are available).

But when the security configuration sources are custom, and the default 
Kerberos code is not supporting them, the callback is to be used to obtain the 
configuration properties.

A fix is done to pass the same callback handler in KerberosLogin::reLogin and 
store the callback handler in the super class AbstractLogin, similar to 
contextName and configuration.

The fix is in PR [https://github.com/apache/kafka/pull/13081]

It is tested in our SFT environments and works fine.

  was:
The JAAS + Kerberos authentication in KerberosLogin.java class, when obtaining 
Kerberos TGT, makes use of the client-provided callback handler. This is a 
must-have when the security configuration is not default.

However, the same code, when it is time to renew the Kerberos TGT ticket, 
ignores the provided ticket. That works OK for default configuration (JAAS 
configuration, Kerberos config and keytab are available).

But when the security configuration sources are custom, and the default 
Kerberos code is not supporting them, the callback is to be used to obtain the 
configuration properties.

A fix is done to pass the same callback handler in KerberosLogin::reLogin and 
store the callback handler in the super class AbstractLogin, similar to 
contextName and configuration.

The fix is in PR [https://github.com/apache/kafka/pull/13081]

It is tested in our SFT environments and works fine.


> Refreshing Kerberos TGT is not using CallbackHandler (causing failure to 
> refresh)
> -
>
> Key: KAFKA-14681
> URL: https://issues.apache.org/jira/browse/KAFKA-14681
> Project: Kafka
>  Issue Type: Bug
>  Components: security
>Reporter: Vlad D.
>Priority: Major
>  Labels: kerberos, security
>
> The JAAS + Kerberos authentication in KerberosLogin.java class, when 
> obtaining Kerberos TGT, makes use of the client-provided callback handler. 
> This is a must-have when the security configuration is not default.
> However, the same code, when it is time to renew the Kerberos TGT ticket, 
> ignores the provided callback. That works OK for default configuration (JAAS 
> configuration, Kerberos config and keytab are available).
> But when the security configuration sources are custom, and the default 
> Kerberos code is not supporting them, the callback is to be used to obtain 
> the configuration properties.
> A fix is done to pass the same callback handler in KerberosLogin::reLogin and 
> store the callback handler in the super class AbstractLogin, similar to 
> contextName and configuration.
> The fix is in PR [https://github.com/apache/kafka/pull/13081]
> It is tested in our SFT environments and works fine.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KAFKA-14681) Refreshing Kerberos TGT is not using CallbackHandler (causing failure to refresh)

2023-02-06 Thread Vlad D. (Jira)


 [ 
https://issues.apache.org/jira/browse/KAFKA-14681?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vlad D. updated KAFKA-14681:

Description: 
The JAAS + Kerberos authentication in KerberosLogin.java class, when obtaining 
Kerberos TGT, makes use of the client-provided callback handler. This is a 
must-have when the security configuration is not default.

However, the same code, when it is time to renew the Kerberos TGT ticket, 
ignores the provided callback. That works OK for default configuration (JAAS 
configuration, Kerberos config and keytab are available).

But when the security configuration sources are custom, and the default 
Kerberos code is not supporting them, the callback is to be used even for TGT 
refresh to obtain the configuration properties.

A fix is done to pass the same callback handler in KerberosLogin::reLogin and 
store the callback handler in the super class AbstractLogin, similar to 
contextName and configuration.

The fix is in PR [https://github.com/apache/kafka/pull/13081]

It is tested in our SFT environments and works fine.

  was:
The JAAS + Kerberos authentication in KerberosLogin.java class, when obtaining 
Kerberos TGT, makes use of the client-provided callback handler. This is a 
must-have when the security configuration is not default.

However, the same code, when it is time to renew the Kerberos TGT ticket, 
ignores the provided callback. That works OK for default configuration (JAAS 
configuration, Kerberos config and keytab are available).

But when the security configuration sources are custom, and the default 
Kerberos code is not supporting them, the callback is to be used to obtain the 
configuration properties.

A fix is done to pass the same callback handler in KerberosLogin::reLogin and 
store the callback handler in the super class AbstractLogin, similar to 
contextName and configuration.

The fix is in PR [https://github.com/apache/kafka/pull/13081]

It is tested in our SFT environments and works fine.


> Refreshing Kerberos TGT is not using CallbackHandler (causing failure to 
> refresh)
> -
>
> Key: KAFKA-14681
> URL: https://issues.apache.org/jira/browse/KAFKA-14681
> Project: Kafka
>  Issue Type: Bug
>  Components: security
>Reporter: Vlad D.
>Priority: Major
>  Labels: kerberos, security
>
> The JAAS + Kerberos authentication in KerberosLogin.java class, when 
> obtaining Kerberos TGT, makes use of the client-provided callback handler. 
> This is a must-have when the security configuration is not default.
> However, the same code, when it is time to renew the Kerberos TGT ticket, 
> ignores the provided callback. That works OK for default configuration (JAAS 
> configuration, Kerberos config and keytab are available).
> But when the security configuration sources are custom, and the default 
> Kerberos code is not supporting them, the callback is to be used even for TGT 
> refresh to obtain the configuration properties.
> A fix is done to pass the same callback handler in KerberosLogin::reLogin and 
> store the callback handler in the super class AbstractLogin, similar to 
> contextName and configuration.
> The fix is in PR [https://github.com/apache/kafka/pull/13081]
> It is tested in our SFT environments and works fine.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KAFKA-14681) Refreshing Kerberos TGT is not using CallbackHandler (causing failure to refresh)

2023-02-06 Thread Vlad D. (Jira)


 [ 
https://issues.apache.org/jira/browse/KAFKA-14681?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vlad D. updated KAFKA-14681:

Description: 
The JAAS + Kerberos authentication in KerberosLogin.java class, when obtaining 
Kerberos TGT, makes use of the client-provided callback handler. This is a 
must-have when the security configuration is not default.

However, the same code, when it is time to renew the Kerberos TGT ticket, 
ignores the provided ticket. That works OK for default configuration (JAAS 
configuration, Kerberos config and keytab are available).

But when the security configuration sources are custom, and the default 
Kerberos code is not supporting them, the callback is to be used to obtain the 
configuration properties.

A fix is done to pass the same callback handler in KerberosLogin::reLogin and 
store the callback handler in the super class AbstractLogin, similar to 
contextName and configuration.

The fix is in PR [https://github.com/apache/kafka/pull/13081]

It is tested in our SFT environments and works fine.

  was:
The SASL + Kerberos authentication in KerberosLogin.java class, when obtaining 
Kerberos TGT, makes use of the client-provided callback handler. This is a 
must-have when the security configuration is not default.

However, the same code, when it is time to renew the Kerberos TGT ticket, 
ignores the provided ticket. That works OK for default configuration (JAAS 
configuration, Kerberos config and keytab are available).

But when the security configuration sources are custom, and the default 
Kerberos code is not supporting them, the callback is to be used to obtain the 
configuration properties.

A fix is done to pass the same callback handler in KerberosLogin::reLogin and 
store the callback handler in the super class AbstractLogin, similar to 
contextName and configuration.

The fix is in PR [https://github.com/apache/kafka/pull/13081]

It is tested in our SFT environments and works fine.


> Refreshing Kerberos TGT is not using CallbackHandler (causing failure to 
> refresh)
> -
>
> Key: KAFKA-14681
> URL: https://issues.apache.org/jira/browse/KAFKA-14681
> Project: Kafka
>  Issue Type: Bug
>  Components: security
>Reporter: Vlad D.
>Priority: Major
>  Labels: kerberos, security
>
> The JAAS + Kerberos authentication in KerberosLogin.java class, when 
> obtaining Kerberos TGT, makes use of the client-provided callback handler. 
> This is a must-have when the security configuration is not default.
> However, the same code, when it is time to renew the Kerberos TGT ticket, 
> ignores the provided ticket. That works OK for default configuration (JAAS 
> configuration, Kerberos config and keytab are available).
> But when the security configuration sources are custom, and the default 
> Kerberos code is not supporting them, the callback is to be used to obtain 
> the configuration properties.
> A fix is done to pass the same callback handler in KerberosLogin::reLogin and 
> store the callback handler in the super class AbstractLogin, similar to 
> contextName and configuration.
> The fix is in PR [https://github.com/apache/kafka/pull/13081]
> It is tested in our SFT environments and works fine.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)