Thank you Harsha!

On Sun, Feb 26, 2017 at 10:27 AM, Harsha Chintalapani <ka...@harsha.io>
wrote:

> Hi Christian,
>                  Kafka client connections are long-llving connections,
> hence the authentication part comes up during connection establishment and
> once we authenticate regular kafka protocols can be exchanged.
> Doing heartbeat to keep the token alive in a Authorizer is not a good idea.
> Authorizer' role is to tell if user A has permission on topic X etc.. not
> to invalidate a  user's session. Hence it won't propagate a exception into
> LoginModule. What you trying to do seems similar to DelegationToken . Have
> you checked this KIP
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-
> 48+Delegation+token+support+for+Kafka
> .
>
> Thanks,
> Harsha
>
> On Sat, Feb 25, 2017 at 6:48 PM Christian <engr...@gmail.com> wrote:
>
> > We have implemented our own LoginModule and Authorizer. The LoginModule
> > does an authentication on the client side, obtains a token and passes that
> > token down to our custom SaslServer which then verifies that this token is
> > valid. Our Authorizer gets that token and asks another custom service if
> > the necessary topic permissions are there. This is a very simplified
> > description, but it should suffice for my question.
> >
> > I've found that the LoginModule only authenticates once and passes that
> > token down once as well. Our service requires a heartbeat to keep the token
> > alive. I would like the SaslService to call our authentication service
> > every once in a while and if the token ever times out (it times out after
> > 24 hours; even with heartbeats, but heartbeats every so many minutes can
> > extend the session to 24 hours), then I'd like it to respond back to the
> > LoginModule with some sort of failed to authorize message or code.
> >
> > Once this gets passed to the Authorizer, we can extend the session by
> > querying our internal Authentication/Authorization service. I was hoping,
> > as a fallback plan that the Authorizer could do this, by simply throwing an
> > exception or failing the request when the authorization finally returns
> > false (due to session timeout), but I don't see anywhere in the
> > documentation where a certain kind of failure in the authorizer can bubble
> > up to the authenticator and I don't see how I can configure the loginmodule
> > to periodically redo authentication. Can anyone out there help me? Is the
> > Kafka SASL implementation not meant for such a complicated scenario or am I
> > just thinking about it all wrong?
> >
> > Thanks,
> > Christian
> >
>
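
The token lifetime described in the quoted question, as an added sketch that is not part of the original thread and is not Kafka code: heartbeats extend an idle timeout but never past the 24-hour hard cap, and a per-request permission check fails closed once the lease has lapsed, even though the long-lived connection was authenticated only once. All class and method names, the 10-minute idle window, the 5-minute heartbeat interval and the sample token are assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical model of the token lease described in the thread; not a Kafka API. */
public class TokenLeaseDemo {
    static final Duration IDLE_TIMEOUT = Duration.ofMinutes(10); // assumed heartbeat window
    static final Duration MAX_LIFETIME = Duration.ofHours(24);   // hard cap stated in the thread

    static final class Lease {
        final Instant issuedAt;
        volatile Instant lastHeartbeat;
        Lease(Instant now) { issuedAt = now; lastHeartbeat = now; }
        boolean isLive(Instant now) {
            boolean withinCap = now.isBefore(issuedAt.plus(MAX_LIFETIME));
            boolean notIdle = now.isBefore(lastHeartbeat.plus(IDLE_TIMEOUT));
            return withinCap && notIdle;
        }
    }

    private final Map<String, Lease> leases = new ConcurrentHashMap<>();
    private final Map<String, Set<String>> topicAcl = new ConcurrentHashMap<>();

    void issue(String token, Instant now, Set<String> topics) {
        leases.put(token, new Lease(now));
        topicAcl.put(token, topics);
    }
    /** A heartbeat only extends a lease that is still live; it never revives one. */
    boolean heartbeat(String token, Instant now) {
        Lease l = leases.get(token);
        if (l == null || !l.isLive(now)) return false;
        l.lastHeartbeat = now;
        return true;
    }
    /** Per-request check: deny once the lease has lapsed, even if the connection is open. */
    boolean authorize(String token, String topic, Instant now) {
        Lease l = leases.get(token);
        if (l == null || !l.isLive(now)) return false; // fail closed
        return topicAcl.getOrDefault(token, Set.of()).contains(topic);
    }

    public static void main(String[] args) {
        TokenLeaseDemo svc = new TokenLeaseDemo();
        Instant t0 = Instant.parse("2017-02-25T00:00:00Z"); // constructed timestamp
        svc.issue("tok-A", t0, Set.of("orders"));           // constructed token and topic
        Instant t = t0;
        // Constructed 5-minute heartbeat; the loop stops at the first rejected heartbeat.
        while (svc.heartbeat("tok-A", t.plusSeconds(300))) t = t.plusSeconds(300);
        System.out.println("last accepted heartbeat: " + t);
        System.out.println("authorized at cap: " + svc.authorize("tok-A", "orders", t0.plus(MAX_LIFETIME)));
    }
}
```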
