kafka-dev mailing list archives

From Rajini Sivaram <rajinisiva...@googlemail.com>
Subject Re: SASL session expiry
Date Mon, 05 Sep 2016 12:01:11 GMT
Mickael,

I imagine it is fairly easy in MessageHub to deal with expired SASL/PLAIN
credentials since checks can be added to the interceptor in the broker.

Ismael,

Is it really feasible in general to deal with expired credentials in
Authorizers? It sort of expects tight coupling between authenticator and
authorizer. Not sure how an authorizer would deal with certificate expiry
or certificate revocation when using SSL client auth for instance.


On Mon, Sep 5, 2016 at 11:20 AM, Ismael Juma <ismael@juma.me.uk> wrote:

> Hi Mickael,
>
> The Kerberos ticket refresh mechanism is there for new connections, not
> existing connections. Currently, the suggested approach is to rely on the
> authorizer to deal with expired credentials. Would this work for you?
>
> Ismael
>
> On Mon, Sep 5, 2016 at 11:13 AM, Mickael Maison <mickael.maison@gmail.com>
> wrote:
>
> > Hi,
> >
> > While Kerberos has a mechanism to refresh its tickets, SASL PLAIN has
> > no such feature. This means if a client is connected, as far as I can
> > tell, we currently have no way of disconnecting him; revoking his
> > credentials won't help.
> >
> > I think it would be useful to have a way to force clients to refresh
> > their SASL session periodically and disconnect them if their
> > credentials have expired.
> >
> >
> > What do you think?
> >
>



-- 
Regards,

Rajini
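
The gap raised in this thread (credentials checked only when the connection is opened) next to the proposed periodic re-authentication, as an added Python model that is not part of the original messages and is not Kafka code. `Broker`, `Connection`, `max_session_secs` and the sample user are hypothetical names constructed for the illustration.

```python
import hmac
from dataclasses import dataclass

@dataclass
class Connection:
    user: str
    authenticated_at: float
    open: bool = True

class Broker:
    """Toy model; `users` is a constructed in-memory SASL/PLAIN database."""
    def __init__(self, users, max_session_secs=None):
        self.users = users                        # user -> password
        self.max_session_secs = max_session_secs  # None: authenticate at connect only

    def verify(self, user, password):
        stored = self.users.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

    def connect(self, user, password, now):
        return Connection(user, now) if self.verify(user, password) else None

    def handle_request(self, conn, now, reauth_password=None):
        """Return 'ok', 'reauth_required' or 'disconnected'."""
        if not conn.open:
            return "disconnected"
        if self.max_session_secs is None or now - conn.authenticated_at < self.max_session_secs:
            return "ok"                           # session still considered valid
        if reauth_password is None:
            return "reauth_required"              # client must present credentials again
        if self.verify(conn.user, reauth_password):
            conn.authenticated_at = now           # fresh session
            return "ok"
        conn.open = False                         # revoked or expired credential
        return "disconnected"

def demo(max_session_secs):
    users = {"alice": "s3cret"}                   # constructed sample credential
    broker = Broker(users, max_session_secs)
    conn = broker.connect("alice", "s3cret", now=0)
    del users["alice"]                            # credential revoked after connect
    results = []
    for now in (30, 120, 130):
        status = broker.handle_request(conn, now)
        if status == "reauth_required":           # client retries with its old password
            status = broker.handle_request(conn, now, reauth_password="s3cret")
        results.append(status)
    return results

if __name__ == "__main__":
    print("no session limit:", demo(None))
    print("60 s session limit:", demo(60))
```

With no session limit the revoked user keeps being served on the existing connection; with a limit, the revocation takes effect at the first request after the session lifetime elapses.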
