kafka-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ron Dagostino <rndg...@gmail.com>
Subject Re: [DISCUSS] KIP-342 Add Customizable SASL extensions to OAuthBearer authentication
Date Wed, 18 Jul 2018 16:49:52 GMT
Hi Stanislav.  Could you add something to the KIP about the security
implications related to the CSV name/value pairs sent in the extension?
For example, the OAuth access token may have a digital signature, but the
extensions generally will not (unless one of the values is a JWS compact
serialization, but I doubt anyone would go that far), so the server
generally cannot trust the extensions to be accurate for anything
critical.  You mentioned the "better tracing and troubleshooting" use case,
which I think is fine despite the lack of security; given that lack of
security, though, I believe it is important to also state what the
extensions should *not* be used for.

Also, could you indicate in the KIP how the extensions might actually be
added?  My take on that would be to extend OAuthBearerLoginModule to
override the initialize() and commit() methods so that the derived class
would have access to the Subject instance and could add a map to the
subject's public or private credentials when the commit succeeds; then I
think the sasl.client.callback.handler.class would have to be explicitly
set to a class that extends the default implementation
(OAuthBearerSaslClientCallbackHandler) and retrieves the map when handling
the SaslExtensionsCallback.  But maybe you are thinking about it
differently?  Some guidance on how to actually take advantage of the
feature via an implementation would be a useful addition to the KIP.

Finally, I note that the extension parsing does not support a comma in keys
or values.  This should be addressed somehow -- either by supporting via an
escaping mechanism or by explicitly acknowledging that it is unsupported.

Thanks for the KIP and the simultaneous PR -- having both at the same time
really helped.

Ron

On Tue, Jul 17, 2018 at 6:22 PM Stanislav Kozlovski <stanislav@confluent.io>
wrote:

> Hey group,
>
> I just created a new KIP about adding customizable SASL extensions to the
> OAuthBearer authentication mechanism. More details in the proposal
>
> KIP:
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-342%3A+Add+support+for+Custom+SASL+extensions+in+OAuthBearer+authentication
> JIRA: KAFKA-7169 <https://issues.apache.org/jira/browse/KAFKA-7169>
> PR: Pull request <https://github.com/apache/kafka/pull/5379>
>
> --
> Best,
> Stanislav
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message