kafka-jira mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KAFKA-6004) Enable custom authentication plugins to return error messages to clients
Date Wed, 04 Oct 2017 17:47:00 GMT

    [ https://issues.apache.org/jira/browse/KAFKA-6004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16191694#comment-16191694
] 

ASF GitHub Bot commented on KAFKA-6004:
---------------------------------------

Github user asfgit closed the pull request at:

    https://github.com/apache/kafka/pull/4015


> Enable custom authentication plugins to return error messages to clients
> ------------------------------------------------------------------------
>
>                 Key: KAFKA-6004
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6004
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>            Priority: Blocker
>             Fix For: 1.0.0
>
>
> KIP-152 enables authentication failures to be returned to clients to simplify diagnosis
of security configuration issues. At the moment, a fixed message is returned to clients by
SaslServerAuthenticator which says "Authentication failed due to invalid credentials with
SASL mechanism $mechanism".
> We have added an error message string to SaslAuthenticateResponse to return custom messages
from the broker to clients. Custom SASL server implementations may want to return more specific
error messages in some cases. We should allow this by returning error messages from specific
exceptions (e.g. org.apache.kafka.common.errors.SaslAuthenticationException) in SaslAuthenticateResponse.
It would be better not to return the error message from SaslException since it may contain
information that we do not want to leak to clients.
> We should do this for 1.0.0 to avoid compatibility issues later since third party implementors
of SASL server may assume that SaslAuthenticationException is only logged on the server and
not sent to clients, making it a security risk to update later.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message