kafka-dev mailing list archives

From "Gwen Shapira (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos
Date Mon, 03 Nov 2014 18:15:34 GMT

    [ https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14194818#comment-14194818 ]

Gwen Shapira commented on KAFKA-1686:
-------------------------------------

An existing long-lived connection doesn't require renewing, since the ticket is only validated
on the initial handshake.
(Yes, it does make it difficult to "invalidate" clients, but this is pretty normal for most
kerberized services)
If the connection drops or the client needs another connection (perhaps when rebalancing?),
the client needs to renew the ticket and present a new one.


> Implement SASL/Kerberos
> -----------------------
>
>                 Key: KAFKA-1686
>                 URL: https://issues.apache.org/jira/browse/KAFKA-1686
>             Project: Kafka
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 0.9.0
>            Reporter: Jay Kreps
>            Assignee: Sriharsha Chintalapani
>             Fix For: 0.9.0
>
>
> Implement SASL/Kerberos authentication.
> To do this we will need to introduce a new SASLRequest and SASLResponse pair to the client
> protocol. This request and response will each have only a single byte[] field and will be
> used to handle the SASL challenge/response cycle. Doing this will initialize the SaslServer
> instance and associate it with the session in a manner similar to KAFKA-1684.
> When using integrity or encryption mechanisms with SASL we will need to wrap and unwrap
> bytes as in KAFKA-1684 so the same interface that covers the SSLEngine will need to also cover
> the SaslServer instance.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
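
The challenge/response cycle and the handshake-only credential check discussed above, as an added example that is not part of the original message or of Kafka's code. Assumptions: the `SaslRequest`/`SaslResponse` records are hypothetical stand-ins for the proposed pair, DIGEST-MD5 is substituted for GSSAPI/Kerberos so the loop runs without a KDC, the account, service and host names are constructed, and it needs Java 17+ with DIGEST-MD5 enabled in the JDK's SASL provider.

```java
import javax.security.auth.callback.*;
import javax.security.sasl.*;
import java.nio.charset.StandardCharsets;
import java.util.Map;

public class SaslHandshakeDemo {
    // Hypothetical stand-ins for the proposed SASLRequest/SASLResponse: one byte[] field each.
    record SaslRequest(byte[] token) {}
    record SaslResponse(byte[] token) {}

    public static void main(String[] args) throws Exception {
        // Constructed credential for a single constructed account ("alice").
        char[] pw = "constructed-secret".toCharArray();
        Map<String, String> props = Map.of(Sasl.QOP, "auth-int"); // integrity => wrap/unwrap
        CallbackHandler clientCb = cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback n) n.setName("alice");
                else if (cb instanceof PasswordCallback p) p.setPassword(pw);
                else if (cb instanceof RealmCallback r) r.setText(r.getDefaultText());
            }
        };
        CallbackHandler serverCb = cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof PasswordCallback p) p.setPassword(pw); // lookup for the one account
                else if (cb instanceof AuthorizeCallback a)
                    a.setAuthorized(a.getAuthenticationID().equals(a.getAuthorizationID()));
            }
        };
        // The broker would create one SaslServer per connection and keep it with the session.
        SaslServer server = Sasl.createSaslServer("DIGEST-MD5", "kafka", "broker.example", props, serverCb);
        SaslClient client = Sasl.createSaslClient(new String[]{"DIGEST-MD5"}, null, "kafka",
                "broker.example", props, clientCb);

        // Challenge/response cycle: each side only ever sees the other's opaque byte[].
        SaslRequest req = new SaslRequest(client.hasInitialResponse()
                ? client.evaluateChallenge(new byte[0]) : new byte[0]);
        while (!server.isComplete()) {
            SaslResponse resp = new SaslResponse(server.evaluateResponse(req.token()));
            if (!client.isComplete()) req = new SaslRequest(client.evaluateChallenge(resp.token()));
        }
        System.out.println("authenticated as " + server.getAuthorizationID());

        // From here on the session's SaslServer is used only to wrap/unwrap; the
        // credential presented during the handshake is never evaluated again.
        byte[] msg = "produce-request".getBytes(StandardCharsets.UTF_8);
        byte[] wire = client.wrap(msg, 0, msg.length);
        byte[] plain = server.unwrap(wire, 0, wire.length);
        System.out.println(new String(plain, StandardCharsets.UTF_8));
    }
}
```

With GSSAPI the tokens carried in the same loop would be Kerberos tokens, and the ticket lifetime would be checked inside `evaluateResponse` during the handshake only.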
