Date: Wed, 4 Oct 2017 17:46:00 +0000 (UTC)
From: "Rajini Sivaram (JIRA)"
To: dev@kafka.apache.org
Subject: [jira] [Resolved] (KAFKA-6004) Enable custom authentication plugins to return error messages to clients

     [ https://issues.apache.org/jira/browse/KAFKA-6004?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rajini Sivaram resolved KAFKA-6004.
-----------------------------------
    Resolution: Fixed

Issue resolved by pull request 4015
[https://github.com/apache/kafka/pull/4015]

> Enable custom authentication plugins to return error messages to clients
> ------------------------------------------------------------------------
>
>                 Key: KAFKA-6004
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6004
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>            Priority: Blocker
>             Fix For: 1.0.0
>
>
> KIP-152 enables authentication failures to be returned to clients to simplify diagnosis of security configuration issues. At the moment, a fixed message is returned to clients by SaslServerAuthenticator which says "Authentication failed due to invalid credentials with SASL mechanism $mechanism".
> We have added an error message string to SaslAuthenticateResponse to return custom messages from the broker to clients. Custom SASL server implementations may want to return more specific error messages in some cases. We should allow this by returning error messages from specific exceptions (e.g. org.apache.kafka.common.errors.SaslAuthenticationException) in SaslAuthenticateResponse. It would be better not to return the error message from SaslException since it may contain information that we do not want to leak to clients.
> We should do this for 1.0.0 to avoid compatibility issues later since third-party implementors of SASL server may assume that SaslAuthenticationException is only logged on the server and not sent to clients, making it a security risk to update later.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
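An added illustration of the distinction the issue draws, written for this page and not taken from Kafka or from pull request 4015: a hypothetical custom SASL/PLAIN server throws SaslAuthenticationException only with messages that are safe to show the client, and SaslException for internal detail that should stay in the broker log. The class name, the sample credential store and the errorMessageForClient helper (which mimics the forwarding rule the issue describes, not Kafka's SaslServerAuthenticator) are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.security.sasl.SaslException;
import org.apache.kafka.common.errors.SaslAuthenticationException;

// Hypothetical custom SASL/PLAIN server; illustration only, not Kafka's own code.
public final class CustomPlainSaslServer {
    // The fixed message the broker used before KAFKA-6004, for the fallback path.
    private static final String GENERIC_FAILURE =
        "Authentication failed due to invalid credentials with SASL mechanism PLAIN";

    // Constructed sample credential store: one user, one password.
    private static final String SAMPLE_USER = "alice";
    private static final byte[] SAMPLE_PASSWORD = "s3cret".getBytes(StandardCharsets.UTF_8);

    // Evaluates one PLAIN token ("[authzid] NUL authcid NUL passwd", RFC 4616).
    // SaslAuthenticationException carries a client-safe message; SaslException
    // carries internal detail and is only logged on the broker.
    public static String evaluateResponse(byte[] response) throws SaslException {
        String[] parts = new String(response, StandardCharsets.UTF_8).split("\0", -1);
        if (parts.length != 3) {
            // Protocol error: the exact reason stays server-side.
            throw new SaslException("Malformed PLAIN token: expected 3 fields, got " + parts.length);
        }
        String authcid = parts[1];
        byte[] password = parts[2].getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison; same message whether the user exists or not,
        // so the client learns nothing beyond "credentials rejected".
        boolean ok = SAMPLE_USER.equals(authcid) && MessageDigest.isEqual(SAMPLE_PASSWORD, password);
        if (!ok) {
            throw new SaslAuthenticationException("Authentication failed: invalid username or password");
        }
        return authcid;
    }

    // Forwarding rule as described in the issue: only a SaslAuthenticationException
    // message is placed in SaslAuthenticateResponse; anything else gets the generic text.
    public static String errorMessageForClient(Exception e) {
        if (e instanceof SaslAuthenticationException) {
            return e.getMessage();
        }
        return GENERIC_FAILURE;
    }

    public static void main(String[] args) {
        try {
            evaluateResponse("\0alice\0wrong".getBytes(StandardCharsets.UTF_8));
        } catch (Exception e) {
            System.out.println("client sees: " + errorMessageForClient(e));
        }
    }
}
```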