Re: [Possible bug] Failing to use multiple client for multiple cluster using SASL channel.

Tue, 07 Feb 2023 22:46:07 -0800 

Hi Sourav,

To create a JIRA account, in addition to email address, we also need your
preferred username, display name.

Thank you.
Luke

On Wed, Feb 8, 2023 at 2:01 PM Sourav Biswas
<sourav_biswa...@yahoo.com.invalid> wrote:

> May I get a jira account
> Email id: sourav_biswa...@yahoo.com
>
>
>
>
>     On Sunday, 5 February, 2023 at 01:58:33 am IST, Sourav Biswas <
> sourav_biswa...@yahoo.com> wrote:
>
>  Hello Kafka Dev,
> Issue:Say, I need to configure multiple client (consumer/producer)
> listening and publishing to different cluster inside same application (Same
> JVM). Both cluster uses
> - sasl.mechanism = GSSAPI- security.porotocol = SASL_PLAINTEXT
>
> But, different 'sasl.kerberos.service.name'.
>
> Now, considering above configuration, client will create a KafkaChannel
> using SaslChannelBuilder, which uses a LoginManager.
> https://github.com/apache/kafka/blob/4a7fedd46a7fc1eff5411a0f4329781c9474f8e8/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L170
> For this case, it should create multiple LoginManager for each cluster but
> it is creating only one. Because of this Authentication is failing for all
> cluster except one.
>
> Reason:
> A static Map of login managers is maintained, with key of LoginMetadata
>        STATIC_INSTANCES.put(loginMetadata, loginManager);
>
> -
> https://github.com/apache/kafka/blob/4a7fedd46a7fc1eff5411a0f4329781c9474f8e8/clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java#L109
>
> -
> https://github.com/apache/kafka/blob/4a7fedd46a7fc1eff5411a0f4329781c9474f8e8/clients/src/main/java/org/apache/kafka/common/security/authenticator/LoginManager.java#L113
>
> LoginMetadata only considers following fields to maintains its uniqueness.
>         final T configInfo; // "KafkaClient"; Same for all cluster
>         final Class<? extends Login> loginClass; // Same for all clusester
>         final Class<? extends AuthenticateCallbackHandler>
> loginCallbackClass; // Same for all cluster
>
>
> Possible fix:Need to consider more fields (
> sasl.kerberos.service.name/client.id/somethin-else) to maintain more
> granular uniqueness.
>
> Note:If you feel it's a bug, then I can raise a PR if I get a jira. Please
> share your thoughts.
> ~ Sourav
>
>
>

Reply via email to