[ https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14973551#comment-14973551 ]
Jun Rao commented on KAFKA-1686: -------------------------------- [~sriharsha], you mentioned that if the Kerberos tickets can't be renewed, we will get a KafkaException when reading/writing through the SASL port. Could you explain a bit how this is done? To me, the Kerberos authentication only happens once when the socket is established. Once the authentication is done, the client communicates to the broker via a plaintext transport (assuming SASL_PLAINTEXT) and the SASL part is no longer involved. So, after the initial authentication, if the Kerberos tickets can't be renewed, how do we force a KafkaException on the SASL port? Do we need to somehow set the saslState in SaslClientAuthenticator to FAILED if relogin fails? > Implement SASL/Kerberos > ----------------------- > > Key: KAFKA-1686 > URL: https://issues.apache.org/jira/browse/KAFKA-1686 > Project: Kafka > Issue Type: Sub-task > Components: security > Affects Versions: 0.8.2.1 > Reporter: Jay Kreps > Assignee: Sriharsha Chintalapani > Priority: Blocker > Fix For: 0.9.0.0 > > > Implement SASL/Kerberos authentication. > To do this we will need to introduce a new SASLRequest and SASLResponse pair > to the client protocol. This request and response will each have only a > single byte[] field and will be used to handle the SASL challenge/response > cycle. Doing this will initialize the SaslServer instance and associate it > with the session in a manner similar to KAFKA-1684. > When using integrity or encryption mechanisms with SASL we will need to wrap > and unwrap bytes as in KAFKA-1684 so the same interface that covers the > SSLEngine will need to also cover the SaslServer instance. -- This message was sent by Atlassian JIRA (v6.3.4#6332)