[ https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14973566#comment-14973566 ]
Sriharsha Chintalapani commented on KAFKA-1686: ----------------------------------------------- [~junrao] once the connection is established we don't do SASL auth again. Its for the new connections i.e if the kerberos ticket is not renewed we won't be able to establish a new connection . We don't invalidate the already established sasl connection. I don't see a reason to do this. If for any reason someone wants to un-authorize a session thats already established they can do so via Authorizer and remove the permissions. Can you give me the details of the use case you are looking at. > Implement SASL/Kerberos > ----------------------- > > Key: KAFKA-1686 > URL: https://issues.apache.org/jira/browse/KAFKA-1686 > Project: Kafka > Issue Type: Sub-task > Components: security > Affects Versions: 0.8.2.1 > Reporter: Jay Kreps > Assignee: Sriharsha Chintalapani > Priority: Blocker > Fix For: 0.9.0.0 > > > Implement SASL/Kerberos authentication. > To do this we will need to introduce a new SASLRequest and SASLResponse pair > to the client protocol. This request and response will each have only a > single byte[] field and will be used to handle the SASL challenge/response > cycle. Doing this will initialize the SaslServer instance and associate it > with the session in a manner similar to KAFKA-1684. > When using integrity or encryption mechanisms with SASL we will need to wrap > and unwrap bytes as in KAFKA-1684 so the same interface that covers the > SSLEngine will need to also cover the SaslServer instance. -- This message was sent by Atlassian JIRA (v6.3.4#6332)