[ https://issues.apache.org/jira/browse/KAFKA-4874?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pawel Tomasik updated KAFKA-4874:
---------------------------------
    Description:
The proposal is to improve SASL protocol logic
In current implementation, Broker verifies ticket provided by client only at the moment of connection establishment.
Even if account related to the client's principal is revoked and client is not able to refresh its ticket, the session is never dropped,
As long-lived connections are typical for Kafka it may be worth adding an option to force client credentials challenge
Possible solution is a broker config parameter defining re-login interval
Broker shall periodically force connected clients to provide valid ticket

  was:
The proposal is to improve SASL protocol logic
Broker verifies ticket provided by client only at the moment of connection establishment.
Even if account related to the client's principal is revoked and client is not able to refresh ticket, the session is never dropped,
As long lived connections are typical for Kafka it may be worth adding an option to force client credentials challenge
Possible solution is a broker config parameter defining re-login interval
Broker shall periodically force connected clients to provide valid ticket

> SASL driven connections are not dropped when client ticket expires
> -------------------------------------------------------------------
>
>                 Key: KAFKA-4874
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4874
>             Project: Kafka
>          Issue Type: Wish
>          Components: security
>    Affects Versions: 0.10.2.0
>            Reporter: Pawel Tomasik
>            Priority: Minor
>
> The proposal is to improve SASL protocol logic
> In current implementation, Broker verifies ticket provided by client only at
> the moment of connection establishment.
> Even if account related to the client's principal is revoked and client is
> not able to refresh its ticket, the session is never dropped,
> As long-lived connections are typical for Kafka it may be worth adding an
> option to force client credentials challenge
> Possible solution is a broker config parameter defining re-login interval
> Broker shall periodically force connected clients to provide valid ticket

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
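The following is an added example, not part of the original message and not Kafka code. It models the session bookkeeping the proposal describes and contrasts it with a check made only at connection time. `Kdc`, `Broker`, `relogin_interval_s` and `simulate` are hypothetical names, and the ticket is a constructed dictionary rather than a real Kerberos ticket.

```python
class Kdc:
    """Constructed stand-in for the ticket issuer: revoked principals get no ticket."""
    def __init__(self, lifetime_s=600):
        self.lifetime_s, self.revoked = lifetime_s, set()
    def issue(self, principal, now):
        if principal in self.revoked:
            return None
        return {"principal": principal, "expires": now + self.lifetime_s}

class Broker:
    def __init__(self, kdc, relogin_interval_s=None):
        self.kdc, self.sessions = kdc, {}
        self.relogin_interval_s = relogin_interval_s  # hypothetical; None = check at connect only

    def _deadline(self, ticket, now):
        if self.relogin_interval_s is None:
            return float("inf")
        return min(now + self.relogin_interval_s, ticket["expires"])  # never outlive the ticket

    def connect(self, conn_id, ticket, now):
        if ticket is None or ticket["expires"] <= now:
            return False
        self.sessions[conn_id] = {"principal": ticket["principal"],
                                  "next_challenge": self._deadline(ticket, now)}
        return True

    def sweep(self, now):
        """Challenge sessions whose deadline passed; return the ids that were dropped."""
        dropped = []
        for conn_id, s in list(self.sessions.items()):
            if now < s["next_challenge"]:
                continue
            fresh = self.kdc.issue(s["principal"], now)  # client attempts a refresh
            if fresh is not None and fresh["expires"] > now:
                s["next_challenge"] = self._deadline(fresh, now)
            else:
                del self.sessions[conn_id]
                dropped.append(conn_id)
        return dropped

def simulate(relogin_interval_s):
    """alice is revoked right after connecting; return connections still open at t=1000."""
    kdc = Kdc()
    broker = Broker(kdc, relogin_interval_s)
    for name in ("alice", "bob"):
        broker.connect(name, kdc.issue(name, 0), 0)
    kdc.revoked.add("alice")
    for now in range(50, 1001, 50):
        broker.sweep(now)
    return sorted(broker.sessions)
```

Capping the challenge deadline at the ticket's own expiry means an interval set longer than the ticket lifetime still cannot keep a session open past that ticket.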