[ https://issues.apache.org/jira/browse/KAFKA-4764?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rajini Sivaram updated KAFKA-4764:
----------------------------------
    Description: 
At the moment, broker closes the client connection if SASL authentication 
fails. Clients see this as a connection failure and do not get any feedback for 
the reason why the connection was closed. Producers and consumers retry, 
attempting to create successful connections, treating authentication failures 
as transient failures. There are no log entries on the client-side which 
indicate that any of these connection failures were due to authentication 
failure.

This JIRA will aim to improve diagnosis of authentication failures with the 
changes described in 
[KIP-152|https://cwiki.apache.org/confluence/display/KAFKA/KIP-152+-+Improve+diagnostics+for+SASL+authentication+failures].

This JIRA also does not change handling of SSL authentication failures. 
javax.net.debug provides sufficient diagnostics for this case. SSL changes are 
harder to do while preserving backward compatibility.





  was:
At the moment, broker closes the client connection if SASL authentication 
fails. Clients see this as a connection failure and do not get any feedback for 
the reason why the connection was closed. Producers and consumers retry, 
attempting to create successful connections, treating authentication failures 
as transient failures. There are no log entries on the client-side which 
indicate that any of these connection failures were due to authentication 
failure.

This JIRA will aim to improve diagnosis of authentication failures with the 
changes described in 
[KIP-152|https://cwiki.apache.org/confluence/display/KAFKA/KIP-152+-+Improve+diagnostics+for+SASL+authentication+failures].

This JIRA also does not change handling of SSL authentication failures. 
javax.net.debug provides sufficient diagnostics for this case; I don't believe 
there is sufficient information in `SslTransportLayer` to treat these in a 
consistent way with SASL authentication failures.






> Improve diagnostics for SASL authentication failures
> ----------------------------------------------------
>
>                 Key: KAFKA-4764
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4764
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 0.10.2.0
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>             Fix For: 1.0.0
>
>
> At the moment, broker closes the client connection if SASL authentication 
> fails. Clients see this as a connection failure and do not get any feedback 
> for the reason why the connection was closed. Producers and consumers retry, 
> attempting to create successful connections, treating authentication failures 
> as transient failures. There are no log entries on the client-side which 
> indicate that any of these connection failures were due to authentication 
> failure.
> This JIRA will aim to improve diagnosis of authentication failures with the 
> changes described in 
> [KIP-152|https://cwiki.apache.org/confluence/display/KAFKA/KIP-152+-+Improve+diagnostics+for+SASL+authentication+failures].
> This JIRA also does not change handling of SSL authentication failures. 
> javax.net.debug provides sufficient diagnostics for this case. SSL changes 
> are harder to do while preserving backward compatibility.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
