Chris Egerton created KAFKA-10895:
-------------------------------------
Summary: Basic auth extension's JAAS config can be corrupted by other plugins
Key: KAFKA-10895
URL: https://issues.apache.org/jira/browse/KAFKA-10895
Project: Kafka
Issue Type: Bug
Components: KafkaConnect
Affects Versions: 2.7.0, 2.5.1, 2.6.0, 2.4.1, 2.5.0, 2.3.1, 2.4.0, 2.2.2, 2.2.1, 2.3.0, 2.1.1, 2.2.0, 2.1.0, 2.0.1, 2.0.0
Reporter: Chris Egerton
The Connect
[BasicAuthSecurityRestExtension|https://github.com/apache/kafka/blob/trunk/connect/basic-auth-extension/src/main/java/org/apache/kafka/connect/rest/basic/auth/extension/BasicAuthSecurityRestExtension.java]'s
doc states that "An entry with the name {{KafkaConnect}} is expected in the
JAAS config file configured in the JVM."
This is technically accurate, as the
[JaasBasicAuthFilter|https://github.com/apache/kafka/blob/afa5423356d3d2a2135a51200573b45d097f6d60/connect/basic-auth-extension/src/main/java/org/apache/kafka/connect/rest/basic/auth/extension/JaasBasicAuthFilter.java#L61-L63]
that the extension installs creates a {{LoginContext}} using a
[constructor|https://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/LoginContext.html#LoginContext-java.lang.String-javax.security.auth.callback.CallbackHandler-]
that does not include a
[Configuration|https://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/Configuration.html]
to be passed in, which causes
[Configuration::getConfiguration|https://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/Configuration.html#getConfiguration--]
to be used under the hood by the {{LoginContext}} to fetch the JAAS
configuration to use for authentication.
Unfortunately, other plugins (connectors, converters, even other REST
extensions, etc.) may invoke
[Configuration::setConfiguration|https://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/Configuration.html#setConfiguration-javax.security.auth.login.Configuration-]
and install a completely different JAAS configuration onto the JVM. If the
user starts their JVM with a JAAS config set via the
{{-Djava.security.auth.login.config}} property, that JAAS config can then be
completely overwritten, and if the basic auth extension depends on the JAAS
config that's installed at startup (as opposed to at runtime by a plugin), it
will break.
It's debatable whether this can or should be addressed with a code fix. One
possibility is to cache the current JVM's configuration as soon as the basic
auth extension is loaded by invoking {{Configuration::getConfiguration}} and
saving the resulting configuration for future {{LoginContext}} instantiations.
However, it may be possible that users actually rely on plugins being able to
install custom configurations at runtime for their basic auth extension, in
which case this change would actually be harmful.
Regardless, it's worth noting this odd behavior here in the hopes that it can
save some time for others who encounter the same issue.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
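The failure mode described in this issue, reproduced as an added, self-contained example (not code from Kafka or from the reporter). The JVM-wide JAAS configuration is set in code rather than through -Djava.security.auth.login.config, and a small hypothetical DemoLoginModule accepting the constructed credential alice / secret stands in for the file-backed login module the extension relies on. The names JaasConfigClobberDemo, DemoLoginModule, singleEntry, credentials and login are all assumptions made for the example. The login(...) helper with pinned == null mirrors what JaasBasicAuthFilter does today (the two-argument LoginContext constructor); with a non-null pinned Configuration it shows the caching mitigation the issue floats, using the four-argument constructor that takes a Configuration explicitly.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class JaasConfigClobberDemo {
    // Hypothetical LoginModule standing in for the extension's file-backed one;
    // it accepts only the constructed credential alice / secret.
    public static class DemoLoginModule implements LoginModule {
        private CallbackHandler handler;
        @Override
        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
            this.handler = handler;
        }
        @Override
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user");
            PasswordCallback pw = new PasswordCallback("password", false);
            try {
                handler.handle(new Callback[] {name, pw});
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException(e.toString());
            }
            if (!"alice".equals(name.getName()) || !"secret".equals(new String(pw.getPassword()))) {
                throw new LoginException("bad credentials");
            }
            return true;
        }
        @Override public boolean commit() { return true; }
        @Override public boolean abort()  { return true; }
        @Override public boolean logout() { return true; }
    }

    // A Configuration that defines exactly one entry; stands in for the file named
    // by -Djava.security.auth.login.config, or for whatever a plugin installs later.
    static Configuration singleEntry(String entryName) {
        AppConfigurationEntry[] entries = {
            new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    LoginModuleControlFlag.REQUIRED, Collections.emptyMap())
        };
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return entryName.equals(name) ? entries : null;
            }
        };
    }

    // Supplies user/password to the login module, as the filter would from an Authorization header.
    static CallbackHandler credentials(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    // pinned == null: today's behaviour, the two-argument constructor consults
    // Configuration.getConfiguration() at call time. Otherwise the Configuration
    // captured earlier is passed explicitly and later setConfiguration() calls are ignored.
    static String login(Configuration pinned, String user, String password) {
        CallbackHandler creds = credentials(user, password);
        try {
            LoginContext ctx = pinned == null
                    ? new LoginContext("KafkaConnect", creds)
                    : new LoginContext("KafkaConnect", new Subject(), creds, pinned);
            ctx.login();
            return "ok";
        } catch (LoginException e) {
            return "failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // 1. JVM starts with a JAAS config that has the KafkaConnect entry.
        Configuration.setConfiguration(singleEntry("KafkaConnect"));
        Configuration pinned = Configuration.getConfiguration();   // captured when the extension loads
        System.out.println("before plugin:                " + login(null, "alice", "secret"));
        // 2. Another plugin replaces the JVM-wide JAAS config with its own.
        Configuration.setConfiguration(singleEntry("SomeOtherPlugin"));
        // 3. Same credentials, but no KafkaConnect entry is visible any more.
        System.out.println("after plugin (JVM config):    " + login(null, "alice", "secret"));
        // 4. The copy pinned at load time still authenticates.
        System.out.println("after plugin (pinned config): " + login(pinned, "alice", "secret"));
    }
}
```

Running this prints ok, then a failure reporting that no LoginModules are configured for KafkaConnect, then ok again for the pinned copy. One caveat worth checking in a real deployment: if the plugin's replacement configuration happens to define an "other" entry, LoginContext falls back to it instead of failing, so the filter would silently authenticate against the wrong login module rather than reject every request.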