Andras Csaki created KAFKA-13848:
------------------------------------
Summary: Clients remaining connected after SASL re-authentication fails
Key: KAFKA-13848
URL: https://issues.apache.org/jira/browse/KAFKA-13848
Project: Kafka
Issue Type: Bug
Components: clients
Affects Versions: 3.1.0
Environment: https://github.com/acsaki/kafka-sasl-reauth
Reporter: Andras Csaki
Clients remain connected and able to produce or consume despite an expired
OAUTHBEARER token.
The problem can be reproduced using the
https://github.com/acsaki/kafka-sasl-reauth project by starting the embedded
OAuth2 server and Kafka, then running the long-running consumer in
OAuthBearerTest and then killing the OAuth2 server, thus making the client
unable to re-authenticate.
Root cause seems to be
SaslServerAuthenticator#calcCompletionTimesAndReturnSessionLifetimeMs failing
to set ReauthInfo#sessionExpirationTimeNanos when tokens have already expired
(when session lifetime goes negative), in turn causing
KafkaChannel#serverAuthenticationSessionExpired to return false and finally
SocketServer not closing the channel.
The issue is observed with OAUTHBEARER but seems to have a wider impact on SASL
re-authentication.
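The following is an added, self-contained Java model of the failure mode described above; it is not Kafka's own code and is not taken from the kafka-sasl-reauth project. The class and method names (ReauthSessionModel, calcSessionLifetimeMsBuggy, calcSessionLifetimeMsFixed, sessionExpired) and the simplified bookkeeping are assumptions made for illustration: a "buggy" variant only records an expiration time when the computed lifetime is positive, so an already-expired credential leaves no expiration recorded and the expiry check never fires; a hardened variant clamps a negative lifetime to zero so the session is flagged as expired on the next check and the channel can be closed.

```java
import java.util.concurrent.TimeUnit;

// Hypothetical, simplified model of the re-authentication bookkeeping
// described in KAFKA-13848. Not Kafka's implementation.
public class ReauthSessionModel {

    // Stands in for ReauthInfo#sessionExpirationTimeNanos; null means
    // "no expiration recorded", which the expiry check treats as "never expires".
    static final class ReauthInfo {
        Long sessionExpirationTimeNanos;
    }

    // Buggy behaviour as described in the report: the expiration time is only
    // set when the remaining lifetime is positive. An expired credential
    // (negative lifetime) therefore leaves sessionExpirationTimeNanos null.
    static long calcSessionLifetimeMsBuggy(ReauthInfo info, long nowMs,
                                           long credentialExpiryMs) {
        long sessionLifetimeMs = credentialExpiryMs - nowMs;
        if (sessionLifetimeMs > 0) {
            info.sessionExpirationTimeNanos =
                TimeUnit.MILLISECONDS.toNanos(nowMs + sessionLifetimeMs);
        }
        return sessionLifetimeMs;
    }

    // Hardened variant (assumption, one possible mitigation): a credential that
    // is already expired yields a zero lifetime and an expiration time of "now",
    // so the next expiry check reports the session as expired.
    static long calcSessionLifetimeMsFixed(ReauthInfo info, long nowMs,
                                           long credentialExpiryMs) {
        long sessionLifetimeMs = Math.max(0L, credentialExpiryMs - nowMs);
        info.sessionExpirationTimeNanos =
            TimeUnit.MILLISECONDS.toNanos(nowMs + sessionLifetimeMs);
        return sessionLifetimeMs;
    }

    // Stands in for KafkaChannel#serverAuthenticationSessionExpired: only a
    // recorded expiration time that lies in the past counts as expired.
    static boolean sessionExpired(ReauthInfo info, long nowNanos) {
        return info.sessionExpirationTimeNanos != null
            && nowNanos - info.sessionExpirationTimeNanos > 0;
    }

    public static void main(String[] args) {
        // Constructed sample values: "now" and a token that expired 5 s earlier.
        long nowMs = 1_000_000L;
        long expiredTokenMs = nowMs - 5_000L;
        // The check runs one millisecond after the lifetime was computed.
        long checkNanos = TimeUnit.MILLISECONDS.toNanos(nowMs + 1);

        ReauthInfo buggy = new ReauthInfo();
        long buggyLifetime = calcSessionLifetimeMsBuggy(buggy, nowMs, expiredTokenMs);
        System.out.println("buggy: lifetimeMs=" + buggyLifetime
            + " expirationRecorded=" + (buggy.sessionExpirationTimeNanos != null)
            + " expired=" + sessionExpired(buggy, checkNanos)); // expired=false: channel stays open

        ReauthInfo fixed = new ReauthInfo();
        long fixedLifetime = calcSessionLifetimeMsFixed(fixed, nowMs, expiredTokenMs);
        System.out.println("fixed: lifetimeMs=" + fixedLifetime
            + " expirationRecorded=" + (fixed.sessionExpirationTimeNanos != null)
            + " expired=" + sessionExpired(fixed, checkNanos)); // expired=true: channel can be closed
    }
}
```

Compile and run with `javac ReauthSessionModel.java && java ReauthSessionModel`. The point to take from the model is the detection gap: a channel whose session lifetime went negative never gets an expiration timestamp, so a periodic "is this session expired?" sweep sees nothing to close. Any fix must ensure that an expired credential produces an expiration that is at or before the current time rather than no expiration at all.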
--
This message was sent by Atlassian Jira
(v8.20.7#820007)