KAFKA-10615: Plain authentication failure log detail


Details

• Type: Improvement
• Status: Open
• Priority: Major
• Resolution: Unresolved
• Affects Version/s: 2.4.1
• Fix Version/s: None
• Component/s: security
• Labels: None

Description

When using the PlainLoginModule and a client application is providing a wrong password, you get endless error logs saying:

[2020-10-15 07:00:05,263] INFO [SocketServer brokerId=4] Failed authentication with myhost.mycompany.fr/192.168.35.194 (Authentication failed: Invalid username or password) (org.apache.kafka.common.network.Selector)
[2020-10-15 07:00:06,400] INFO [SocketServer brokerId=4] Failed authentication with myhost.mycompany.fr/192.168.35.194 (Authentication failed: Invalid username or password) (org.apache.kafka.common.network.Selector)

When this client is running in Kubernetes, the hostname and IP have no meaning because they represent the Kubernetes host. So it's very hard for us to find the misconfigured application.

I'd like to have the username in the error message so as to make it easier to find the source of the error.

From a security point of view it may be interesting to know that a given user is used to brute force a password or may have been pwned.

It seems easy to do it in https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/plain/internals/PlainSaslServer.java#L107
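As an added example (not part of the issue or of Kafka's code), the following parser consumes broker log lines in the exact format quoted above and flags peers that produce a burst of failed authentications. The sample log lines, the 60-second window and the threshold of 5 are constructed here; the only key the current message offers is host/IP, which is precisely why a NAT or Kubernetes node address hides the real client.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the Selector "Failed authentication" line as logged by Kafka 2.4.1.
# The peer is printed as InetAddress.toString(): "hostname/ip", or "/ip" if unresolved.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<level>\w+) \[SocketServer brokerId=(?P<broker>\d+)\] "
    r"Failed authentication with (?P<host>\S*?)/(?P<ip>[0-9.]+) "
    r"\((?P<reason>[^)]*)\) \((?P<logger>[^)]+)\)$"
)

def parse_failed_auth(line):
    """Parse one broker log line; return a dict, or None if it is not a failed-auth line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S,%f")
    ev["broker"] = int(ev["broker"])
    return ev

def burst_peers(lines, window=timedelta(seconds=60), threshold=5):
    """Return {(host, ip): peak_count} for peers with >= threshold failures in any window.

    Without a username in the line, the peer address is the only pivot available,
    so many pods behind one node address collapse into a single entry.
    """
    by_peer = defaultdict(list)
    for ev in filter(None, map(parse_failed_auth, lines)):
        by_peer[(ev["host"], ev["ip"])].append(ev["ts"])
    flagged = {}
    for peer, stamps in by_peer.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[peer] = peak
    return flagged

def _line(ts, host, ip):  # helper to build constructed sample lines in the issue's format
    return (f"[{ts}] INFO [SocketServer brokerId=4] Failed authentication with {host}/{ip} "
            "(Authentication failed: Invalid username or password) (org.apache.kafka.common.network.Selector)")

# Constructed sample: five failures from one peer within 5 s, one from another, one unrelated line.
SAMPLE_LOG = [_line(f"2020-10-15 07:00:0{s},263", "myhost.mycompany.fr", "192.168.35.194") for s in range(5, 10)]
SAMPLE_LOG.append(_line("2020-10-15 07:00:10,001", "other.mycompany.fr", "192.168.35.20"))
SAMPLE_LOG.append("[2020-10-15 07:00:11,000] INFO [SocketServer brokerId=4] Started (kafka.network.SocketServer)")
```

Run it with `print(burst_peers(SAMPLE_LOG))` to see only the 192.168.35.194 peer reported, with a peak of 5.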

People

• Assignee: Unassigned
• Reporter: gquintana Gérald Quintana
• Votes: 0
• Watchers: 1