KAFKA-10798

Failed authentication delay doesn't work with some SASL authentication failures


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.8.0, 2.7.1, 2.6.2
    • Component/s: security
    • Labels: None

      Description

      KIP-306 introduced the config `connection.failed.authentication.delay.ms` to delay connection closing on brokers for failed authentication, to limit the rate of retried authentications from clients in order to avoid excessive authentication load on brokers from failed clients. We rely on the authentication failure response being delayed in this case to prevent clients from detecting the failure and retrying sooner.

      SaslServerAuthenticator delays response for SaslAuthenticationException, but not for SaslException, even though SaslException is also converted into SaslAuthenticationException and processed as an authentication failure by both server and clients. As a result, connection delay is not applied in many scenarios like SCRAM authentication failures.
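A simplified model of the behaviour described above, added here as an illustration and not taken from Kafka's source: the decision to hold the failure response is keyed on the exception type, so a raw SaslException (the SCRAM case) bypasses the delay unless it is converted to SaslAuthenticationException before that decision. FailedAuthDelayModel, closeDelayMs and retriesWithin are hypothetical names; the numeric delay stands in for connection.failed.authentication.delay.ms.

```java
import javax.security.sasl.SaslException;
import org.apache.kafka.common.errors.SaslAuthenticationException;

// Illustrative model only (not Kafka's code): how the broker decides whether
// to hold a failed-authentication response before closing the connection.
public class FailedAuthDelayModel {
    private final long delayMs;   // stands in for connection.failed.authentication.delay.ms
    private final boolean fixed;  // false = behaviour reported in this issue

    public FailedAuthDelayModel(long delayMs, boolean fixed) {
        this.delayMs = delayMs;
        this.fixed = fixed;
    }

    /** Milliseconds the broker holds the connection before sending the failure. */
    public long closeDelayMs(Exception failure) {
        Exception e = failure;
        // Fix: treat a raw SaslException (e.g. a SCRAM failure) like any other
        // authentication failure by converting it before the delay decision.
        if (fixed && e instanceof SaslException) {
            e = new SaslAuthenticationException("Authentication failed", e);
        }
        // Reported behaviour: only SaslAuthenticationException is delayed, so a
        // SaslException is answered, and the connection closed, immediately.
        return e instanceof SaslAuthenticationException ? delayMs : 0;
    }

    /** Attempts a client that retries immediately on failure can make within windowMs. */
    public long retriesWithin(long windowMs, long roundTripMs, Exception failure) {
        long perAttemptMs = roundTripMs + closeDelayMs(failure);
        return windowMs / perAttemptMs;
    }

    public static void main(String[] args) {
        // Constructed sample failure: what a SCRAM credential mismatch surfaces as.
        Exception scramFailure = new SaslException("Invalid credentials");
        FailedAuthDelayModel reported = new FailedAuthDelayModel(1000, false);
        FailedAuthDelayModel fixed = new FailedAuthDelayModel(1000, true);
        System.out.println("retries per minute, reported behaviour: "
                + reported.retriesWithin(60_000, 10, scramFailure));
        System.out.println("retries per minute, with delay applied: "
                + fixed.retriesWithin(60_000, 10, scramFailure));
    }
}
```

The gap between the two printed counts is the load-limiting effect the delay is meant to provide, which the reported behaviour loses for every failure path that surfaces as a plain SaslException.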


            People

            • Assignee: Rajini Sivaram (rsivaram)
            • Reporter: Rajini Sivaram (rsivaram)
            • Reviewer: Manikumar
