[KAFKA-13848] Clients remain connected after SASL re-authentication fails - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.1.0
Fix Version/s: 3.3.0
Component/s: clients
Labels:
Environment:
https://github.com/acsaki/kafka-sasl-reauth

Description

Clients remain connected and able to produce or consume despite an expired OAUTHBEARER token.

The problem can be reproduced using the https://github.com/acsaki/kafka-sasl-reauth project by starting the embedded OAuth2 server and Kafka, then running the long running consumer in OAuthBearerTest and then killing the OAuth2 server thus making the client unable to re-authenticate.

Root cause seems to be SaslServerAuthenticator#calcCompletionTimesAndReturnSessionLifetimeMs failing to set ReauthInfo#sessionExpirationTimeNanos when tokens have already expired (when session life time goes negative), in turn causing KafkaChannel#serverAuthenticationSessionExpired returning false and finally SocketServer not closing the channel.

The issue is observed with OAUTHBEARER but seems to have a wider impact on SASL re-authentication.

Attachments

Issue Links

links to

GitHub Pull Request #12179

Reproduction env

Activity

People

Assignee:: Andras Csaki

Reporter:: Andras Csaki

Reviewer:: Luke Chen

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 22/Apr/22 07:30

Updated:: 04/Aug/22 07:53

Resolved:: 10/Jun/22 14:26