Kafka / KAFKA-13848

Clients remain connected after SASL re-authentication fails


Description

Clients remain connected and able to produce or consume despite an expired OAUTHBEARER token.

The problem can be reproduced using the https://github.com/acsaki/kafka-sasl-reauth project by starting the embedded OAuth2 server and Kafka, then running the long-running consumer in OAuthBearerTest, and then killing the OAuth2 server, thus making the client unable to re-authenticate.

The root cause seems to be SaslServerAuthenticator#calcCompletionTimesAndReturnSessionLifetimeMs failing to set ReauthInfo#sessionExpirationTimeNanos when tokens have already expired (when the session lifetime goes negative), which in turn causes KafkaChannel#serverAuthenticationSessionExpired to return false and, finally, SocketServer not to close the channel.

The issue is observed with OAUTHBEARER but seems to have a wider impact on SASL re-authentication.
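An added illustrative model of the failure path the description traces; this is not the ticket's or Kafka's code, and the simplified lifetime arithmetic, the method names borrowed from the ticket, and the constructed timestamps are assumptions. The buggy variant leaves the expiry unset when the computed lifetime goes negative, so the expiry check never fires and the channel stays open; the fixed variant clamps the lifetime to zero so the channel is reported expired on the next poll.

```java
import java.util.concurrent.TimeUnit;
// Illustrative model of the expiry bookkeeping the ticket describes; not Kafka's code.
// Method and field names mirror the ticket; the arithmetic is a simplified assumption.
public class ReauthSessionModel {
    static final class ReauthInfo {
        // null means "no expiry recorded": the channel is never considered expired
        Long sessionExpirationTimeNanos;
    }

    /** Buggy variant: records an expiry only when the computed lifetime is positive. */
    static long calcSessionLifetimeMsBuggy(ReauthInfo info, long credentialExpiryMs,
                                           long nowMs, long nowNanos, long maxReauthMs) {
        long lifetimeMs = Math.min(credentialExpiryMs - nowMs, maxReauthMs);
        if (lifetimeMs > 0) {
            info.sessionExpirationTimeNanos = nowNanos + TimeUnit.MILLISECONDS.toNanos(lifetimeMs);
        }
        return lifetimeMs; // negative for an already-expired token, and nothing was recorded
    }

    /** Fixed variant: an already-expired credential yields an immediately expired session. */
    static long calcSessionLifetimeMsFixed(ReauthInfo info, long credentialExpiryMs,
                                           long nowMs, long nowNanos, long maxReauthMs) {
        long lifetimeMs = Math.max(0L, Math.min(credentialExpiryMs - nowMs, maxReauthMs));
        info.sessionExpirationTimeNanos = nowNanos + TimeUnit.MILLISECONDS.toNanos(lifetimeMs);
        return lifetimeMs;
    }

    /** Mirrors the check the server's poll loop uses to decide whether to close the channel. */
    static boolean serverAuthenticationSessionExpired(ReauthInfo info, long nowNanos) {
        return info.sessionExpirationTimeNanos != null
                && nowNanos - info.sessionExpirationTimeNanos > 0;
    }

    public static void main(String[] args) {
        // Constructed sample: the token expired 30 s before the (re)authentication completed.
        long nowMs = 1_700_000_000_000L;
        long nowNanos = 5_000_000_000L;
        long expiredTokenMs = nowMs - 30_000L;
        long maxReauthMs = 3_600_000L; // stands in for connections.max.reauth.ms
        ReauthInfo buggy = new ReauthInfo();
        calcSessionLifetimeMsBuggy(buggy, expiredTokenMs, nowMs, nowNanos, maxReauthMs);
        System.out.println("buggy -> channel expired? "
                + serverAuthenticationSessionExpired(buggy, nowNanos + 1));
        ReauthInfo fixed = new ReauthInfo();
        calcSessionLifetimeMsFixed(fixed, expiredTokenMs, nowMs, nowNanos, maxReauthMs);
        System.out.println("fixed -> channel expired? "
                + serverAuthenticationSessionExpired(fixed, nowNanos + 1));
    }
}
```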

People

Andras Csaki (acsaki)
Luke Chen