
Enable custom authentication plugins to return error messages to clients

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.0.0
    • Component/s: security
    • Labels:
      None

      Description

      KIP-152 enables authentication failures to be returned to clients to simplify diagnosis of security configuration issues. At the moment, a fixed message is returned to clients by SaslServerAuthenticator which says "Authentication failed due to invalid credentials with SASL mechanism $mechanism".

      We have added an error message string to SaslAuthenticateResponse to return custom messages from the broker to clients. Custom SASL server implementations may want to return more specific error messages in some cases. We should allow this by returning error messages from specific exceptions (e.g. org.apache.kafka.common.errors.SaslAuthenticationException) in SaslAuthenticateResponse. It would be better not to return the error message from SaslException since it may contain information that we do not want to leak to clients.

      We should do this for 1.0.0 to avoid compatibility issues later: third-party implementors of a SASL server may currently assume that the message of a SaslAuthenticationException is only logged on the server and never sent to clients, so changing that behaviour in a later release would be a security risk.
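As an added illustration, not Kafka's own code (the only real Kafka type used is the SaslAuthenticationException named above; the token mechanism, the in-memory store and the `clientErrorMessage` helper are constructed for this example): a custom SASL server raises SaslAuthenticationException only with wording it wants clients to see, keeps internal detail in a SaslException, and a broker-side helper applies the rule proposed in the description when filling the error message of SaslAuthenticateResponse.

```java
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.security.sasl.SaslException;
import org.apache.kafka.common.errors.SaslAuthenticationException;

// Illustrative example, not code from the Kafka project.
final class SaslErrorMessageExample {

    // Hypothetical TOKEN mechanism; 'validTokens' is a constructed in-memory store.
    static final class TokenSaslServer {
        private final Map<String, String> validTokens; // token -> principal, null = backend outage

        TokenSaslServer(Map<String, String> validTokens) { this.validTokens = validTokens; }

        // Same shape as javax.security.sasl.SaslServer#evaluateResponse.
        byte[] evaluateResponse(byte[] response) throws SaslException {
            String token = new String(response, StandardCharsets.UTF_8);
            if (validTokens == null) {
                // Internal fault: host names and backend state belong in the broker log only,
                // so use SaslException, whose message the broker must not forward.
                throw new SaslException("token store unavailable: backend tokens-db-01 unreachable");
            }
            String principal = validTokens.get(token);
            if (principal == null) {
                // Client-visible by design: tells the client what to do, reveals nothing about
                // the store or which tokens exist.
                throw new SaslAuthenticationException("Token rejected: expired or revoked, obtain a new token");
            }
            return principal.getBytes(StandardCharsets.UTF_8); // exchange complete
        }
    }

    // Assumed broker-side helper: text for SaslAuthenticateResponse's error message.
    static String clientErrorMessage(Exception failure, String mechanism) {
        if (failure instanceof SaslAuthenticationException) {
            return failure.getMessage(); // the plugin chose this wording for clients
        }
        // SaslException or anything else: fixed message; full detail stays in the broker log.
        return "Authentication failed due to invalid credentials with SASL mechanism " + mechanism;
    }

    public static void main(String[] args) {
        TokenSaslServer server = new TokenSaslServer(Map.of("tok-123", "alice"));
        for (String resp : new String[] {"tok-123", "bogus"}) {
            try { System.out.println("authenticated " + new String(server.evaluateResponse(resp.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8)); }
            catch (Exception e) { System.out.println("client sees: " + clientErrorMessage(e, "TOKEN")); }
        }
        try { new TokenSaslServer(null).evaluateResponse(new byte[0]); }
        catch (Exception e) { System.out.println("client sees: " + clientErrorMessage(e, "TOKEN")); }
    }
}
```

The third call shows the point of the rule: the SaslException text about the backend host never reaches the client, while the SaslAuthenticationException wording does.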

              People

              • Assignee: rsivaram Rajini Sivaram
              • Reporter: rsivaram Rajini Sivaram
              • Votes: 0
              • Watchers: 2
