Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-6532

Delegation token internals should not impact public interfaces



    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 1.1.0
    • core
    • None


      We need to make sure that code related to the internal delegation tokens implementation doesn't have any impact on public interfaces, including customizable callback handlers from KIP-86.

      1. KafkaPrincipal has a public tokenAuthenticated() method. Principal builders are configurable and we now expect custom principal builders to set this value. Since we allow the same endpoint to be used for basic SCRAM and delegation tokens, the configured principal builder needs a way of detecting token authentication. Default principal builder does this using internal SCRAM implementation code. It will be better if configurable principal builders didn't have to set this flag at all.
      2. It will be better to replace o.a.k.c.security.scram.DelegationTokenAuthenticationCallback with a more generic ScramExtensionsCallback. This will allow us to add more extensions in future and it will also enable custom Scram extensions.
      3. ScramCredentialCallback was extended to add tokenOwner and mechanism. Mechanism is determined during SASL handshake and shouldn't be configurable in a callback handler. ScramCredentialCallback is being made a public interface in KIP-86 with configurable callback handlers. Since delegation token implementation is internal and not extensible, tokenOwner should be in a delegation-token-specific callback.


        Issue Links



              rsivaram Rajini Sivaram
              rsivaram Rajini Sivaram
              0 Vote for this issue
              2 Start watching this issue