[KAFKA-7915] SASL authentication failures may return sensitive data to client - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.2.0
Component/s: security
Labels:
None

Description

There was a regression from the commit https://github.com/apache/kafka/commit/e8a3bc74254a8e4e4aaca41395177fa4a98b480c#diff-e4c812749f57c982e2570492657ea787 which added the error message from SaslException thrown by the server during authentication into the error response returned to clients. Since this exception may contain sensitive data (e.g. indicating that a user exists but password match failed), we should not return the error to clients. We have a separate exception (`AuthenticationException`) for errors that are safe to propagate to clients.

The regression was not in any released version, the related commit will only be in 2.2.0, so we just need to fix this before 2.2.0.

Attachments

Issue Links

links to

GitHub Pull Request #6252

Activity

People

Assignee:: Rajini Sivaram

Reporter:: Rajini Sivaram

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 11/Feb/19 15:32

Updated:: 11/Feb/19 22:36

Resolved:: 11/Feb/19 22:27