Proposal: Reauthenticate SASL connections based on session lifetime #122

Merged (4 commits) on Aug 14, 2024

@urmastalimaa urmastalimaa commented Aug 12, 2024

Successor of #119

The broker response to a SASL authentication request can contain a
maximum session lifetime (see the KIP).
Session lifetime is returned by the broker in Version 1
SaslAuthenticate Response.

When a SASL authentication callback returns {ok, ServerResponse} and
the ServerResponse contains a larger than 0 session lifetime,
kpro_connection automatically sets a timer to re-authenticate in half
the session lifetime.

As kpro_sasl mechanisms are synchronous, in-flight requests must first
be drained to ensure that kpro_sasl receives a response to its own SASL
request.

The draining mechanism is tied to the main loop, flushing the post-drain
queue when requests are empty. When requests are not empty, previous
behaviour is retained with the exception of {From, {send, Req}}
handler, which adds the request onto the queue when in drain state.

@urmastalimaa urmastalimaa changed the title Reauthenticate SASL connections based on session lifetime Proposal: Reauthenticate SASL connections based on session lifetime Aug 12, 2024
@urmastalimaa urmastalimaa marked this pull request as ready for review August 12, 2024 13:43
@urmastalimaa urmastalimaa force-pushed the reauthenticate_sasl_connections branch 3 times, most recently from f163a82 to 9f1e8cf Compare August 13, 2024 10:57
zmstone commented Aug 13, 2024

looks good, please help to add a change log (bump version to 4.2.0 4.1.7)

zmstone commented Aug 13, 2024

just merged a ci fix to master, please rebase to make ci run.
ref: #123

`get_api_vsns` and `{ssl, Sock, Bin}` were missing from print_msg/3
cases and were reported as "unknown messages".

This expansion of the callback return values allows `kpro_connection` to
interrogate the server response message, in preparation for
re-authenticating SASL connections before session lifetime expires.

Authentication was moved to a separate function to allow repeating
authentication flow, which also required storing connection
configuration in process state.

The broker response to a SASL authentication request can contain a
maximum session lifetime (see the [KIP][kip]).
Session lifetime is returned by the broker in [Version 1
SaslAuthenticate Response][sasl_authenticate_protocol].

When a SASL authentication callback returns `{ok, ServerResponse}` and
the ServerResponse contains a larger than 0 session lifetime,
kpro_connection automatically sets a timer to re-authenticate in half
the session lifetime.

As kpro_sasl mechanisms are synchronous, in-flight requests must first
be drained to ensure that kpro_sasl receives a response to its own SASL
request.

The draining algorithm behaves as follows:
* `sasl_authenticate` message handler adds the message onto the backlog
  and immediately flushes the backlog if there are no in-flight requests.
* `{From, {send, Request}}` handler adds the request onto the backlog if
  the backlog has any items to allow in-flight requests to drain.
* Inbound message handler flushes the backlog if in-flight requests are
  empty.

[kip]: https://cwiki.apache.org/confluence/display/KAFKA/KIP-368%3A+Allow+SASL+Connections+to+Periodically+Re-Authenticate
[sasl_authenticate_protocol]: https://kafka.apache.org/protocol#The_Messages_SaslAuthenticate
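
The draining algorithm listed in the commit message above, modelled as a pure Erlang state machine. This is an added example, not code from the pull request or from kpro_connection; the module, record, event and function names are hypothetical, and the synchronous SASL exchange is reduced to a logged `reauthenticate` action.

```erlang
%% Added example: a pure model of the drain-then-reauthenticate logic.
%% Module, record and function names are hypothetical, not kpro_connection's.
-module(reauth_drain_model).
-export([reauth_delay/1, handle/2, demo/0]).

-record(st, {inflight = [] :: [term()],   % sent, response not yet received
             backlog  = [] :: [term()],   % held back while draining, oldest first
             log      = [] :: [term()]}). % actions taken, newest first

%% Only a session lifetime greater than 0 arms the timer, at half the lifetime
%% (result is in the same unit as the lifetime).
reauth_delay(Lifetime) when is_integer(Lifetime), Lifetime > 0 ->
  {ok, Lifetime div 2};
reauth_delay(_) ->
  no_reauth.

%% Re-authentication timer fired: queue it, flush only if nothing is in flight.
handle(sasl_authenticate, St = #st{backlog = B}) ->
  maybe_flush(St#st{backlog = B ++ [sasl_authenticate]});
%% Normal path: empty backlog, send immediately.
handle({send, Req}, St = #st{backlog = []}) ->
  do_send(Req, St);
%% Draining: hold the request so that in-flight requests can finish first.
handle({send, Req}, St = #st{backlog = B}) ->
  St#st{backlog = B ++ [{send, Req}]};
%% Inbound response: clear it from in-flight, flush if that was the last one.
handle({response, Req}, St = #st{inflight = I}) ->
  maybe_flush(St#st{inflight = lists:delete(Req, I)}).

maybe_flush(St = #st{inflight = [], backlog = B}) ->
  lists:foldl(fun flush_item/2, St#st{backlog = []}, B);
maybe_flush(St) ->
  St.

%% Stands in for the synchronous SASL exchange, which now owns the socket alone.
flush_item(sasl_authenticate, St = #st{log = L}) ->
  St#st{log = [reauthenticate | L]};
flush_item({send, Req}, St) ->
  do_send(Req, St).

do_send(Req, St = #st{inflight = I, log = L}) ->
  St#st{inflight = I ++ [Req], log = [{sent, Req} | L]}.

%% Constructed scenario: r1 is in flight when the timer fires, r2 arrives meanwhile.
demo() ->
  Events = [{send, r1}, sasl_authenticate, {send, r2}, {response, r1}],
  #st{log = Log} = lists:foldl(fun handle/2, #st{}, Events),
  lists:reverse(Log).
```

Calling `reauth_drain_model:demo()` returns the actions in the order they were taken, which shows that the request arriving during the drain is sent only after re-authentication.
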
@urmastalimaa urmastalimaa force-pushed the reauthenticate_sasl_connections branch from 9f1e8cf to 49ccc86 Compare August 13, 2024 14:15
@urmastalimaa

Thanks. Done with diff

@zmstone zmstone merged commit 95d0944 into kafka4beam:master Aug 14, 2024
6 checks passed
@urmastalimaa urmastalimaa deleted the reauthenticate_sasl_connections branch August 14, 2024 08:44
zmstone commented Aug 14, 2024

thank you @urmastalimaa
tagged 4.1.7, also published to hex.pm

@urmastalimaa

Perfect, thank you for the fast and excellent feedback.
