Proposal: Reauthenticate SASL connections based on session lifetime #122

Merged
merged 4 commits into from
Aug 14, 2024

Commits on Aug 13, 2024

  1. Add missing messages to debugging

    `get_api_vsns` and `{ssl, Sock, Bin}` were missing from print_msg/3
    cases and were reported as "unknown messages".
    urmastalimaa committed Aug 13, 2024
    89ab927
  2. Allow SASL callback modules to return {ok, ServerResponse}

    This expansion of the callback return values allows `kpro_connection` to
    interrogate the server response message, in preparation for
    re-authenticating SASL connections before session lifetime expires.
    
    Authentication was moved to a separate function to allow repeating
    authentication flow, which also required storing connection
    configuration in process state.
    urmastalimaa committed Aug 13, 2024
    09af52d
  3. Reauthenticate SASL connections based on session lifetime

    The broker response to a SASL authentication request can contain a
    maximum session lifetime (see the [KIP][kip]).
    Session lifetime is returned by the broker in [Version 1
    SaslAuthenticate Response][sasl_authenticate_protocol].
    
    When a SASL authentication callback returns `{ok, ServerResponse}` and
    the ServerResponse contains a larger than 0 session lifetime,
    kpro_connection automatically sets a timer to re-authenticate in half
    the session lifetime.
    
    As kpro_sasl mechanisms are synchronous, in-flight requests must first
    be drained to ensure that kpro_sasl receives a response to its own SASL
    request.
    
    The draining algorithm behaves as follows:
    * `sasl_authenticate` message handler adds the message onto the backlog
      and immediately flushes the backlog if there are no in-flight requests.
    * `{From, {send, Request}}` handler adds the request onto the backlog if
      the backlog has any items to allow in-flight requests to drain.
    * Inbound message handler flushes the backlog if in-flight requests are
      empty.
    
    [kip]: https://cwiki.apache.org/confluence/display/KAFKA/KIP-368%3A+Allow+SASL+Connections+to+Periodically+Re-Authenticate
    [sasl_authenticate_protocol]: https://kafka.apache.org/protocol#The_Messages_SaslAuthenticate
    urmastalimaa committed Aug 13, 2024
    0cfeaf4
  4. 49ccc86
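
The draining rules listed in commit 3 (0cfeaf4), as an added example that is not code from this pull request or from `kpro_connection`: a pure Erlang model showing that a request arriving after the re-authentication timer fires is held back until earlier requests are answered and the SASL exchange has run. The module name `drain_model`, the state map, the event names and the `sasl_exchange` marker (standing in for the real SASL frames) are all hypothetical.

```erlang
%% Added illustration: a pure model of the draining rules in the commit
%% message. Not kpro_connection code; all names here are hypothetical.
-module(drain_model).
-export([new/0, handle/2, demo/0]).

%% inflight: requests awaiting a response; backlog: held-back events (FIFO);
%% wire: what has been written to the socket, newest first.
new() -> #{inflight => [], backlog => [], wire => []}.

%% Re-auth timer fired: queue it, flush only if nothing is in flight.
handle(sasl_authenticate, St = #{backlog := B}) ->
    maybe_flush(St#{backlog := B ++ [sasl_authenticate]});
%% Caller request: hold it back while a re-auth is pending, else send now.
handle({send, Req}, St = #{backlog := []}) ->
    send(Req, St);
handle({send, Req}, St = #{backlog := B}) ->
    St#{backlog := B ++ [{send, Req}]};
%% Broker response: retire the request, flush once everything has drained.
handle({response, Req}, St = #{inflight := I}) ->
    maybe_flush(St#{inflight := lists:delete(Req, I)}).

send(Req, St = #{inflight := I, wire := W}) ->
    St#{inflight := I ++ [Req], wire := [{request, Req} | W]}.

%% The synchronous SASL exchange runs only with an empty in-flight list, so
%% the next frame read from the socket must be the SASL response.
maybe_flush(St = #{inflight := [], backlog := [sasl_authenticate | T], wire := W}) ->
    maybe_flush(St#{backlog := T, wire := [sasl_exchange | W]});
%% Requests queued behind a completed re-auth go out in arrival order.
maybe_flush(St = #{backlog := [{send, Req} | T]}) ->
    maybe_flush(send(Req, St#{backlog := T}));
%% Head is a re-auth that must still wait, or the backlog is empty.
maybe_flush(St) ->
    St.

%% Constructed trace: two requests are in flight when the timer fires, and a
%% third request arrives before either response. Returns the socket writes
%% in the order they happened.
demo() ->
    Events = [{send, a}, {send, b}, sasl_authenticate, {send, c},
              {response, a}, {response, b}],
    #{wire := W} = lists:foldl(fun handle/2, new(), Events),
    lists:reverse(W).
```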