librdkafka
KIP 368: SASL Reauthentication
@edenhill, could you please take a look? Thank you.
@julesbovet, please also take a look. Thank you.
@edenhill any updates on the additional requirements?
@edenhill, any update? Thanks.
@edenhill , any update for the requirements?
Any way we can help with this feature?
I think the proposed solution is overly complex, and I don't think the special handling of the reauth requests is really needed.
Can't we get away with just sending the SaslHandshakeRequest upon reauth timer expiry and handling the results on response; if reauth succeeds nothing needs to be done (just restart the timer), if it fails we close the broker connection and perhaps raise a fatal error.
There's also the addition of sasl_set_credentials() in #4033 that is also needed for reauth to be meaningful.
I agree that that could be a potential solution, but reading the description of the KIP leads me to believe that this is a requirement to hold back other requests:
"the broker will communicate the session expiration time as part of the final SASL_AUTHENTICATE response. If this value is positive, then the client will automatically re-authenticate before anything else unrelated to re-authentication is sent beyond that expiration point."
also:
"Note also that the client cannot queue up additional send requests beyond the one that triggers re-authentication to occur until re-authentication succeeds and the triggering one is sent."
Not sure if I am misinterpreting.
Thanks a lot @vctoriawu for starting this.
We discussed this quite a bit internally, and we decided to do it with the new broker state as Magnus suggested in the comment above. The approach does take care of the case you mention here.
The PR #4301 is a draft of that approach. I've taken the commits from this PR and built upon those. I've also added a few tests. (The credential refresh callback is yet to be implemented, though, it's only the reauthentication bit -- any credentials, if the user wants to reset them, have to be done on their own for SASL PLAIN and SCRAM.)
If you have any comment or question about this approach, please send them to that PR.
Closing this with the 2.2.0 release which has this feature. Thanks
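Added illustration, not part of the thread and not librdkafka's code: a minimal C model of the gating the quoted KIP text describes, where a dedicated connection state holds back non-SASL requests once the session lifetime from the final SASL_AUTHENTICATE response has elapsed. All type and function names, and the 1000 ms lifetime, are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model for illustration; these are not librdkafka types or APIs. */
typedef enum { CONN_UP, CONN_REAUTH, CONN_DOWN } conn_state_t;
typedef enum { SEND_OK, SEND_HELD, SEND_REFUSED } send_result_t;
typedef struct {
    conn_state_t state;
    int64_t reauth_at_ms; /* absolute deadline; 0 = broker set no session lifetime */
    int held;             /* requests parked while re-authentication runs */
    int sent;             /* requests written to the wire */
} conn_t;

/* Called with the session lifetime from the final SASL_AUTHENTICATE response. */
static void conn_authenticated(conn_t *c, int64_t now_ms, int64_t lifetime_ms) {
    c->state = CONN_UP;
    c->reauth_at_ms = lifetime_ms > 0 ? now_ms + lifetime_ms : 0;
    c->sent += c->held; /* flush requests held back during re-authentication */
    c->held = 0;
}

/* Gate every outgoing request on the session deadline. */
static send_result_t conn_send(conn_t *c, int64_t now_ms, int is_sasl) {
    if (c->state == CONN_DOWN)
        return SEND_REFUSED;
    if (c->state == CONN_UP && c->reauth_at_ms > 0 && now_ms >= c->reauth_at_ms)
        c->state = CONN_REAUTH; /* expiry reached: only SASL traffic from here on */
    if (c->state == CONN_REAUTH && !is_sasl) {
        c->held++;
        return SEND_HELD;
    }
    c->sent++;
    return SEND_OK;
}

/* Failed re-authentication closes the connection, as proposed in the thread. */
static void conn_reauth_failed(conn_t *c) { c->state = CONN_DOWN; }

int main(void) {
    conn_t c = {0};
    conn_authenticated(&c, 0, 1000); /* constructed: 1000 ms session lifetime */
    printf("t=500  produce -> %d\n", conn_send(&c, 500, 0));
    printf("t=1000 produce -> %d\n", conn_send(&c, 1000, 0));
    printf("t=1001 sasl    -> %d\n", conn_send(&c, 1001, 1));
    conn_authenticated(&c, 1002, 1000); /* re-authentication succeeded */
    printf("sent=%d held=%d\n", c.sent, c.held);
    return 0;
}
```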