KAFKA-5947: Handle authentication failure in admin client, txn producer #3928
Conversation
rajinisivaram
commented
Sep 20, 2017
rajinisivaram
commented
- Raise AuthenticationException for authentication failures in admin client
- Handle AuthenticationException as a fatal error for transactional producer
- Add comments to authentication exceptions
|
@vahidhashemian @hachikuji Can you review, please? Thanks. |
| * </p><p> | ||
| * SASL authentication failures typically indicate invalid credentials. | ||
| * <p> | ||
| */ | ||
| public class AuthenticationFailedException extends AuthenticationException { |
There was a problem hiding this comment.
I wonder if this should be called InvalidCredentialsException.
There was a problem hiding this comment.
At the moment, we have a single error code and exception for authentication failure with an error message giving more details. For SSL, this includes any handshake exception (e.g. server host name verification failure). At the moment, we are reporting only invalid credentials for SASL, but we may add others too. Since we convert SSLException and SaslException from the providers, it is simpler to maintain a more generic AuthenticationFailed exception rather than separate exceptions for different failures.
There was a problem hiding this comment.
The issue I have is that AuthenticationFailedException is too similar to AuthenticationException.
There was a problem hiding this comment.
What about SaslAuthenticationFailedException and SslAuthenticationFailedException?
There was a problem hiding this comment.
I will add without the Failed to be consistent with TopicAuthorizationException etc. So SaslAuthenticationException and SslAuthenticationException.
There was a problem hiding this comment.
I read it a bit too quickly on my phone and I hadn't seen the "Failed" part. What you did in the end is what I had in mind.
There was a problem hiding this comment.
I removed the SSL exception part from the doc. Will add SslAuthenticationException and the associated docs in #3918
|
@rajinisivaram Thanks for the PR. It looks good to me after a quick review. |
| @@ -974,6 +1011,9 @@ public void run() { | |||
|
|
|||
| // Update the current time and handle the latest responses. | |||
| now = time.milliseconds(); | |||
| if (handleAuthenticationException(now, callsToSend) && | |||
| hardShutdownTimeMs.get() != INVALID_SHUTDOWN_TIME) | |||
There was a problem hiding this comment.
What is the reason for hardShutdownTimeMs.get() != INVALID_SHUTDOWN_TIME?
There was a problem hiding this comment.
We don't want to exit this background thread until a close has been requested. If we are closing and there is an authentication exception, we want to terminate immediately. If we are not closing, the thread is kept alive so that a future request after credentials are added can succeed. This is tested in the integration test.
There was a problem hiding this comment.
Hmm, what's the impact of not exiting immediately? It seems like we would not have any responses anyway, so it should happen pretty quickly either way (and all pending requests have been cancelled). Maybe keep it simple?
| @@ -579,6 +580,11 @@ synchronized void retry(TxnRequestHandler request) { | |||
| enqueueRequest(request); | |||
| } | |||
|
|
|||
| synchronized void authenticationFailed(AuthenticationException e) { | |||
There was a problem hiding this comment.
Would it be worth making this more generic and simply call it fatalError or something?
There was a problem hiding this comment.
Hmm... The code was changed from generic to more specific in the other PR based on review comments. So I thought this should be specific too.
There was a problem hiding this comment.
OK, we can leave it like that then.
| * This exception indicates unexpected requests prior to SASL authentication. | ||
| * This could be due to misconfigured security, e.g. if PLAINTEXT protocol | ||
| * is used to connect to a SASL endpoint. | ||
| * |
| /** | ||
| * This exception indicates that the SASL mechanism requested by the client | ||
| * is not enabled on the broker. | ||
| * |
| result.all().get(); | ||
| fail("Expected an authentication error!"); | ||
| } catch (Exception e) { | ||
| assertTrue("Expected AuthenticationFailedException, got " + e.getClass(), e.getCause() instanceof AuthenticationFailedException); |
| Map<String, Object> props = new HashMap<>(saslClientConfigs); | ||
| props.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:" + server.port()); | ||
| props.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, "org.apache.kafka.common.serialization.StringSerializer"); | ||
| props.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, "org.apache.kafka.common.serialization.StringSerializer"); |
There was a problem hiding this comment.
We can pass the serializers in the constructor and it's a bit more concise.
There was a problem hiding this comment.
To add to the constructors, we need to remove the import restrictions on the package. It feels better to do them as properties instead since this test is currently in the security package. @vahidhashemian did that to avoid changing the restrictions.
There was a problem hiding this comment.
The serialization package is open to everyone (it's public API and at the lowest layer). So I don't think we should worry about that. It's not like we're avoiding a dependency here, we are just hiding it via a string based config (that still requires the default constructor to be present).
| props.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, "org.apache.kafka.common.serialization.StringSerializer"); | ||
| props.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, "org.apache.kafka.common.serialization.StringSerializer"); | ||
| props.put(ProducerConfig.TRANSACTIONAL_ID_CONFIG, "txclient-1"); | ||
| props.put(ProducerConfig.MAX_IN_FLIGHT_REQUESTS_PER_CONNECTION, "5"); |
There was a problem hiding this comment.
copied and pasted earlier :-), removed now.
| props.put(ProducerConfig.TRANSACTIONAL_ID_CONFIG, "txclient-1"); | ||
| props.put(ProducerConfig.MAX_IN_FLIGHT_REQUESTS_PER_CONNECTION, "5"); | ||
| props.put(ProducerConfig.ENABLE_IDEMPOTENCE_CONFIG, "true"); | ||
| props.put(ProducerConfig.BATCH_SIZE_CONFIG, "16384"); |
There was a problem hiding this comment.
This is also the default, I think.
| producerConfig.setProperty(ProducerConfig.TRANSACTIONAL_ID_CONFIG, "txclient-1") | ||
| producerConfig.put(ProducerConfig.MAX_IN_FLIGHT_REQUESTS_PER_CONNECTION, "5") | ||
| producerConfig.put(ProducerConfig.ENABLE_IDEMPOTENCE_CONFIG, "true") | ||
| producerConfig.put(ProducerConfig.BATCH_SIZE_CONFIG, "16384") |
There was a problem hiding this comment.
This and max in flight are defaults right?
There was a problem hiding this comment.
yes, removed.
| private boolean handleAuthenticationException(long now, Map<Node, List<Call>> callsToSend) { | ||
| AuthenticationException authenticationException = null; | ||
| try { | ||
| metadata.maybeThrowAuthenticationException(); |
There was a problem hiding this comment.
Should we add a method that is like this one, but returns the exception instead? It seems a bit convoluted to throw a stored exception just to catch it. Not sure if that helps other cases, but at least here, it seems to make the code cleaner.
There was a problem hiding this comment.
I changed the existing method to return the exception rather than throw it.
| @@ -579,6 +580,11 @@ synchronized void retry(TxnRequestHandler request) { | |||
| enqueueRequest(request); | |||
| } | |||
|
|
|||
| synchronized void authenticationFailed(AuthenticationException e) { | |||
There was a problem hiding this comment.
OK, we can leave it like that then.
| Map<String, Object> props = new HashMap<>(saslClientConfigs); | ||
| props.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:" + server.port()); | ||
| props.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, "org.apache.kafka.common.serialization.StringSerializer"); | ||
| props.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, "org.apache.kafka.common.serialization.StringSerializer"); |
There was a problem hiding this comment.
The serialization package is open to everyone (it's public API and at the lowest layer). So I don't think we should worry about that. It's not like we're avoiding a dependency here, we are just hiding it via a string based config (that still requires the default constructor to be present).
| @@ -68,12 +74,27 @@ class SaslClientsWithInvalidCredentialsTest extends IntegrationTestHarness with | |||
| @Test | |||
| def testProducerWithAuthenticationFailure() { | |||
| verifyAuthenticationException(() => sendOneRecord(10000)) | |||
| verifyAuthenticationException(() => producers.head.partitionsFor(topic)) | |||
There was a problem hiding this comment.
Nit: we can change the parameter to be by name (=> Unit instead of () => Unit) and then you don't need the noisy () => in every invocation.
| } | ||
| } catch (AuthenticationException e) { | ||
| // This is already logged as error, but propagated here to perform any clean ups. | ||
| log.trace("Authentication exception while processing transactional request"); |
There was a problem hiding this comment.
Do we want to include the exception message or stacktrace?
| } | ||
| for (List<Call> calls : callsToSend.values()) { | ||
| for (Call call : calls) { | ||
| call.handleFailure(authenticationException); |
There was a problem hiding this comment.
Why are we calling handleFailure directly instead of fail? If we used fail in both places, we could extract a method and call it twice in succession, once for newCalls and once for callsToSend.
| @@ -974,6 +1011,9 @@ public void run() { | |||
|
|
|||
| // Update the current time and handle the latest responses. | |||
| now = time.milliseconds(); | |||
| if (handleAuthenticationException(now, callsToSend) && | |||
| hardShutdownTimeMs.get() != INVALID_SHUTDOWN_TIME) | |||
There was a problem hiding this comment.
Hmm, what's the impact of not exiting immediately? It seems like we would not have any responses anyway, so it should happen pretty quickly either way (and all pending requests have been cancelled). Maybe keep it simple?
|
@vahidhashemian @ijuma Thanks for the reviews. Have addressed the comments so far. |
| @@ -200,32 +201,38 @@ public void run() { | |||
| */ | |||
| void run(long now) { | |||
| if (transactionManager != null) { | |||
| if (transactionManager.shouldResetProducerStateAfterResolvingSequences()) | |||
There was a problem hiding this comment.
@hachikuji, if you have a chance, have a look and see if this is OK.
