Clean up proxies with expiring credentials
Due to the behaviour of the Kafka clients, we want to avoid them going into a retry loop in case of an expired OAuth token. The current proxy janitor _would_ clean them up eventually but this is behaviour to be avoided. Thus the proxy janitor is extended to clean up proxies that have auth tokens expiring within a "tolerance" amount of time. To extract the expiry time (`exp` claim) from an OAuth token, the `pyjwt` library is used. With this action we do not verify the token signature (which would not be possible without knowing the signing public key). Normally this would present the issue of tokens that have been tampered with and not re-signed. However, when using a token for the first time, the Karapace REST proxy instantiates a Kafka admin client, which results in immediate verification of the token by Kafka. So even if the expiration time has been maliciously changed, the connection will be refused by Kafka, resulting in an Unauthorized response from Karapace to its client.
Mátyás Kuti committed Oct 13, 2023
1 parent b19cf19 · commit 2823e81
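The tolerance check described in the commit message, written out as an added example (this is not Karapace code). It reads the `exp` claim out of a JWT without checking the signature, then selects the proxies whose token is already expired or will expire within a tolerance window. Only the standard library is used, as a stand-in for pyjwt: `jwt.decode(token, options={"verify_signature": False})` would return the same claims. The names `ProxyEntry`, `expiring_proxies`, `unverified_exp` and the HS256 test tokens are assumptions made for the example; the janitor's real data structures and the tolerance value are not shown on this page.

```python
"""Added example, not Karapace code: select proxies whose OAuth token expires
within a tolerance window, reading `exp` without verifying the signature.
Standard library only; pyjwt's jwt.decode(..., options={"verify_signature":
False}) returns the same claims. ProxyEntry/expiring_proxies are illustrative."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unverified_exp(token: str) -> Optional[int]:
    """Return the `exp` claim (seconds since epoch) or None if the token has none.
    Raises ValueError on a structurally invalid token. No signature check is
    done here: the value is only trusted because Kafka verifies the token when
    the proxy first uses it, so a tampered exp still yields Unauthorized."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    try:
        claims = json.loads(_b64url_decode(parts[1]))  # binascii.Error is a ValueError
    except ValueError as e:
        raise ValueError(f"payload is not base64url-encoded JSON: {e}") from e
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    exp = claims.get("exp")
    if exp is None:
        return None
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("exp claim must be a NumericDate")
    return int(exp)


@dataclass
class ProxyEntry:
    key: str        # whatever the janitor keys proxies by (assumed)
    token: str      # the OAuth bearer token the proxy authenticates with
    last_used: float  # input to the existing idle-timeout cleanup (unused here)


def expiring_proxies(proxies, tolerance_s: int, now: Optional[float] = None) -> list:
    """Keys of proxies to clean up: token expired or expiring within tolerance_s.
    Tokens with no exp claim are left to the idle-timeout janitor; malformed
    tokens are evicted, since they cannot authenticate to Kafka anyway."""
    now = time.time() if now is None else now
    out = []
    for p in proxies:
        try:
            exp = unverified_exp(p.token)
        except ValueError:
            out.append(p.key)
            continue
        if exp is not None and exp - now <= tolerance_s:
            out.append(p.key)
    return out


def make_token(claims: dict, secret: bytes = b"constructed-secret") -> str:
    """Constructed HS256 token for sample data only; not a real credential."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def tamper_exp(token: str, new_exp: int) -> str:
    """Rewrite exp but keep the old signature: the case the unverified read
    cannot detect and that Kafka's own verification rejects."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["exp"] = new_exp
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.{sig}"


def signature_valid(token: str, secret: bytes = b"constructed-secret") -> bool:
    """What the broker does and the janitor does not: check the HS256 tag."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url_decode(sig), expected)


if __name__ == "__main__":
    now = 1_700_000_000
    proxies = [  # constructed sample entries
        ProxyEntry("fresh", make_token({"sub": "a", "exp": now + 3600}), now),
        ProxyEntry("soon", make_token({"sub": "b", "exp": now + 20}), now),
        ProxyEntry("expired", make_token({"sub": "c", "exp": now - 1}), now),
        ProxyEntry("no-exp", make_token({"sub": "d"}), now),
        ProxyEntry("garbage", "not-a-jwt", now),
    ]
    print(expiring_proxies(proxies, tolerance_s=30, now=now))
    forged = tamper_exp(proxies[2].token, now + 3600)
    print(unverified_exp(forged), signature_valid(forged))
```

The `tamper_exp` / `signature_valid` pair makes the commit message's caveat concrete: rewriting `exp` on an already-expired token pushes it past the tolerance window as far as the janitor can tell, but the signature no longer matches, so the Kafka admin client the proxy creates on first use is refused. The janitor's unverified read is therefore a liveness optimisation, not an authorization decision, and it must stay that way.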
Showing 8 changed files with 192 additions and 43 deletions.
@@ -30,6 +30,7 @@ | |
"kafka-python", | ||
"networkx", | ||
"protobuf", | ||
"pyjwt", | ||
"python-dateutil", | ||
], | ||
extras_require={ | ||
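Review bot: the added `"pyjwt",` entry carries no version constraint. That matches the neighbouring entries in this list, but since the commit message says the library is used only to read `exp` with signature verification disabled, a lower bound (for example `"pyjwt>=2"`) is worth adding: the way `jwt.decode` is told to skip verification changed between PyJWT 1.x and 2.x, so an old resolved version would fail in the janitor at runtime rather than at install time.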