Current state: Approved
Discussion thread: here
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Kafka network threads are mainly responsible for establishing connections with clients and other brokers, authenticating them, and receiving and sending Kafka protocol requests and responses. Authentication is one of the most expensive operations performed in the network threads, so much so that it can saturate them and prevent any useful work from being done. Given this, a misconfigured application trying to connect with incorrect (or stale) credentials could cause a denial-of-service-like situation. To help mitigate this issue, this KIP proposes to introduce a way of delaying the response to a failed authentication.
This KIP proposes to add a new broker configuration, connection.failed.authentication.delay.ms, which specifies the amount of time (in milliseconds) by which to delay a failed authentication response and the subsequent socket disconnection. In general, this must be configured to be lower than
Explanation: This configuration specifies the amount of time, in milliseconds, by which a response to a failed authentication will be delayed.
Default Value: 100
The proposal is to delay sending out the "authentication failed" response along with any associated cleanup work, such as socket disconnection. The implementation will be similar to
Compatibility, Deprecation, and Migration Plan
The change in this KIP is backward compatible as it does not change the protocol in any way. The only difference is that clients will see a 100ms delay on failed authentications.
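The delayed failure response proposed above only helps if the delay itself does not occupy a network thread. The following added sketch (Python, not Kafka's code and not part of the KIP) parks failed connections in a deadline-ordered queue that an event loop drains, then counts how many authentications one retrying client can force. The class and function names, the 5 ms authentication cost and the single tight-loop client are assumptions made for illustration.

```python
import heapq
from itertools import count

class DelayedAuthFailureQueue:
    """Parks failed-auth connections until a deadline; never sleeps."""
    def __init__(self, delay_ms):
        self.delay_ms = delay_ms
        self._heap = []      # entries are (deadline_ms, seq, conn_id)
        self._seq = count()  # tie-breaker: FIFO order for equal deadlines

    def on_auth_failure(self, conn_id, now_ms):
        # Record the deadline and return at once so the thread can serve others.
        heapq.heappush(self._heap, (now_ms + self.delay_ms, next(self._seq), conn_id))

    def poll_expired(self, now_ms):
        # Called once per event-loop iteration: connections whose failure
        # response and socket disconnection are now due.
        due = []
        while self._heap and self._heap[0][0] <= now_ms:
            due.append(heapq.heappop(self._heap)[2])
        return due

    def next_timeout_ms(self, now_ms):
        # Upper bound for the loop's poll timeout; None if nothing is parked.
        return max(0, self._heap[0][0] - now_ms) if self._heap else None


def simulate_retry_loop(delay_ms, auth_cost_ms, window_ms):
    """Count authentications one stale-credential client forces in window_ms.

    Constructed worst case: the client reconnects the instant it is
    disconnected, and each attempt costs auth_cost_ms of thread time.
    """
    q = DelayedAuthFailureQueue(delay_ms)
    now, attempts = 0, 0
    while now + auth_cost_ms <= window_ms:
        now += auth_cost_ms            # thread busy verifying credentials
        attempts += 1
        q.on_auth_failure("client-1", now)
        now += q.next_timeout_ms(now)  # thread is free for other work here
        assert q.poll_expired(now) == ["client-1"]
    return attempts
```

With the constructed 5 ms cost, `simulate_retry_loop(0, 5, 1000)` yields 200 authentications in one second, while the default 100 ms delay, `simulate_retry_loop(100, 5, 1000)`, yields 10.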