hlteoh37
commented
1 year ago Have we tested that this works to resolve the specific failure mode specified here? https://github.com/aws/aws-msk-iam-auth/issues/36#issuecomment-1070563135
If so, we might want to mention it in the overview
dannycranmer
Issue #, if available:
https://github.com/aws/aws-msk-iam-auth/issues/36
Description of changes:
This change fixes the classloader issue experienced in this issue. I have introduced a new
SaslClientFactorycalledClassLoaderAwareIAMSaslClientFactoryregistered under theAWS_MSK_IAMmechanism. The existingIAMSaslClientFactoryhas been moved to a new mechanism nameAWS_MSK_IAM.<classloader>. EachIAMLoginModulewill register both mechanisms, we will end up with oneClassLoaderAwareIAMSaslClientFactoryper JVM andncopies ofIAMSaslClientFactory,nequals the number of ClassLoaders used.ClassLoaderAwareIAMSaslClientFactorypicks the correctIAMSaslClientFactorybased on the classloader of theCallbackHandlerFor single classloader environments, there will be 1
ClassLoaderAwareIAMSaslClientFactoryand 1IAMSaslClientFactory. We will incur a negligible performance hit delegating from one to the other.Testing
I have tested against MSK using a Flink cluster running on EC2 box. I verified this issue resolves issue #36. I am waiting for additional test feedback from other stakeholders, and am hoping that this can be verified against MSK e2e tests.
Concerns:
Since we register
ncopies ofIAMSaslClientFactorythere is an opportunity for this to infinitely grow and leak, for example if a Flink job is continuously failing over. However, in this situation the job is already broken and this tradeoff might be acceptable against the current state, where multi classloader environments are not supported.By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.