kafka: Fixed segfault issue with auditing and mTLS #23245
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/54207#0191d8b9-e1da-425c-a444-e997fafc71e2
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/54207#0191d8bb-aff2-4ffc-b059-f9c948201c2c
ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/54257#0191dcf5-920c-4127-815b-ab9389d9d788
The audit log system requires that the Redpanda cluster is configured to use SASL/SCRAM authentication. This is due to permissions applied to the audit log topic (only permitting the audit log system to produce to the audit log topic). When the internal k/client attempts to connect to the node and it reports "illegal_sasl_state", the audit system flags that the audit system is misconfigured. This prevents audit messages from being enqueued into the audit system and in turn ensures that the unaudited action is not performed (that's important).

Originally, if the next error message seen is not "illegal_sasl_state" then the flag is unset. However, after reconnect the client may see "broker_not_available" and then "illegal_sasl_state". This commit changes the behavior to wait for neither "illegal_sasl_state" nor "broker_not_available" to be seen before unsetting the flag.

Signed-off-by: Michael Boquard <michael@redpanda.com>
The connection_context::start method enqueues the connect_context instance into the list of connections. If connection_context::stop is called before the item is inserted, then a segfault will happen.

Fixes: CORE-7245

Signed-off-by: Michael Boquard <michael@redpanda.com>
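The flag handling described in the first commit message above, replayed over a reconnect sequence under the original and the changed clearing rule. This is an added sketch, not Redpanda's code: the type and function names are hypothetical, the error sequences are constructed, and it assumes `broker_not_available` leaves the flag unchanged under the new rule.

```cpp
// Added illustration, not Redpanda source; all names are hypothetical.
#include <cstddef>
#include <iostream>
#include <vector>

enum class client_error { none, illegal_sasl_state, broker_not_available };
enum class clear_rule { original, patched };

// Models the "audit system is misconfigured" flag from the commit message.
class misconfig_tracker {
public:
    explicit misconfig_tracker(clear_rule r) : _rule(r) {}
    void observe(client_error e) {
        if (e == client_error::illegal_sasl_state) { _flag = true; return; }
        // Assumption: under the patched rule broker_not_available leaves the
        // flag unchanged; it neither sets nor clears it.
        if (_rule == clear_rule::patched
            && e == client_error::broker_not_available) { return; }
        _flag = false; // original rule: anything but illegal_sasl_state clears
    }
    // While the flag is set, audit messages are refused.
    bool may_enqueue() const { return !_flag; }
private:
    clear_rule _rule;
    bool _flag = false;
};

// Counts how often the flag goes from set to clear while replaying seq.
std::size_t count_clears(clear_rule r, const std::vector<client_error>& seq) {
    misconfig_tracker t(r);
    std::size_t clears = 0;
    for (client_error e : seq) {
        const bool was_set = !t.may_enqueue();
        t.observe(e);
        if (was_set && t.may_enqueue()) { ++clears; }
    }
    return clears;
}

// Constructed sequences: a reconnect against a still-misconfigured node, and
// a reconnect followed by a successful request.
const std::vector<client_error> reconnect_seq = {
    client_error::illegal_sasl_state, client_error::broker_not_available,
    client_error::illegal_sasl_state};
const std::vector<client_error> recovery_seq = {
    client_error::illegal_sasl_state, client_error::broker_not_available,
    client_error::none};

int main() {
    std::cout << count_clears(clear_rule::original, reconnect_seq) << ' '
              << count_clears(clear_rule::patched, reconnect_seq) << ' '
              << count_clears(clear_rule::patched, recovery_seq) << '\n';
}
```

A non-zero count on `reconnect_seq` marks a point where audit messages would have been accepted while the node was still misconfigured; the `recovery_seq` case checks that the flag still clears once neither error is seen.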
1ea5d3e to a5f56c3
the segfault fix lgtm. i don't understand the other stuff
fix looks straightforward. Really like the failure-case tests you wrote.
/backport v24.2.x
/backport v24.1.x
/backport v23.3.x
The connection_context::start method enqueues the connect_context instance into the list of connections. If connection_context::stop is called before the item is inserted, then a segfault will happen.
Fixes: CORE-7245
Backports Required
Release Notes
Bug Fixes