Managed Service - Streams / MGDSTRM-10519

Update connections.max.reauth.ms based on change in client token validity duration

    • MK - Sprint 235

      WHAT

      Change connections.max.reauth.ms to 14m59s now that client tokens last for 15 minutes (we previously set it to 4m59s because the tokens lasted for 5 minutes; this might be a result of a difference between MAS-SSO and RHSSO).

      WHY

      The old value was based on the old token lifetime. Now that the tokens have a longer lifetime, we should consider increasing this reauth period to match. This will mean that clients won't have to reauth as often (or that clients that don't support reauth won't have to reconnect as frequently, if they haven't explicitly disabled the reauth requirement).

      For OAUTHBEARER clients, it isn't expected to impact how frequently clients have to contact SSO, since they'd just reauth with the still-valid token, and would refresh it themselves before it expires. For PLAIN clients, it should reduce how often the Kafka brokers have to contact SSO to get a new token on behalf of the client. See this discussion for more information.

      HOW

      1. Change the value that is set for managedkafka.kafka.maximum-session-lifetime-default through the kas-fleetshard project, here.
      2. Update the threat model document to specify the new value.

      DONE

      • Change is rolled out to all instances in production
      • Threat model is up-to-date
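
An added example, not from the ticket or from kas-fleetshard: a drift check that compares a broker's `connections.max.reauth.ms` with the lifetime (`exp` minus `iat`) of an access token issued by SSO, which flags the stale 4m59s value once tokens last 15 minutes. The function names, the one-second margin, and the sample token and properties are assumptions constructed for illustration; the token signature is not verified because only the lifetime claims are read.

```python
import base64
import json


def make_sample_jwt(iat: int, lifetime_s: int) -> str:
    """Constructed, unsigned sample token for the demo (not a real SSO token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc({"iat": iat, "exp": iat + lifetime_s})}.'


def token_lifetime_ms(jwt: str) -> int:
    """Lifetime (exp - iat) of a JWT in milliseconds. Signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return (claims["exp"] - claims["iat"]) * 1000


def parse_properties(text: str) -> dict:
    """Minimal key=value parser for broker properties (comments, blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_reauth(props_text: str, jwt: str, margin_ms: int = 1000) -> str:
    """Classify connections.max.reauth.ms against the observed token lifetime."""
    reauth = int(parse_properties(props_text).get("connections.max.reauth.ms", "0"))
    lifetime = token_lifetime_ms(jwt)
    if reauth <= 0:
        return "DISABLED"   # 0 is Kafka's default: no forced re-authentication
    if reauth >= lifetime:
        return "TOO_LONG"   # not below the token lifetime, unlike the ticket's value
    if reauth < lifetime - margin_ms:
        return "TOO_SHORT"  # stale value: re-auth forced earlier than the token needs
    return "OK"             # just under the token lifetime, e.g. 14m59s for 15m


if __name__ == "__main__":
    token_15m = make_sample_jwt(iat=1700000000, lifetime_s=900)  # constructed
    old_cfg = "# constructed broker config\nconnections.max.reauth.ms=299000\n"
    new_cfg = "# constructed broker config\nconnections.max.reauth.ms=899000\n"
    print("4m59s vs 15m token:", check_reauth(old_cfg, token_15m))
    print("14m59s vs 15m token:", check_reauth(new_cfg, token_15m))
```
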

            keithbwall Keith Wall
            gryan@redhat.com Gerard Ryan
            Kafka Integrations