THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
- When using SASL/Kerberos authentication, the kafka server principal is of the form kafka@kafka/broker1.hostname.com@EXAMPLE.COM
- Kerberos requires that the hosts can be resolved by their FQDNs.
- During SASL handshake, the client will create creates a SASL token and then send sends it to kafka for auth.
But to create a SASL token the client first needs to be able to validate that the broker's kerberos is a valid one.
The kafka server principal is not matching doesn't match the hostname referenced by the client : (as the SaslAuthenticator will compare the alias' FQDN with the kafka broker hostname).
This fails the client broker kerberos validation and results in SASL authentication failure.
Public Interfaces
org.apache.kafka.clients
...