You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

Status

Current state : discussion

Discussion thread : https://lists.apache.org/thread.html/c29f6744b3e87b8e691de8cf5feb31f33dd8c2a5e07b77f957255a4e@%3Cdev.kafka.apache.org%3E

JIRA :  Unable to render Jira issues macro, execution error.

Motivation

When specifying a dns alias in bootstrap.server, the Java client API doesn't resolve all the CNAMES behind it.

This breaks kerberos based SASL authentication and therefore clients are unable to connect to a secured cluster.

Using an alias in bootstrap.servers along with SASL auth results in the following error :

javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]) occurred when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTH_FAILED state. [Caused by javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]]

This is due to the following :

  • When using SASL/Kerberos authentication, the kafka server principal is of the form kafka@kafka/broker1.hostname.com@EXAMPLE.COM
  • Kerberos requires that the hosts can be resolved by their FQDNs.
  • During SASL handshake, the client will create a SASL token and then send it to kafka for auth.
    But to create a SASL token the client first needs to be able to validate that the broker's kerberos is a valid one.

The kafka server principal is not matching the hostname referenced by the client : as the SaslAuthenticator will compare the alias' FQDN with the kafka broker hostname.

Public Interfaces

org.apache.kafka.clients

Proposed Changes

Change parseAndValidateAddresses() in ClientUtils to allow full dns resolution which will result in adding all underlying hosts as kafka nodes. This will allow using an alias in bootstrap.servers

Forcing this behaviour down on existing users isn't desirable since it could break SSL authentication. This should therefore be an optional feature.

Proposed parameter :

bootstrap.reverse.dns.lookup = true / false

Code snippets in the JIRA.

Rejected alternatives

Other option considered :
Changing default behaviour.

  • No labels