Posted to jira@kafka.apache.org by "Yiming Zang (Jira)" <ji...@apache.org> on 2022/05/11 22:26:00 UTC

[jira] [Commented] (KAFKA-13894) Extend Kafka kerberos auth support to beyond only hostname

    [ https://issues.apache.org/jira/browse/KAFKA-13894?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17535126#comment-17535126 ] 

Yiming Zang commented on KAFKA-13894:
-------------------------------------

We have internal changes that already fix this issue and would like to merge them back to the open source community! Could anyone take a look at this proposal and see if it makes sense?

> Extend Kafka kerberos auth support to beyond only hostname
> ----------------------------------------------------------
>
>                 Key: KAFKA-13894
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13894
>             Project: Kafka
>          Issue Type: Improvement
>          Components: clients
>            Reporter: Yiming Zang
>            Priority: Critical
>
> {*}Problem{*}:
> Currently the Kafka client only supports using the Kafka broker hostname in the Kerberos authentication process ([Source Code|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L231]).
> However, not all companies support per-host keytabs. It is a common practice that a keytab which contains a shared identity name is used instead. To support this kind of Kerberos setup, we need to make some changes so that Kafka supports a customized service name instead of only using the hostname for authentication.
> {*}Proposal{*}:
> To address this issue, we propose adding an extra client-side configuration for Kerberos authentication. If the user provides that configuration, we will use whatever is provided to replace the hostname; otherwise we will default back to using hostnames. Here's an example:
>  
> {code:java}
> String kerberosServiceNameFromConfig = (String)configs.get(SaslConfigs.SASL_KERBEROS_SERVICE_NAME);
> String hostnameOrServiceName = (kerberosServiceNameFromConfig == null || kerberosServiceNameFromConfig.trim().isEmpty()) ? socket.getInetAddress().getHostName() : kerberosServiceNameFromConfig;
> authenticatorCreator = () -> buildClientAuthenticator(configs,
>   saslCallbackHandlers.get(clientSaslMechanism),
>   id,
>   hostnameOrServiceName,
>   loginManager.serviceName(),
>   transportLayer,
>   subjects.get(clientSaslMechanism));{code}
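The selection logic in the proposal, modelled as an added example (this is not Kafka's code and not part of the issue): it applies the same "override if set and non-blank, else socket hostname" rule, builds the Kerberos service principal the client will request a ticket for, and rejects override values that could smuggle a different service, host or realm into that principal. The override key name is a hypothetical placeholder, and the principal format assumes the standard GSSAPI host-based form `service/host@REALM`.

```python
# Added example, not Kafka's code: models the proposal's host-vs-override selection and
# the Kerberos service principal that results from it, plus input validation.
import re
from typing import Mapping, Optional

# Hypothetical key for the proposed override; the real name is for the proposal to decide.
HOST_OVERRIDE_KEY = "sasl.kerberos.server.hostname.override"  # assumption, not a Kafka config
SERVICE_NAME_KEY = "sasl.kerberos.service.name"               # existing Kafka client config

# A principal component must not contain '/', '@' or whitespace: any of those would let a
# config value change the service, host or realm part of the principal the client trusts.
_COMPONENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def resolve_server_host(configs: Mapping[str, Optional[str]], socket_hostname: str) -> str:
    """Same fallback rule as the proposal: override if present and non-blank, else hostname."""
    override = configs.get(HOST_OVERRIDE_KEY)
    if override is None or not override.strip():
        return socket_hostname
    return override.strip()


def service_principal(configs: Mapping[str, Optional[str]], socket_hostname: str, realm: str) -> str:
    """Principal the client asks the KDC for. With a shared override, every broker presenting
    that shared keytab is accepted, so per-host mutual authentication is no longer verified."""
    service = configs.get(SERVICE_NAME_KEY) or "kafka"
    host = resolve_server_host(configs, socket_hostname)
    for component in (service, host):
        if not _COMPONENT_RE.match(component):
            raise ValueError(f"invalid Kerberos principal component: {component!r}")
    return f"{service}/{host}@{realm}"


if __name__ == "__main__":
    # Constructed sample configs: default, shared identity, and a blank override.
    for cfg in ({}, {HOST_OVERRIDE_KEY: "kafka-shared"}, {HOST_OVERRIDE_KEY: "   "}):
        print(service_principal(cfg, "broker1.example.com", "EXAMPLE.COM"))
```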



--
This message was sent by Atlassian Jira
(v8.20.7#820007)