Posted to users@kafka.apache.org by Stephane Maarek <st...@simplemachines.com.au> on 2017/01/05 05:21:55 UTC

Confused about SASL

Hi,

My company has an Active Directory but I’m not exactly sure what to ask for
from them.
My current setup and goal is a fully automated Kafka cluster where, during
each Kafka broker boot, a DNS name will be created (
kafka-broker-10.example.com for example).

I’m looking into enabling security with SASL / GSSAPI but I have the
following questions:
1) Can my Kafka brokers share the same keytab and principal? They live on
different hosts though. Basically if that’s not possible, then it will be
impossible for me to automatically spin up kafka brokers…

2) In https://kafka.apache.org/documentation/#security_sasl_kerberos, does
the {hostname} correspond to the advertised hostname from Kafka? If so,
why can they all be the same here:
https://github.com/confluentinc/cp-docker-images/blob/master/examples/kafka-cluster-sasl/secrets/broker1_jaas.conf
?
Otherwise I missed the point of "*Make sure all hosts can be reachable
using hostnames* - it is a Kerberos requirement that all your hosts can be
resolved with their FQDNs".

3) Basically by securely storing one set of credentials for kafka and one
for zookeeper, I can bring up and down nodes as I please. Do you see any
issues with that?

Thanks for your help

Regards,
Stephane
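The per-host principal that the {hostname} placeholder in the Kafka documentation stands for, as an added example that is not part of this post or of Kafka itself: a boot-time script that takes the broker's FQDN, refuses a bare short name, checks that the name resolves (the "reachable using hostnames" requirement quoted above), and renders the KafkaServer JAAS section with the principal bound to that host. The realm EXAMPLE.COM, the keytab and output paths, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the Kafka project): render a
# per-broker KafkaServer JAAS section at boot, with the principal in the
# kafka/{hostname}@{REALM} form the Kafka docs describe.
# Assumptions: realm EXAMPLE.COM, keytab under /etc/security/keytabs.

# Pure string check, no network: a Kerberos service principal needs a
# fully qualified name, so "kafka-broker-10" is rejected outright.
is_fqdn() {
  case "$1" in
    .*|*.|*..*) return 1 ;;   # leading, trailing or doubled dot
    *.*) return 0 ;;          # at least one label separator
    *) return 1 ;;            # short name
  esac
}

# Forward lookup through the system resolver (getent comes with glibc).
resolves() {
  getent hosts "$1" >/dev/null 2>&1
}

# Print the KafkaServer section for a given host, realm and keytab path.
render_jaas() {
  host="$1"; realm="$2"; keytab="$3"
  is_fqdn "$host" || { echo "not an FQDN: $host" >&2; return 1; }
  cat <<EOF
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="$keytab"
    principal="kafka/$host@$realm";
};
EOF
}

# Boot-time entry point (hypothetical): derive this broker's FQDN, check
# it resolves, then write the JAAS file the broker will be pointed at.
main() {
  host="$(hostname -f)"
  resolves "$host" || { echo "$host does not resolve" >&2; exit 1; }
  render_jaas "$host" "EXAMPLE.COM" "/etc/security/keytabs/kafka.keytab" \
    > /etc/kafka/kafka_server_jaas.conf
}
```

Call main from the broker's start script, then point the JVM at the rendered file with -Djava.security.auth.login.config as the Kafka documentation describes.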