You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "Yiming Zang (Jira)" <ji...@apache.org> on 2022/05/11 22:19:00 UTC
[jira] [Created] (KAFKA-13894) Extend Kafka kerberos auth support to beyond only hostname
Yiming Zang created KAFKA-13894:
-----------------------------------
Summary: Extend Kafka kerberos auth support to beyond only hostname
Key: KAFKA-13894
URL: https://issues.apache.org/jira/browse/KAFKA-13894
Project: Kafka
Issue Type: Improvement
Reporter: Yiming Zang
{*}Problem{*}:
Currently Kafka client only support using the Kafka broker hostname in the kerberos authentication process ([Source Code|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L231]).
However, not all companies support per-host based keytabs. It is a common practice that a keytabs which contains a shared identity name is used instead. To support this kind of Kerberos set ups, we need to make some changes to make Kafka support a customized service name apart from just using the hostname for authentication.
{*}Proposal{*}:
To address this issue, we propose to add an extra client side configuration for Kerberos authentication. If user provide that configuration, we will use whatever is provided to replace the hostname, otherwise we will default back to use hostnames. Here's an example:
{code:java}
String kerberosServiceNameFromConfig = (String)configs.get(SaslConfigs.SASL_KERBEROS_SERVICE_NAME);
String hostnameOrServiceName = (kerberosServiceNameFromConfig == null || kerberosServiceNameFromConfig.trim().isEmpty()) ? socket.getInetAddress().getHostName() : kerberosServiceNameFromConfig;
authenticatorCreator = () -> buildClientAuthenticator(configs,
saslCallbackHandlers.get(clientSaslMechanism),
id,
hostnameOrServiceName,
loginManager.serviceName(),
transportLayer,
subjects.get(clientSaslMechanism));{code}
--
This message was sent by Atlassian Jira
(v8.20.7#820007)