You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "Manikumar (Jira)" <ji...@apache.org> on 2019/08/21 17:08:00 UTC
[jira] [Comment Edited] (KAFKA-8562) SASL_SSL still performs
reverse DNS lookup despite KAFKA-5051
[ https://issues.apache.org/jira/browse/KAFKA-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16912437#comment-16912437 ]
Manikumar edited comment on KAFKA-8562 at 8/21/19 5:07 PM:
-----------------------------------------------------------
In case of SASL/Kerberos, client should know fully-qualified host name of the server and must match with hostname in principal. So we may need to do DNS lookup to find-out hostname of server IP.
hostname is used to buildĀ [SaslClientAuthenticator|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L203] and [SslTransportLayer|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/com] . We can avoid the lookup while building underlyting SslTransportLayer instance.
was (Author: omkreddy):
Incase of SASL, hostname is used in [SaslClientAuthenticator|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L203] and [SslTransportLayer|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/com] instances.
I think incase of SaslClient, broker hostname must match with the hostname in `principal/hostname@realm`. So we need to still do DNS lookup to resolve IP to DNS. We can avoid the lookup while building underlyting SslTransportLayer instance.
> SASL_SSL still performs reverse DNS lookup despite KAFKA-5051
> -------------------------------------------------------------
>
> Key: KAFKA-8562
> URL: https://issues.apache.org/jira/browse/KAFKA-8562
> Project: Kafka
> Issue Type: Bug
> Reporter: Badai Aqrandista
> Priority: Minor
>
> When using SASL_SSL, the Kafka client performs a reverse DNS lookup to resolve IP to DNS. So, this circumvent the security fix made in KAFKA-5051.
> This is the line of code from AK 2.2 where it performs the lookup:
> https://github.com/apache/kafka/blob/2.2.0/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L205
> Following log messages show that consumer initially tried to connect with IP address 10.0.2.15. Then suddenly it created SaslClient with a hostname:
> {code:java}
> [2019-06-18 06:23:36,486] INFO Kafka commitId: 00d486623990ed9d (org.apache.kafka.common.utils.AppInfoParser)
> [2019-06-18 06:23:36,487] DEBUG [Consumer clientId=KafkaStore-reader-_schemas, groupId=schema-registry-10.0.2.15-18081] Kafka consumer initialized (org.apache.kafka.clients.consumer.KafkaConsumer)
> [2019-06-18 06:23:36,505] DEBUG [Consumer clientId=KafkaStore-reader-_schemas, groupId=schema-registry-10.0.2.15-18081] Initiating connection to node 10.0.2.15:19094 (id: -1 rack: null) using address /10.0.2.15 (org.apache.kafka.clients.NetworkClient)
> [2019-06-18 06:23:36,512] DEBUG Set SASL client state to SEND_APIVERSIONS_REQUEST (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
> [2019-06-18 06:23:36,515] DEBUG Creating SaslClient: client=null;service=kafka;serviceHostname=quickstart.confluent.io;mechs=[PLAIN] (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
> {code}
> Thanks
> Badai
--
This message was sent by Atlassian Jira
(v8.3.2#803003)