[ https://issues.apache.org/jira/browse/KAFKA-13894?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Yiming Zang updated KAFKA-13894:
--------------------------------
Component/s: clients
> Extend Kafka kerberos auth support to beyond only hostname
> ----------------------------------------------------------
>
> Key: KAFKA-13894
> URL: https://issues.apache.org/jira/browse/KAFKA-13894
> Project: Kafka
> Issue Type: Improvement
> Components: clients
> Reporter: Yiming Zang
> Priority: Major
>
> {*}Problem{*}:
> Currently the Kafka client only supports using the Kafka broker hostname in the
> Kerberos authentication process ([Source
> Code|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L231]).
> However, not all companies support per-host keytabs. It is a common
> practice that a keytab which contains a shared identity name is used
> instead. To support this kind of Kerberos setup, we need to make some
> changes so that Kafka supports a customized service name instead of only using
> the hostname for authentication.
> {*}Proposal{*}:
> To address this issue, we propose to add an extra client-side configuration
> for Kerberos authentication. If the user provides that configuration, we will use
> whatever is provided to replace the hostname; otherwise we will default back
> to using hostnames. Here's an example:
>
> {code:java}
> String kerberosServiceNameFromConfig =
>         (String) configs.get(SaslConfigs.SASL_KERBEROS_SERVICE_NAME);
> String hostnameOrServiceName =
>         (kerberosServiceNameFromConfig == null || kerberosServiceNameFromConfig.trim().isEmpty())
>                 ? socket.getInetAddress().getHostName()
>                 : kerberosServiceNameFromConfig;
> authenticatorCreator = () -> buildClientAuthenticator(configs,
>         saslCallbackHandlers.get(clientSaslMechanism),
>         id,
>         hostnameOrServiceName,
>         loginManager.serviceName(),
>         transportLayer,
>         subjects.get(clientSaslMechanism));
> {code}
>
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
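The fallback described in the proposal, as an added stand-alone example (not Kafka's own code and not the reporter's patch): the host part of the Kerberos service principal comes from an override config when one is set, otherwise from the socket hostname, and the result is combined with the service name into the host-based SASL name (`service@host`) that the GSSAPI client requests a ticket for. The config key `sasl.kerberos.service.hostname.override` is an assumption; the ticket's own snippet reuses `SaslConfigs.SASL_KERBEROS_SERVICE_NAME`. The rejection of `/` and `@` in the override is an added defensive check so a malformed value cannot silently change which principal the ticket is issued for.

```java
import java.util.HashMap;
import java.util.Map;

// Added example mirroring the KAFKA-13894 proposal; not part of the Kafka code base.
public class KerberosServiceHostResolver {
    // Hypothetical client config key (assumption, not an existing Kafka config).
    static final String OVERRIDE_CONFIG = "sasl.kerberos.service.hostname.override";

    /** Override when set and non-blank, otherwise the hostname of the connected socket. */
    static String resolveHostOrServiceName(Map<String, ?> configs, String socketHostName) {
        Object value = configs.get(OVERRIDE_CONFIG);
        if (!(value instanceof String) || ((String) value).trim().isEmpty()) {
            return socketHostName;  // default: per-host principal, as Kafka does today
        }
        String override = ((String) value).trim();
        // Only the host part is configurable; service name and realm are supplied elsewhere.
        if (override.contains("/") || override.contains("@")) {
            throw new IllegalArgumentException(OVERRIDE_CONFIG + " must be a bare host or identity name");
        }
        return override;
    }

    /** Host-based SASL service name handed to the GSSAPI client (maps to service/host@REALM). */
    static String saslServiceName(String serviceName, String hostOrServiceName) {
        return serviceName + "@" + hostOrServiceName;
    }

    public static void main(String[] args) {
        String socketHost = "broker1.example.com";          // constructed sample value
        Map<String, Object> perHost = new HashMap<>();       // no override: today's behaviour
        Map<String, Object> shared = new HashMap<>();        // shared identity keytab
        shared.put(OVERRIDE_CONFIG, "kafka-cluster.example.com");  // constructed sample value

        System.out.println(saslServiceName("kafka", resolveHostOrServiceName(perHost, socketHost)));
        System.out.println(saslServiceName("kafka", resolveHostOrServiceName(shared, socketHost)));
    }
}
```

With the override set, every broker's principal must exist in the shared keytab, and the client no longer checks that the ticket is bound to the specific host it connected to; that is the trade-off the proposal accepts.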