kafka-jira mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jonathan Skrzypek (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KAFKA-6195) DNS alias support for secured connections
Date Tue, 21 Nov 2017 11:39:00 GMT

    [ https://issues.apache.org/jira/browse/KAFKA-6195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16260607#comment-16260607
] 

Jonathan Skrzypek commented on KAFKA-6195:
------------------------------------------

[~rsivaram] I think it's possible to create a keytab with multiple accounts, but in any case
the KafkaServer section in the broker jaas file only takes one principal field.
So there's only one principal presented to the client, regardless of how many there are in
the keytab.

I'm not too familiar with how KIPs are managed.
Should I create one here https://cwiki.apache.org/confluence/display/KAFKA/Kafka+Improvement+Proposals
using the template and reference this JIRA ? 

Thanks

> DNS alias support for secured connections
> -----------------------------------------
>
>                 Key: KAFKA-6195
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6195
>             Project: Kafka
>          Issue Type: Improvement
>          Components: clients
>            Reporter: Jonathan Skrzypek
>
> It seems clients can't use a dns alias in front of a secured Kafka cluster.
> So applications can only specify a list of hosts or IPs in bootstrap.servers instead
of an alias encompassing all cluster nodes.
> Using an alias in bootstrap.servers results in the following error : 
> javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials
provided (Mechanism level: Fail to create credential. (63) - No service creds)]) occurred
when evaluating SASL token received from the Kafka Broker. Kafka Client will go to AUTH_FAILED
state. [Caused by javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:
No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service
creds)]]
> When using SASL/Kerberos authentication, the kafka server principal is of the form kafka@kafka/broker1.hostname.com@EXAMPLE.COM
> Kerberos requires that the hosts can be resolved by their FQDNs.
> During SASL handshake, the client will create a SASL token and then send it to kafka
for auth.
> But to create a SASL token the client first needs to be able to validate that the broker's
kerberos is a valid one.
> There are 3 potential options :
> 1. Creating a single kerberos principal not linked to a host but to an alias and reference
it in the broker jaas file.
> But I think the kerberos infrastructure would refuse to validate it, so the SASL handshake
would still fail
> 2. Modify the client bootstrap mechanism to detect whether bootstrap.servers contains
a dns alias. If it does, resolve and expand the alias to retrieve all hostnames behind it
and add them to the list of nodes.
> This could be done by modifying parseAndValidateAddresses() in ClientUtils
> 3. Add a cluster.alias parameter that would be handled by the logic above. Having another
parameter to avoid confusion on how bootstrap.servers works behind the scene.
> Thoughts ?
> I would be happy to contribute the change for any of the options.
> I believe the ability to use a dns alias instead of static lists of brokers would bring
good deployment flexibility.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message