Stephane Maarek created KAFKA-4781:
--------------------------------------

             Summary: Kafka should return its advertised host name before any protocol verification is done
                 Key: KAFKA-4781
                 URL: https://issues.apache.org/jira/browse/KAFKA-4781
             Project: Kafka
          Issue Type: Improvement
    Affects Versions: 0.10.1.1
            Reporter: Stephane Maarek

We have a Kafka cluster and each broker advertises its hostname, e.g.

    kafka1.example.com
    kafka2.example.com
    kafka3.example.com

We have an SSL certificate for *.example.com and we have SASL principals for kafka/kafka[1,2,3].example.com.

All works well using SASL_SSL if we set the bootstrap servers as kafka1.example.com:9095,kafka2.example.com:9095,kafka3.example.com:9095.

As soon as we set the bootstrap server as localhost:9095, it doesn't work. Kerberos can't authenticate.

Also, we like to have one CNAME that points to all the brokers in a round robin fashion, say kafka.example.com. In that case, if we use kafka.example.com:9095 as our bootstrap, we get a "Server not found in Kerberos database" error as it tries to look up kafka.example.com.

I think Kafka communicates its advertised hostname after the handshake (SASL / SSL) is done, which is a problem in our case.

Would it be beneficial that on connection opening (on any port), Kafka first sends its advertised hostname? Then the SASL / SSL protocols use that advertised hostname as a starting point to do the authentication, etc.?