Stephane Maarek created KAFKA-4781:
--------------------------------------
Summary: Kafka should return its advertised host name before any
protocol verification is done
Key: KAFKA-4781
URL: https://issues.apache.org/jira/browse/KAFKA-4781
Project: Kafka
Issue Type: Improvement
Affects Versions: 0.10.1.1
Reporter: Stephane Maarek
We have a Kafka cluster and each broker advertises its hostname
e.g.
kafka1.example.com
kafka2.example.com
kafka3.example.com
We have an SSL certificate for *.example.com and we have SASL principals for
kafka/kafka[1,2,3].example.com
All works well using SASL_SSL if we set the bootstrap servers as
kafka1.example.com:9095,kafka2.example.com:9095,kafka3.example.com:9095
As soon as we set the bootstrap server as localhost:9095, it doesn't work.
Kerberos can't authenticate.
Also, we would like to have one CNAME that points to all the brokers in a
round-robin fashion, say kafka.example.com. In that case, if we use
kafka.example.com:9095 as our bootstrap, we get a "Server not found in Kerberos
database" error, as it tries to look up kafka.example.com.
I think Kafka communicates its advertised hostname after the handshake (SASL /
SSL) is done, which is a problem in our case.
Would it be beneficial if, on connection opening (on any port), Kafka first sent
its advertised hostname, and the SASL / SSL protocols then used that advertised
hostname as the starting point for authentication, etc.?
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
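The failure the reporter describes comes from how a SASL/GSSAPI client names the service it is authenticating to: the server principal is built as `<sasl.kerberos.service.name>/<host>@<REALM>`, where `<host>` is the hostname the client dialed, and that happens before any broker metadata (and so the advertised hostname) has been exchanged. The model below is an added illustration, not Kafka code and not from the reporter: it mimics only that principal-derivation rule and contrasts it with the proposal in the ticket (derive the principal from a hostname the broker announces first). The realm `EXAMPLE.COM`, the mapping of dial targets to brokers (a round-robin pick for the CNAME and a local port-forward for `localhost`) and the `use_advertised_host` switch are constructed assumptions for the example. TLS hostname verification against the `*.example.com` certificate is a separate check and is not modelled here.

```python
"""Constructed model of the SASL/GSSAPI server-principal lookup behind KAFKA-4781.

Not Kafka code. It reproduces one rule only: the client derives the service
principal from the host it dialed (current behaviour), or, under the ticket's
proposal, from the hostname the broker announces before authentication.
"""

REALM = "EXAMPLE.COM"        # assumed realm for the illustration
SERVICE_NAME = "kafka"       # the client's sasl.kerberos.service.name

# Constructed: the principals the KDC knows, matching the post's
# kafka/kafka[1,2,3].example.com.
KDC_PRINCIPALS = frozenset(
    f"{SERVICE_NAME}/kafka{i}.example.com@{REALM}" for i in (1, 2, 3)
)

# Constructed: which broker actually answers a given dial target.
# The round-robin CNAME pick and the localhost port-forward are assumptions.
DIAL_TARGET_TO_BROKER = {
    "kafka1.example.com": "kafka1.example.com",
    "kafka2.example.com": "kafka2.example.com",
    "kafka3.example.com": "kafka3.example.com",
    "kafka.example.com": "kafka2.example.com",  # round-robin pick for this run
    "localhost": "kafka1.example.com",          # assumed local port-forward
}


def parse_bootstrap(bootstrap: str) -> list[tuple[str, int]]:
    """Split a bootstrap.servers string into (host, port) pairs."""
    endpoints = []
    for entry in bootstrap.split(","):
        host, sep, port = entry.strip().rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"bad bootstrap entry: {entry!r}")
        endpoints.append((host, int(port)))
    return endpoints


def server_principal(host: str) -> str:
    """GSSAPI service principal the client will ask the KDC for."""
    return f"{SERVICE_NAME}/{host}@{REALM}"


def kerberos_auth(bootstrap: str, use_advertised_host: bool = False) -> dict[str, str]:
    """Return dial-host -> outcome for every bootstrap endpoint.

    use_advertised_host=False: principal built from the dialed host (today).
    use_advertised_host=True:  principal built from the hostname the broker
                               announces first (the ticket's proposal).
    """
    results = {}
    for dial_host, _port in parse_bootstrap(bootstrap):
        broker = DIAL_TARGET_TO_BROKER.get(dial_host)
        if broker is None:
            results[dial_host] = "connection refused"
            continue
        spn = server_principal(broker if use_advertised_host else dial_host)
        if spn in KDC_PRINCIPALS:
            results[dial_host] = f"ok ({spn})"
        else:
            results[dial_host] = f"Server not found in Kerberos database ({spn})"
    return results


if __name__ == "__main__":
    for bootstrap in (
        "kafka1.example.com:9095,kafka2.example.com:9095,kafka3.example.com:9095",
        "kafka.example.com:9095",
        "localhost:9095",
    ):
        print(bootstrap)
        print("  current :", kerberos_auth(bootstrap))
        print("  proposed:", kerberos_auth(bootstrap, use_advertised_host=True))
```

Running it shows the three direct hostnames succeeding in both modes, while the CNAME and `localhost` fail only in the current mode, because `kafka/kafka.example.com@EXAMPLE.COM` and `kafka/localhost@EXAMPLE.COM` are not principals the KDC holds. The practical caveat is that the proposal moves trust in the hostname to data the broker sends unauthenticated before the handshake, so a client would still need TLS hostname verification (or a KDC-side alias for the CNAME) to avoid being told an arbitrary principal name by whatever answered the connection.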