Yiming Zang created KAFKA-13894: ----------------------------------- Summary: Extend Kafka kerberos auth support to beyond only hostname Key: KAFKA-13894 URL: https://issues.apache.org/jira/browse/KAFKA-13894 Project: Kafka Issue Type: Improvement Reporter: Yiming Zang
{*}Problem{*}: Currently Kafka client only support using the Kafka broker hostname in the kerberos authentication process ([Source Code|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L231]). However, not all companies support per-host based keytabs. It is a common practice that a keytabs which contains a shared identity name is used instead. To support this kind of Kerberos set ups, we need to make some changes to make Kafka support a customized service name apart from just using the hostname for authentication. {*}Proposal{*}: To address this issue, we propose to add an extra client side configuration for Kerberos authentication. If user provide that configuration, we will use whatever is provided to replace the hostname, otherwise we will default back to use hostnames. Here's an example: {code:java} String kerberosServiceNameFromConfig = (String)configs.get(SaslConfigs.SASL_KERBEROS_SERVICE_NAME); String hostnameOrServiceName = (kerberosServiceNameFromConfig == null || kerberosServiceNameFromConfig.trim().isEmpty()) ? socket.getInetAddress().getHostName() : kerberosServiceNameFromConfig; authenticatorCreator = () -> buildClientAuthenticator(configs, saslCallbackHandlers.get(clientSaslMechanism), id, hostnameOrServiceName, loginManager.serviceName(), transportLayer, subjects.get(clientSaslMechanism));{code} -- This message was sent by Atlassian Jira (v8.20.7#820007)