Yiming Zang created KAFKA-13894:
-----------------------------------

             Summary: Extend Kafka kerberos auth support to beyond only hostname
                 Key: KAFKA-13894
                 URL: https://issues.apache.org/jira/browse/KAFKA-13894
             Project: Kafka
          Issue Type: Improvement
            Reporter: Yiming Zang


{*}Problem{*}:

Currently the Kafka client only supports using the Kafka broker hostname in the 
Kerberos authentication process ([Source 
Code|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L231]).

However, not all companies support per-host keytabs. It is a common 
practice that a keytab containing a shared identity name is used instead. 
To support this kind of Kerberos setup, we need to make some changes so that 
Kafka supports a customized service name apart from just using the hostname for 
authentication.

{*}Proposal{*}:

To address this issue, we propose to add an extra client-side configuration for 
Kerberos authentication. If the user provides that configuration, we will use 
whatever is provided to replace the hostname; otherwise we will default back to 
using hostnames. Here's an example:

{code:java}
// Proposed: read the optional override from the client configs
String kerberosServiceNameFromConfig =
    (String) configs.get(SaslConfigs.SASL_KERBEROS_SERVICE_NAME);

// Fall back to the socket's hostname when the override is absent or blank
String hostnameOrServiceName = (kerberosServiceNameFromConfig == null ||
    kerberosServiceNameFromConfig.trim().isEmpty())
        ? socket.getInetAddress().getHostName()
        : kerberosServiceNameFromConfig;

// Pass the resolved name where the hostname was passed before
authenticatorCreator = () -> buildClientAuthenticator(configs,
  saslCallbackHandlers.get(clientSaslMechanism),
  id,
  hostnameOrServiceName,
  loginManager.serviceName(),
  transportLayer,
  subjects.get(clientSaslMechanism));{code}
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
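The peer-name resolution described in the proposal above, as an added example that is not Kafka's code or the reporter's: it models the "override if configured, else socket hostname" rule, shows the host-based service name the JDK's GSSAPI SaslClient targets (service@host) and the Kerberos principal the KDC is asked for (service/host@REALM), and adds a check that the override cannot change the principal's structure. The property name `sasl.kerberos.peer.name.override`, the broker hostnames and the realm are assumptions made for illustration, not names from the ticket.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example, not Kafka code: models the client-side choice of Kerberos
 * peer name from the proposal and shows which service principal results.
 * Property name, hostnames and realm are assumptions for illustration.
 */
public class KerberosPeerNameExample {

    /** Existing Kafka property: primary part of the broker principal. */
    static final String SASL_KERBEROS_SERVICE_NAME = "sasl.kerberos.service.name";

    /** Hypothetical name for the override property proposed in the ticket. */
    static final String SASL_KERBEROS_PEER_NAME_OVERRIDE = "sasl.kerberos.peer.name.override";

    /**
     * The value is spliced into "service/host@REALM"; a '/', '@' or whitespace
     * would change the principal's structure, so only DNS-style labels pass.
     */
    private static final Pattern SAFE_PEER_NAME = Pattern.compile("[A-Za-z0-9.-]+");

    /** Override if configured and non-blank, otherwise the socket's hostname. */
    static String resolvePeerName(Map<String, ?> configs, String socketHostName) {
        Object raw = configs.get(SASL_KERBEROS_PEER_NAME_OVERRIDE);
        if (raw == null || raw.toString().trim().isEmpty()) {
            return socketHostName;
        }
        String override = raw.toString().trim();
        if (!SAFE_PEER_NAME.matcher(override).matches()) {
            throw new IllegalArgumentException(
                "Invalid " + SASL_KERBEROS_PEER_NAME_OVERRIDE + ": " + override);
        }
        return override;
    }

    /** Host-based service name the JDK GSSAPI SaslClient targets: "service@host". */
    static String gssapiTargetName(String serviceName, String peerName) {
        return serviceName + "@" + peerName;
    }

    /** Kerberos principal the client requests a service ticket for. */
    static String servicePrincipal(String serviceName, String peerName, String realm) {
        return serviceName + "/" + peerName + "@" + realm;
    }

    public static void main(String[] args) {
        String realm = "EXAMPLE.COM";                                  // assumed realm
        String[] brokers = {"broker1.example.com", "broker2.example.com"}; // assumed hosts

        // Default: per-host keytabs, one principal per broker.
        Map<String, Object> perHost = Map.of(SASL_KERBEROS_SERVICE_NAME, "kafka");
        // Proposed: one shared identity used by every broker.
        Map<String, Object> shared = Map.of(
            SASL_KERBEROS_SERVICE_NAME, "kafka",
            SASL_KERBEROS_PEER_NAME_OVERRIDE, "kafka-shared");

        List<Map<String, Object>> cases = List.of(perHost, shared);
        for (Map<String, Object> cfg : cases) {
            String service = cfg.get(SASL_KERBEROS_SERVICE_NAME).toString();
            System.out.println(cfg.containsKey(SASL_KERBEROS_PEER_NAME_OVERRIDE)
                ? "shared identity:" : "per-host keytab:");
            for (String broker : brokers) {
                String peer = resolvePeerName(cfg, broker);
                System.out.printf("  %-20s -> %-24s -> %s%n", broker,
                    gssapiTargetName(service, peer), servicePrincipal(service, peer, realm));
            }
        }
        // With the override every broker maps to kafka/kafka-shared@EXAMPLE.COM:
        // mutual authentication still proves the peer holds the shared keytab,
        // but no longer that it is the particular broker the socket was opened to.

        // A value that would alter the principal structure is rejected up front.
        try {
            resolvePeerName(Map.of(SASL_KERBEROS_PEER_NAME_OVERRIDE, "evil@OTHER.REALM"), brokers[0]);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `java KerberosPeerNameExample.java` (Java 11 or later). The trade-off the output makes visible is the one a reviewer of this change should weigh: a shared peer name keeps the KDC-mediated proof that the broker holds the shared keytab, but collapses all brokers into one identity, so the hostname-binding that per-host principals give is gone by design.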