Badai Aqrandista created KAFKA-8562:
---------------------------------------

             Summary: SASL_SSL still performs reverse DNS lookup despite KAFKA-5051
                 Key: KAFKA-8562
                 URL: https://issues.apache.org/jira/browse/KAFKA-8562
             Project: Kafka
          Issue Type: Bug
            Reporter: Badai Aqrandista


When using SASL_SSL, the Kafka client performs a reverse DNS lookup to resolve 
IP to DNS. So, this circumvents the security fix made in KAFKA-5051. 

This is the line of code from AK 2.2 where it performs the lookup:

https://github.com/apache/kafka/blob/2.2.0/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L205

The following log messages show that the consumer initially tried to connect 
with IP address 10.0.2.15. Then suddenly it created SaslClient with a hostname:

{code:java}
[2019-06-18 06:23:36,486] INFO Kafka commitId: 00d486623990ed9d (org.apache.kafka.common.utils.AppInfoParser)
[2019-06-18 06:23:36,487] DEBUG [Consumer clientId=KafkaStore-reader-_schemas, groupId=schema-registry-10.0.2.15-18081] Kafka consumer initialized (org.apache.kafka.clients.consumer.KafkaConsumer)
[2019-06-18 06:23:36,505] DEBUG [Consumer clientId=KafkaStore-reader-_schemas, groupId=schema-registry-10.0.2.15-18081] Initiating connection to node 10.0.2.15:19094 (id: -1 rack: null) using address /10.0.2.15 (org.apache.kafka.clients.NetworkClient)
[2019-06-18 06:23:36,512] DEBUG Set SASL client state to SEND_APIVERSIONS_REQUEST (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
[2019-06-18 06:23:36,515] DEBUG Creating SaslClient: client=null;service=kafka;serviceHostname=quickstart.confluent.io;mechs=[PLAIN] (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
{code}

Thanks
Badai



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
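
A log check for the symptom reported above, as an added example that is not part of the original message or of the Kafka code base: it pairs each NetworkClient "Initiating connection" line with the next "Creating SaslClient" line and flags clients that dialed an IP literal but built the SaslClient with a different serviceHostname. Pairing by adjacency is an assumption that fits a single connection, as in the report's log; the function names and the sample constant are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the two relevant DEBUG lines from the report, unwrapped.
SAMPLE_LOG = """\
[2019-06-18 06:23:36,505] DEBUG [Consumer clientId=KafkaStore-reader-_schemas, groupId=schema-registry-10.0.2.15-18081] Initiating connection to node 10.0.2.15:19094 (id: -1 rack: null) using address /10.0.2.15 (org.apache.kafka.clients.NetworkClient)
[2019-06-18 06:23:36,515] DEBUG Creating SaslClient: client=null;service=kafka;serviceHostname=quickstart.confluent.io;mechs=[PLAIN] (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
"""

# Host part of the node the client was configured to dial.
CONNECT_RE = re.compile(r"Initiating connection to node (\S+):\d+ \(id:")
# Hostname handed to the SASL client for this connection.
SASL_RE = re.compile(r"Creating SaslClient: .*?serviceHostname=([^;\s]+)")


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def find_reverse_dns_hostnames(log_text):
    """Return (configured_host, service_hostname) pairs where the node was
    an IP literal but the SaslClient was created with a different name,
    i.e. the name came from a lookup and not from the configuration."""
    findings = []
    last_node = None  # assumption: the next SaslClient line belongs to it
    for line in log_text.splitlines():
        connect = CONNECT_RE.search(line)
        if connect:
            last_node = connect.group(1)
            continue
        sasl = SASL_RE.search(line)
        if sasl and last_node is not None:
            service_host = sasl.group(1)
            if is_ip_literal(last_node) and service_host != last_node:
                findings.append((last_node, service_host))
            last_node = None
    return findings


if __name__ == "__main__":
    for configured, resolved in find_reverse_dns_hostnames(SAMPLE_LOG):
        print(f"configured {configured} but SASL serviceHostname={resolved}")
```

With many concurrent connections the two lines can interleave, so treat a hit as a lead to confirm against the client configuration rather than as proof.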
