Hi,

I’m wondering if the official Kafka documentation is misleading. Here
(https://kafka.apache.org/documentation/#security_sasl_brokernotes) you can
read:

   1. Client section is used to authenticate a SASL connection with
   zookeeper. It also allows the brokers to set SASL ACL on zookeeper nodes
   which locks these nodes down so that only the brokers can modify it. *It
   is necessary to have the same principal name across all brokers.* If you
   want to use a section name other than Client, set the system property
   zookeeper.sasl.client to the appropriate name (*e.g.*,
   -Dzookeeper.sasl.client=ZkClient).

And then right here
https://kafka.apache.org/documentation/#security_sasl_kerberos_brokerconfig the
suggested JAAS file is:

        // Zookeeper client authentication
        Client {
            com.sun.security.auth.module.Krb5LoginModule required
            useKeyTab=true
            storeKey=true
            keyTab="/etc/security/keytabs/kafka_server.keytab"
            principal="kafka/kafka1.hostname....@example.com";
        };

Which in my opinion shows that every broker should have a different
principal name to connect to Zookeeper. Is that misleading, or am I missing
something?

Thanks,
Stephane
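
Added example, not part of the original message and not Kafka or ZooKeeper code: a small Python model of why the principal name matters once brokers set SASL ACLs on znodes. The hostnames and realm are constructed, the creator-owned plus world-readable ACL layout is an assumption, and the two normalisation flags model ZooKeeper's server-side `kerberos.removeHostFromPrincipal` and `kerberos.removeRealmFromPrincipal` settings, which go beyond what the message quotes.

```python
# Model (not ZooKeeper source) of how a SASL-authenticated identity is matched
# against a znode ACL. Hostnames and realm below are constructed sample values.
from dataclasses import dataclass


def sasl_id(principal: str, remove_host: bool = False, remove_realm: bool = False) -> str:
    """Return the id the ZooKeeper server would record for a Kerberos principal.

    remove_host / remove_realm model the server-side settings
    kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal.
    """
    name, _, realm = principal.partition("@")
    primary, _, host = name.partition("/")
    out = primary if (remove_host or not host) else f"{primary}/{host}"
    return out if (remove_realm or not realm) else f"{out}@{realm}"


@dataclass(frozen=True)
class Acl:
    scheme: str
    ident: str
    perms: frozenset


def creator_acl(creator_id: str) -> list:
    # Assumed layout: the creator gets full control, everyone else may only read.
    return [Acl("sasl", creator_id, frozenset("cdrwa")),
            Acl("world", "anyone", frozenset("r"))]


def can_modify(acl: list, client_id: str) -> bool:
    """True if any ACL entry matching this client grants write permission."""
    for a in acl:
        matches = a.scheme == "world" or (a.scheme == "sasl" and a.ident == client_id)
        if matches and "w" in a.perms:
            return True
    return False


def brokers_able_to_modify(principals, **normalise) -> list:
    """The first principal creates the znode; return which principals may write it."""
    ids = [sasl_id(p, **normalise) for p in principals]
    acl = creator_acl(ids[0])
    return [p for p, i in zip(principals, ids) if can_modify(acl, i)]


PER_HOST = ["kafka/broker1.test@EXAMPLE.COM", "kafka/broker2.test@EXAMPLE.COM"]
SHARED = ["kafka@EXAMPLE.COM", "kafka@EXAMPLE.COM"]
```

In this model, per-host principals leave only the creating broker able to modify the znode unless the server normalises the names; a shared principal lets every broker modify it.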
