Details
Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 0.10.1.1
Fix Version/s: None
Component/s: None
Labels: None
Description
We have a Kafka cluster and each broker advertises its hostname
e.g.
kafka1.example.com
kafka2.example.com
kafka3.example.com
We have an SSL certificate for *.example.com and we have SASL principals for kafka/kafka[1,2,3].example.com
All works well using SASL_SSL if we set the bootstrap servers as kafka1.example.com:9095,kafka2.example.com:9095,kafka3.example.com:9095
As soon as we set the bootstrap server as localhost:9095, it doesn't work. Kerberos can't authenticate.
Also, we would like to have one CNAME that points to all the brokers in a round-robin fashion, say kafka.example.com. In that case, if we use kafka.example.com:9095 as our bootstrap, we get a "Server not found in Kerberos database" error, as it tries to look up kafka.example.com.
I think Kafka communicates its advertised hostname after the handshake (SASL / SSL) is done, which is a problem in our case.
Would it be beneficial if, on connection opening (on any port), Kafka first sent its advertised hostname, and the SASL / SSL protocols then used that advertised hostname as the starting point for authentication?
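The failure the reporter describes comes from how the client derives the Kerberos service principal it asks the KDC for: the configured service name joined with the hostname exactly as it appears in bootstrap.servers, with no DNS canonicalization. The pre-flight check below is an added example, not code from the issue or from the Kafka project; it parses a bootstrap.servers string, builds the principal the client would request for each entry, and compares it against a constructed set of principals standing in for what the KDC knows. The realm EXAMPLE.COM and the principal set are assumptions made for the example. Run on the three configurations from the report, it shows why the per-broker hostnames succeed while localhost and the round-robin CNAME do not.

```python
"""Pre-flight check for SASL/GSSAPI Kafka clients: which service principal will
the client request for each bootstrap server, and does the KDC know it?"""
from typing import Dict, List, Tuple


def parse_bootstrap(bootstrap_servers: str) -> List[Tuple[str, int]]:
    """Split a bootstrap.servers string into (host, port) pairs.

    Accepts "host:port,host:port" and bracketed IPv6 literals "[::1]:9095".
    """
    pairs = []
    for entry in bootstrap_servers.split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"malformed bootstrap entry: {entry!r}")
        pairs.append((host.strip("[]"), int(port)))
    return pairs


def requested_principal(service_name: str, host: str, realm: str) -> str:
    """Principal the client asks the KDC for: <service>/<host-as-typed>@<REALM>.

    The host is used verbatim, which is why a CNAME such as kafka.example.com
    or the literal "localhost" yields a principal no broker was issued.
    """
    return f"{service_name}/{host}@{realm}"


def check_bootstrap(bootstrap_servers: str,
                    kdc_principals: set,
                    service_name: str = "kafka",
                    realm: str = "EXAMPLE.COM") -> Dict[str, Tuple[str, bool]]:
    """Map each bootstrap host to (principal requested, known to KDC?)."""
    report = {}
    for host, _port in parse_bootstrap(bootstrap_servers):
        spn = requested_principal(service_name, host, realm)
        report[host] = (spn, spn in kdc_principals)
    return report


def unresolvable_hosts(bootstrap_servers: str, kdc_principals: set) -> List[str]:
    """Bootstrap hosts whose derived principal the KDC would reject."""
    report = check_bootstrap(bootstrap_servers, kdc_principals)
    return [host for host, (_spn, known) in report.items() if not known]


# Constructed stand-in for the KDC database: one principal per broker, as in
# the report (kafka/kafka1..3.example.com). The realm is an assumption.
KDC_PRINCIPALS = {
    "kafka/kafka1.example.com@EXAMPLE.COM",
    "kafka/kafka2.example.com@EXAMPLE.COM",
    "kafka/kafka3.example.com@EXAMPLE.COM",
}

PER_BROKER = "kafka1.example.com:9095,kafka2.example.com:9095,kafka3.example.com:9095"
LOCALHOST = "localhost:9095"
ROUND_ROBIN = "kafka.example.com:9095"

if __name__ == "__main__":
    for label, servers in (("per-broker", PER_BROKER),
                           ("localhost", LOCALHOST),
                           ("round-robin CNAME", ROUND_ROBIN)):
        for host, (spn, known) in check_bootstrap(servers, KDC_PRINCIPALS).items():
            status = "ok" if known else "Server not found in Kerberos database"
            print(f"{label:18} {host:22} -> {spn:45} {status}")
```

The check is cheap to run from the same host as the client before touching the cluster, and it makes the mismatch concrete: authentication is decided on the name the client dialled, not on whatever hostname the broker later advertises in metadata.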