Details
-
Improvement
-
Status: Open
-
Critical
-
Resolution: Unresolved
-
None
-
None
-
None
Description
Problem:
Currently Kafka client only support using the Kafka broker hostname in the kerberos authentication process (Source Code).
However, not all companies support per-host based keytabs. It is a common practice that a keytabs which contains a shared identity name is used instead. To support this kind of Kerberos set ups, we need to make some changes to make Kafka support a customized service name apart from just using the hostname for authentication.
Proposal:
To address this issue, we propose to add an extra client side configuration for Kerberos authentication. If user provide that configuration, we will use whatever is provided to replace the hostname, otherwise we will default back to use hostnames. Here's an example:
String kerberosServiceNameFromConfig = (String)configs.get(SaslConfigs.SASL_KERBEROS_SERVICE_NAME); String hostnameOrServiceName = (kerberosServiceNameFromConfig == null || kerberosServiceNameFromConfig.trim().isEmpty()) ? socket.getInetAddress().getHostName() : kerberosServiceNameFromConfig; authenticatorCreator = () -> buildClientAuthenticator(configs, saslCallbackHandlers.get(clientSaslMechanism), id, hostnameOrServiceName, loginManager.serviceName(), transportLayer, subjects.get(clientSaslMechanism));