  1. Kafka
  2. KAFKA-8562

SASL_SSL still performs reverse DNS lookup despite KAFKA-5051

Details

    • Bug
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • None
    • 2.7.2, 2.8.1, 3.0.0
    • None
    • None

    Description

      When using SASL_SSL, the Kafka client performs a reverse DNS lookup to resolve IP to DNS. So, this circumvents the security fix made in KAFKA-5051.

      This is the line of code from AK 2.2 where it performs the lookup:

      https://github.com/apache/kafka/blob/2.2.0/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L205

      The following log messages show that the consumer initially tried to connect with IP address 10.0.2.15. Then suddenly it created SaslClient with a hostname:

      [2019-06-18 06:23:36,486] INFO Kafka commitId: 00d486623990ed9d (org.apache.kafka.common.utils.AppInfoParser)
      [2019-06-18 06:23:36,487] DEBUG [Consumer clientId=KafkaStore-reader-_schemas, groupId=schema-registry-10.0.2.15-18081] Kafka consumer initialized (org.apache.kafka.clients.consumer.KafkaConsumer)
      [2019-06-18 06:23:36,505] DEBUG [Consumer clientId=KafkaStore-reader-_schemas, groupId=schema-registry-10.0.2.15-18081] Initiating connection to node 10.0.2.15:19094 (id: -1 rack: null) using address /10.0.2.15 (org.apache.kafka.clients.NetworkClient)
      [2019-06-18 06:23:36,512] DEBUG Set SASL client state to SEND_APIVERSIONS_REQUEST (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
      [2019-06-18 06:23:36,515] DEBUG Creating SaslClient: client=null;service=kafka;serviceHostname=quickstart.confluent.io;mechs=[PLAIN] (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
      

      Thanks
      Badai
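
One way to check a client's DEBUG log for the behaviour reported above, as an added example that is not part of the original issue or of the Kafka code base: it pairs each `Initiating connection to node` line with the next `Creating SaslClient` line and flags cases where the node was an IP literal but `serviceHostname` is a name. The function names and the assumption that the two lines appear in order for one connection at a time are assumptions of this example.

```python
import ipaddress
import re

# Two DEBUG lines copied from the report above (single client log, in order).
REPORTED_LOG = "\n".join([
    "[2019-06-18 06:23:36,505] DEBUG [Consumer clientId=KafkaStore-reader-_schemas, "
    "groupId=schema-registry-10.0.2.15-18081] Initiating connection to node "
    "10.0.2.15:19094 (id: -1 rack: null) using address /10.0.2.15 "
    "(org.apache.kafka.clients.NetworkClient)",
    "[2019-06-18 06:23:36,515] DEBUG Creating SaslClient: client=null;service=kafka;"
    "serviceHostname=quickstart.confluent.io;mechs=[PLAIN] "
    "(org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)",
])

CONNECT_RE = re.compile(r"Initiating connection to node (\S+):(\d+) \(id:")
SASL_RE = re.compile(r"Creating SaslClient: .*?\bserviceHostname=([^;\s]+)")


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def find_reverse_lookups(log_text):
    """Return (node_ip, service_hostname) pairs where the client connected to
    an IP literal but built its SaslClient with a DNS name."""
    findings = []
    pending_node = None  # host of the most recent connection attempt
    for line in log_text.splitlines():
        connect = CONNECT_RE.search(line)
        if connect:
            pending_node = connect.group(1)
            continue
        sasl = SASL_RE.search(line)
        if sasl and pending_node is not None:
            name = sasl.group(1)
            # IP configured, name used for SASL: the name came from a lookup.
            if is_ip_literal(pending_node) and not is_ip_literal(name):
                findings.append((pending_node, name))
            pending_node = None
    return findings


if __name__ == "__main__":
    for ip, name in find_reverse_lookups(REPORTED_LOG):
        print(f"node {ip} -> serviceHostname {name}")
```

With several connections interleaved in one log the pairing is approximate, so treat a hit as a prompt to inspect the surrounding lines.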

            People

              dpoldrugo Davor Poldrugo
              badai Badai Aqrandista