[PR] KAFKA-15814 Patched the SASL/GSSAPI server construction [kafka]

Mon, 13 Nov 2023 10:00:54 -0800 


piotrsmolinski opened a new pull request, #14748:
URL: https://github.com/apache/kafka/pull/14748

   The patch fixes how the SASL/GSSAPI server is created in Kafka brokers. 
   As described in the JIRA ticket, Kafka forces client JAAS configuration for 
both client and server side.
   This patch removes the constraint and allows to accept authentication 
addressed at different hosts.
   If the listener is used for the inter-broker communication, it must stay in 
the current form.
   
   Assume that Kafka cluster is accessible using `CLIENT` listener that each 
broker is accessible at `b-N.kafka.sample.home.arpa:9092` (N is broker id). For 
convenience the bootstrap uses load balanced endpoint 
`kafka.sample.home.arpa:9092`  that distributes the traffic to the active 
brokers.
   
   After this patch it is possible to configure the listener's JAAS 
configuration to use wildcard principal:
   
   ```
   
listener.name.client.gssapi.sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule
 required
     useKeyTab=true
     storeKey=true
     keyTab="/etc/kafka/security/kafka.keytab"
     principal="*"
     isInitiator=false
   ; 
   ```
   
   The goal of this patch is to enable wildcard principal and acceptor-only 
mode (isInitiator=false).
   
   The keytab must contain entries for SPNs on all acceptable service FQDNs, 
i.e. on broker 0 we must have entries for both 
`kafka/kafka.sample.home.arpa@DOMAIN` and 
`kafka/b-0.kafka.sample.home.arpa@DOMAIN`.
   
   The patch does not change behavior of the existing configurations.
   
   For this patch the only reasonable testing strategy is manual one. That's 
the reason that even if the solution was already known 3 years ago, the code 
has not been submitted.
   
   Any ideas for automated testing of this change are warmly welcome.
   
   The comparison for various ways to configure SASL:
   
   
https://github.com/piotrsmolinski/kerberos-sandbox/blob/main/src/test/java/io/confluent/sandbox/kerberos/KerberosTest.java
   
   ### Committer Checklist (excluded from commit message)
   - [x] Verify design and implementation 
   - [x] Verify test coverage and CI build status
   - [x] Verify documentation (including upgrade notes)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to