lh0156 opened a new pull request, #22568: URL: https://github.com/apache/kafka/pull/22568
### Summary

This patch avoids a broker-side reverse DNS lookup when creating Kafka's built-in non-GSSAPI `SaslServer` instances.

The blocking path reported in KAFKA-19919 is:

`KafkaChannel.prepare()` -> `SaslServerAuthenticator#createSaslServer()` -> `serverAddress().getHostName()`

`InetAddress#getHostName()` may perform a reverse DNS lookup on the network thread during connection preparation.

### Change

For Kafka's built-in non-GSSAPI server mechanisms:

- `PLAIN`
- `SCRAM-SHA-256`
- `SCRAM-SHA-512`
- `OAUTHBEARER`

the `Sasl.createSaslServer` `serverName` argument is now passed as `null`, using Java SASL's unbound server-name form. Kafka's built-in server implementations for these mechanisms do not use the `serverName` argument.

The GSSAPI/Kerberos path is unchanged because it derives the service host from the Kerberos service principal. Custom non-GSSAPI mechanisms are also left on the existing path and continue to receive `serverAddress().getHostName()`.

### Tests

Added focused coverage in `SaslServerAuthenticatorTest` for:

- built-in non-GSSAPI mechanisms using an unbound `serverName`
- built-in non-GSSAPI creation not reading the socket local address
- custom non-GSSAPI mechanisms preserving the existing hostname behavior

Verified locally with:

```bash
./gradlew clients:test --tests org.apache.kafka.common.security.authenticator.SaslServerAuthenticatorTest
```

Result:

```text
BUILD SUCCESSFUL
```
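A sketch of the selection rule described in the message above, added here as an illustration and not taken from the Kafka patch. The helper `serverNameFor`, the counting supplier, the `CUSTOM-MECH` name and the sample address are assumptions; the GSSAPI path, which the description leaves unchanged, is not modelled.

```java
import java.net.InetAddress;
import java.util.List;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;

public class SaslServerNameSelection {
    // Built-in non-GSSAPI mechanisms named in the PR description.
    static final Set<String> BUILT_IN_NON_GSSAPI =
            Set.of("PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512", "OAUTHBEARER");

    // Hypothetical helper: picks the serverName argument for
    // Sasl.createSaslServer on the non-GSSAPI path. The local address is
    // supplied lazily so the built-in branch never touches it.
    static String serverNameFor(String mechanism, Supplier<InetAddress> localAddress) {
        if (BUILT_IN_NON_GSSAPI.contains(mechanism)) {
            return null; // unbound server name: no address read, no DNS query
        }
        // Custom mechanisms keep the hostname; getHostName() may block on
        // a reverse DNS lookup when the address carries no name yet.
        return localAddress.get().getHostName();
    }

    public static void main(String[] args) throws Exception {
        AtomicInteger addressReads = new AtomicInteger();
        // Constructed address: the host name is given up front, so
        // getHostName() returns it without a resolver query (runs offline).
        InetAddress local = InetAddress.getByAddress(
                "broker1.example.test", new byte[] {10, 0, 0, 1});
        Supplier<InetAddress> counted = () -> {
            addressReads.incrementAndGet();
            return local;
        };
        for (String mechanism : List.of("PLAIN", "SCRAM-SHA-256",
                "SCRAM-SHA-512", "OAUTHBEARER", "CUSTOM-MECH")) {
            int before = addressReads.get();
            String serverName = serverNameFor(mechanism, counted);
            System.out.printf("%-14s serverName=%-22s addressRead=%b%n",
                    mechanism, serverName, addressReads.get() > before);
        }
    }
}
```

Counting reads of the address supplier is one way to check the "not reading the socket local address" property without depending on resolver behaviour in the test environment.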
