lh0156 opened a new pull request, #22569:
URL: https://github.com/apache/kafka/pull/22569

   ### Summary
   
   This patch avoids a broker-side reverse DNS lookup when creating Kafka's built-in non-GSSAPI `SaslServer` instances.
   
   The blocking path reported in KAFKA-19919 is:
   
   `KafkaChannel.prepare()` -> `SaslServerAuthenticator#createSaslServer()` -> `serverAddress().getHostName()`
   
   `InetAddress#getHostName()` may perform a reverse DNS lookup on the network thread during connection preparation.
   
   ### Change
   
   For Kafka's built-in non-GSSAPI server mechanisms:
   
   - `PLAIN`
   - `SCRAM-SHA-256`
   - `SCRAM-SHA-512`
   - `OAUTHBEARER`
   
   the `Sasl.createSaslServer` `serverName` argument is now passed as `null`, using Java SASL's unbound server-name form. Kafka's built-in server implementations for these mechanisms do not use the `serverName` argument.
   
   The GSSAPI/Kerberos path is unchanged because it derives the service host from the Kerberos service principal. Custom non-GSSAPI mechanisms are also left on the existing path and continue to receive `serverAddress().getHostName()`.
   
   ### Tests
   
   Added focused coverage for:
   
   - built-in non-GSSAPI success, null-return, and exception paths
   - multiple enabled mechanisms where the client-selected mechanism is built-in
   - custom non-GSSAPI success, null-return, and exception paths preserving the existing hostname behavior
   - GSSAPI/Kerberos success, null-return, exception, missing-principal, and invalid-principal paths
   - unsupported SASL mechanism requests
   - direct factory creation with a null `serverName` for PLAIN, SCRAM, and OAUTHBEARER
   
   Verified locally with:
   
   ```bash
   ./gradlew clients:test \
     --tests org.apache.kafka.common.security.authenticator.SaslServerAuthenticatorTest \
     --tests org.apache.kafka.common.security.plain.internals.PlainSaslServerTest \
     --tests org.apache.kafka.common.security.scram.internals.ScramSaslServerTest \
     --tests org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslServerTest
   ```
   
   Result:
   
   ```text
   BUILD SUCCESSFUL
   ```
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

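
The server-name selection described under "Change" above, as an added sketch that is not code from the pull request or from Kafka. The helper `serverNameFor`, the class name, the `X-CUSTOM` mechanism and the host name `broker-1.example.test` are assumptions made for illustration; the reverse lookup is replaced by a counting stub so the example runs offline and shows that the built-in mechanisms never reach it.

```java
import java.util.List;
import java.util.Set;
import java.util.function.Supplier;

public class SaslServerNameSelection {
    // The built-in non-GSSAPI mechanisms listed in the PR description.
    static final Set<String> BUILT_IN_NON_GSSAPI =
        Set.of("PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512", "OAUTHBEARER");

    /**
     * Hypothetical helper (not Kafka's code): picks the serverName argument for
     * Sasl.createSaslServer for a non-GSSAPI mechanism. The lookup is passed as a
     * Supplier so it only runs when a mechanism actually needs the host name.
     */
    static String serverNameFor(String mechanism, Supplier<String> reverseLookup) {
        if ("GSSAPI".equals(mechanism)) {
            throw new IllegalArgumentException("GSSAPI takes its host from the service principal");
        }
        if (BUILT_IN_NON_GSSAPI.contains(mechanism)) {
            return null; // Java SASL's unbound server-name form; no lookup performed
        }
        return reverseLookup.get(); // custom mechanisms keep the existing behaviour
    }

    public static void main(String[] args) {
        int[] lookups = {0};
        // Stand-in for serverAddress().getHostName(): counts calls instead of
        // hitting DNS. "broker-1.example.test" is a constructed value.
        Supplier<String> reverseLookup = () -> {
            lookups[0]++;
            return "broker-1.example.test";
        };
        // "X-CUSTOM" is a constructed name for a custom non-GSSAPI mechanism.
        for (String mech : List.of("PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512", "OAUTHBEARER", "X-CUSTOM")) {
            String serverName = serverNameFor(mech, reverseLookup);
            System.out.printf("%-14s serverName=%-22s lookups so far=%d%n", mech, serverName, lookups[0]);
        }
        // Only the custom mechanism should have triggered the lookup.
        if (lookups[0] != 1) {
            throw new AssertionError("expected exactly one lookup, got " + lookups[0]);
        }
    }
}
```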