[jira] [Commented] (KAFKA-8562) SASL_SSL still performs reverse DNS lookup despite KAFKA-5051

2019-08-27 Thread Rajini Sivaram (Jira)


[ 
https://issues.apache.org/jira/browse/KAFKA-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916481#comment-16916481
 ] 

Rajini Sivaram commented on KAFKA-8562:
---

This is a duplicate of https://issues.apache.org/jira/browse/KAFKA-7188

> SASL_SSL still performs reverse DNS lookup despite KAFKA-5051
> -
>
> Key: KAFKA-8562
> URL: https://issues.apache.org/jira/browse/KAFKA-8562
> Project: Kafka
> Issue Type: Bug
> Reporter: Badai Aqrandista
> Priority: Minor
>
> When using SASL_SSL, the Kafka client performs a reverse DNS lookup to 
> resolve IP to DNS. So, this circumvents the security fix made in KAFKA-5051. 
> This is the line of code from AK 2.2 where it performs the lookup:
> https://github.com/apache/kafka/blob/2.2.0/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L205
> Following log messages show that consumer initially tried to connect with IP 
> address 10.0.2.15. Then suddenly it created SaslClient with a hostname:
> {code:java}
> [2019-06-18 06:23:36,486] INFO Kafka commitId: 00d486623990ed9d 
> (org.apache.kafka.common.utils.AppInfoParser)
> [2019-06-18 06:23:36,487] DEBUG [Consumer 
> clientId=KafkaStore-reader-_schemas, groupId=schema-registry-10.0.2.15-18081] 
> Kafka consumer initialized (org.apache.kafka.clients.consumer.KafkaConsumer)
> [2019-06-18 06:23:36,505] DEBUG [Consumer 
> clientId=KafkaStore-reader-_schemas, groupId=schema-registry-10.0.2.15-18081] 
> Initiating connection to node 10.0.2.15:19094 (id: -1 rack: null) using 
> address /10.0.2.15 (org.apache.kafka.clients.NetworkClient)
> [2019-06-18 06:23:36,512] DEBUG Set SASL client state to 
> SEND_APIVERSIONS_REQUEST 
> (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
> [2019-06-18 06:23:36,515] DEBUG Creating SaslClient: 
> client=null;service=kafka;serviceHostname=quickstart.confluent.io;mechs=[PLAIN]
>  (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
> {code}
> Thanks
> Badai



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
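
A detection check for the behaviour shown in the quoted log, as an added example that is not part of the original thread or of Kafka's code: it flags a client that was pointed at an IP literal but created its SaslClient with a hostname. The pairing of each "Creating SaslClient" line with the most recent "Initiating connection" line is an assumed heuristic, and the sample input is the report's DEBUG lines unwrapped to one event per line.

```python
import ipaddress
import re

# Constructed sample: the DEBUG lines from the report, one event per line.
SAMPLE_LOG = """\
[2019-06-18 06:23:36,505] DEBUG [Consumer clientId=KafkaStore-reader-_schemas, groupId=schema-registry-10.0.2.15-18081] Initiating connection to node 10.0.2.15:19094 (id: -1 rack: null) using address /10.0.2.15 (org.apache.kafka.clients.NetworkClient)
[2019-06-18 06:23:36,512] DEBUG Set SASL client state to SEND_APIVERSIONS_REQUEST (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
[2019-06-18 06:23:36,515] DEBUG Creating SaslClient: client=null;service=kafka;serviceHostname=quickstart.confluent.io;mechs=[PLAIN] (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
"""

CONNECT = re.compile(r"Initiating connection to node (?P<host>\S+):(?P<port>\d+) ")
SASL = re.compile(r"Creating SaslClient: .*?serviceHostname=(?P<name>[^;\s]+)")


def is_ip_literal(value):
    """True if value parses as an IPv4 or IPv6 address (brackets allowed)."""
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False


def find_reverse_lookups(log_text):
    """Return (configured_ip, service_hostname) pairs that imply a reverse lookup.

    Heuristic (assumption): a "Creating SaslClient" line belongs to the most
    recent "Initiating connection" line, because the SASL line has no node id.
    """
    findings = []
    last_target = None
    for line in log_text.splitlines():
        match = CONNECT.search(line)
        if match:
            last_target = match.group("host")
            continue
        match = SASL.search(line)
        if match and last_target is not None:
            name = match.group("name")
            # Configured with an IP literal but authenticating against a name:
            # the name came from a reverse lookup of that IP.
            if is_ip_literal(last_target) and not is_ip_literal(name):
                findings.append((last_target, name))
            last_target = None
    return findings


if __name__ == "__main__":
    for ip, name in find_reverse_lookups(SAMPLE_LOG):
        print(f"{ip} -> {name}: serviceHostname derived by reverse DNS")
```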


[jira] [Commented] (KAFKA-8562) SASL_SSL still performs reverse DNS lookup despite KAFKA-5051

2019-08-21 Thread Manikumar (Jira)


[ 
https://issues.apache.org/jira/browse/KAFKA-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16912437#comment-16912437
 ] 

Manikumar commented on KAFKA-8562:
--

In case of SASL, hostname is used in 
[SaslClientAuthenticator|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L203]
and 
[SslTransportLayer|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/com]
instances.
I think in case of SaslClient, broker hostname must match with the hostname in 
`principal/hostname@realm`. So we need to still do DNS lookup to resolve IP to 
DNS. We can avoid the lookup while building underlying SslTransportLayer 
instance.






[jira] [Commented] (KAFKA-8562) SASL_SSL still performs reverse DNS lookup despite KAFKA-5051

2019-08-19 Thread Ismael Juma (Jira)


[ 
https://issues.apache.org/jira/browse/KAFKA-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16910478#comment-16910478
 ] 

Ismael Juma commented on KAFKA-8562:


cc [~rsivaram] [~omkreddy]



