[jira] [Commented] (KAFKA-8562) SASL_SSL still performs reverse DNS lookup despite KAFKA-5051
[ https://issues.apache.org/jira/browse/KAFKA-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916481#comment-16916481 ]

Rajini Sivaram commented on KAFKA-8562:
---------------------------------------

This is a duplicate of https://issues.apache.org/jira/browse/KAFKA-7188

> SASL_SSL still performs reverse DNS lookup despite KAFKA-5051
> -------------------------------------------------------------
>
>                 Key: KAFKA-8562
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8562
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Badai Aqrandista
>            Priority: Minor
>
> When using SASL_SSL, the Kafka client performs a reverse DNS lookup to
> resolve IP to DNS. So, this circumvents the security fix made in KAFKA-5051.
> This is the line of code from AK 2.2 where it performs the lookup:
> https://github.com/apache/kafka/blob/2.2.0/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L205
> The following log messages show that the consumer initially tried to connect with IP
> address 10.0.2.15. Then suddenly it created a SaslClient with a hostname:
> {code:java}
> [2019-06-18 06:23:36,486] INFO Kafka commitId: 00d486623990ed9d (org.apache.kafka.common.utils.AppInfoParser)
> [2019-06-18 06:23:36,487] DEBUG [Consumer clientId=KafkaStore-reader-_schemas, groupId=schema-registry-10.0.2.15-18081] Kafka consumer initialized (org.apache.kafka.clients.consumer.KafkaConsumer)
> [2019-06-18 06:23:36,505] DEBUG [Consumer clientId=KafkaStore-reader-_schemas, groupId=schema-registry-10.0.2.15-18081] Initiating connection to node 10.0.2.15:19094 (id: -1 rack: null) using address /10.0.2.15 (org.apache.kafka.clients.NetworkClient)
> [2019-06-18 06:23:36,512] DEBUG Set SASL client state to SEND_APIVERSIONS_REQUEST (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
> [2019-06-18 06:23:36,515] DEBUG Creating SaslClient: client=null;service=kafka;serviceHostname=quickstart.confluent.io;mechs=[PLAIN] (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)
> {code}
> Thanks
> Badai

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
[jira] [Commented] (KAFKA-8562) SASL_SSL still performs reverse DNS lookup despite KAFKA-5051
[ https://issues.apache.org/jira/browse/KAFKA-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16912437#comment-16912437 ]

Manikumar commented on KAFKA-8562:
----------------------------------

In case of SASL, the hostname is used in [SaslClientAuthenticator|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/network/SaslChannelBuilder.java#L203] and [SslTransportLayer|https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/com] instances. I think in case of SaslClient, the broker hostname must match the hostname in `principal/hostname@realm`. So we still need to do a DNS lookup to resolve IP to DNS. We can avoid the lookup while building the underlying SslTransportLayer instance.
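Manikumar's comment above names the two consumers of the broker hostname (the SASL service principal and the SSL transport layer) and the report shows the symptom: the client was configured with the IP literal 10.0.2.15, yet the SaslClient was built with serviceHostname=quickstart.confluent.io, which can only have come from a reverse lookup. The class below is an added example, not Kafka code and not from any commenter. It contrasts the socket-derived hostname (`InetAddress.getHostName()`, which issues a PTR lookup for an address created from an IP literal) with the configured host string (`InetSocketAddress.getHostString()`, which never resolves anything), and runs a small triage check over client DEBUG lines that flags a SaslClient whose serviceHostname differs from the IP-literal endpoint it connected to. The class name, method names and regular expressions are assumptions for illustration; the sample log lines are copied from the report above, each trimmed to one line. Whether `getHostName()` is the exact call at the cited SaslChannelBuilder line is not confirmed here; it is the standard JDK call that produces this behaviour.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (not Kafka code): where the reverse lookup comes from and how to spot it in client logs. */
public final class SaslServiceHostnameCheck {

    // Shape of the NetworkClient line in the report:
    // "Initiating connection to node 10.0.2.15:19094 (id: -1 rack: null) using address /10.0.2.15"
    private static final Pattern CONNECT =
        Pattern.compile("Initiating connection to node (\\S+):(\\d+) .*using address /(\\S+)");

    // Shape of the SaslClientAuthenticator line in the report:
    // "Creating SaslClient: client=null;service=kafka;serviceHostname=quickstart.confluent.io;mechs=[PLAIN]"
    private static final Pattern SASL_CLIENT =
        Pattern.compile("Creating SaslClient: .*serviceHostname=([^;\\s]+)");

    /**
     * Problematic pattern (assumption about the cited line, not a quote of it): derive the SASL
     * service hostname from the connected socket's address. For an address built from an IP
     * literal, getHostName() performs a reverse (PTR) lookup, and whatever the resolver returns
     * becomes the Kerberos service principal host, not the endpoint the operator configured.
     */
    static String serviceHostFromSocket(InetAddress connected) {
        return connected.getHostName(); // may trigger reverse DNS
    }

    /**
     * Hardened pattern: keep the host string the client was configured with.
     * InetSocketAddress.getHostString() returns the literal or name as given and never resolves.
     */
    static String serviceHostFromConfig(InetSocketAddress configured) {
        return configured.getHostString();
    }

    /** IPv4 literal check, sufficient for log triage; bracketed IPv6 endpoints are not handled. */
    static boolean isIpv4Literal(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    /**
     * Scans client DEBUG lines in order. Each "Initiating connection" line records the configured
     * endpoint; the next "Creating SaslClient" line is compared against it. A serviceHostname that
     * differs from an IP-literal endpoint can only have come from a reverse lookup.
     */
    static List<String> findReverseLookups(List<String> logLines) {
        List<String> findings = new ArrayList<>();
        String configuredHost = null;
        for (String line : logLines) {
            Matcher c = CONNECT.matcher(line);
            if (c.find()) {
                configuredHost = c.group(1);
                continue;
            }
            Matcher s = SASL_CLIENT.matcher(line);
            if (s.find() && configuredHost != null) {
                String saslHost = s.group(1);
                if (isIpv4Literal(configuredHost) && !saslHost.equals(configuredHost)) {
                    findings.add("configured endpoint " + configuredHost
                        + " but SASL serviceHostname=" + saslHost + " (reverse DNS result)");
                }
                configuredHost = null;
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Sample input: the relevant lines from the Jira report, each trimmed to a single line.
        List<String> sample = List.of(
            "[2019-06-18 06:23:36,505] DEBUG [Consumer clientId=KafkaStore-reader-_schemas, groupId=schema-registry-10.0.2.15-18081] Initiating connection to node 10.0.2.15:19094 (id: -1 rack: null) using address /10.0.2.15 (org.apache.kafka.clients.NetworkClient)",
            "[2019-06-18 06:23:36,512] DEBUG Set SASL client state to SEND_APIVERSIONS_REQUEST (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)",
            "[2019-06-18 06:23:36,515] DEBUG Creating SaslClient: client=null;service=kafka;serviceHostname=quickstart.confluent.io;mechs=[PLAIN] (org.apache.kafka.common.security.authenticator.SaslClientAuthenticator)");
        for (String finding : findReverseLookups(sample)) {
            System.out.println("FINDING: " + finding);
        }

        // API contrast on the same endpoint: getHostString() needs no DNS, getHostName() may query PTR.
        InetSocketAddress configured = new InetSocketAddress("10.0.2.15", 19094);
        System.out.println("configured host string: " + serviceHostFromConfig(configured));
        System.out.println("socket-derived host   : " + serviceHostFromSocket(configured.getAddress()));
    }
}
```

Run offline, the last line prints the IP literal back because the PTR query fails; on a network where a PTR record exists for 10.0.2.15, it prints that name, which is exactly the substitution the report observed. The triage method is the part worth keeping: point it at a client log captured at DEBUG level and any finding means the SASL service principal and, if the same hostname is reused for SSL, the hostname verification are being driven by DNS data rather than by the configured bootstrap address.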
[jira] [Commented] (KAFKA-8562) SASL_SSL still performs reverse DNS lookup despite KAFKA-5051
[ https://issues.apache.org/jira/browse/KAFKA-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16910478#comment-16910478 ]

Ismael Juma commented on KAFKA-8562:
------------------------------------

cc [~rsivaram] [~omkreddy]