This change occurred due to https://issues.apache.org/jira/browse/ZOOKEEPER-2171
On Fri, Nov 17, 2017, at 15:10, Abraham Fine wrote: > Hi Ben- > > What version of ZooKeeper are you using? In my testing it looks like 3.4 > does a reverse lookup when creating the server principal > (https://github.com/apache/zookeeper/blob/branch-3.4/src/java/main/org/apache/zookeeper/ClientCnxn.java#L1011) > but 3.5/master do not > (https://github.com/apache/zookeeper/blob/branch-3.5/src/java/main/org/apache/zookeeper/ClientCnxn.java#L1104). > > > Let me know if that helps. > > Thanks, > Abe > > On Fri, Nov 17, 2017, at 12:01, Ben Wood wrote: > > Hey Folks, > > > > My team and I are working on a containerized Zookeeper service on top of > > DC/OS. We're running into an issue with Kerberos in the following > > scenario. > > > > Simplified, we have a zk server with the DNS address zk-server.dcos (e.g. > > the dns address of the ZK task) and actual hostname zk-server.aws > > (Shortened here, but really a standard resolvable AWS private dns > > address) > > and a kafka broker, kafka.dcos. > > > > We can easily setup our Zookeeper and Kafka services to work together, > > until we try to enable Kerberos. ZK itself works just fine with Kerberos, > > but the Kafka broker is not able to connect to the ZK server: > > > > 0. kafka.dcos is started with a zk server list of zk-server.dcos. > > 1. kafka.dcos starts up, initializing its ZK client. > > 2. kafka.dcos then attempts to retrieve a ticket from the KDC in order to > > talk to zk-server.aws, however the only zk principal known to the kdc is > > zk-server.dcos. > > > > From reading the source ( > > https://github.com/apache/zookeeper/blob/master/src/java/main/org/apache/zookeeper/client/StaticHostProvider.java#L112) > > it appears that the zk client is winding up with the actual hostname of > > the > > ZK server. > > > > Being new to the codebase, is this because of a client reverse lookup? Or > > because the zk server is telling the client about its hostname? It > > appears > > to be the former. > > > > Thanks! > > Ben
