[ https://issues.apache.org/jira/browse/KAFKA-2675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14973366#comment-14973366 ]
Ismael Juma commented on KAFKA-2675:
------------------------------------

[~harsha_ch], I had a look at implementing SASL_KAFKA_SERVER_REALM and it's unclear how this is meant to be used. Let's use the ZooKeeper code (which is quite similar to ours) as an example since it has the equivalent `zookeeper.server.realm` property:

{code}
final KerberosName clientKerberosName = new KerberosName(clientPrincipal.getName());
// assume that server and client are in the same realm (by default; unless the system property
// "zookeeper.server.realm" is set).
String serverRealm = System.getProperty("zookeeper.server.realm", clientKerberosName.getRealm());
KerberosName serviceKerberosName = new KerberosName(servicePrincipal + "@" + serverRealm);
final String serviceName = serviceKerberosName.getServiceName();
final String serviceHostname = serviceKerberosName.getHostName();
final String clientPrincipalName = clientKerberosName.toString();
try {
    saslClient = Subject.doAs(subject, new PrivilegedExceptionAction<SaslClient>() {
        public SaslClient run() throws SaslException {
            LOG.info("Client will use GSSAPI as SASL mechanism.");
            String[] mechs = {"GSSAPI"};
            LOG.debug("creating sasl client: client=" + clientPrincipalName
                    + ";service=" + serviceName + ";serviceHostname=" + serviceHostname);
            SaslClient saslClient = Sasl.createSaslClient(mechs, clientPrincipalName, serviceName,
                    serviceHostname, null, new ClientCallbackHandler(null));
            return saslClient;
        }
    });
    return saslClient;
}
{code}

So, the server realm is used to create the `KerberosName`, but then it seems to be ignored and only `getServiceName()` and `getHostName()` are used. It seems to me that one could use any value for `serverRealm` and it would have no effect on the parameters passed to `Sasl.createSaslClient`. Am I missing something?
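As an added illustration of the point raised in this comment (not ZooKeeper's or Kafka's code, and written in Python rather than Java), the block below models the quoted logic: a `KerberosName` parser assumed to follow the same `name/host@REALM` shape, and a function that computes the three arguments that reach `Sasl.createSaslClient`. The `server_realm_is_observable` check shows that the configured server realm never changes them; all principal values are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed model of ZooKeeper's KerberosName parsing: "name/host@REALM",
# "name@REALM", or a bare "name" (no host, no realm).
_PRINCIPAL = re.compile(r"^([^/@]*)(?:/([^/@]*))?@([^/@]*)$")


@dataclass(frozen=True)
class KerberosName:
    service_name: str
    host_name: Optional[str]
    realm: Optional[str]

    @classmethod
    def parse(cls, principal: str) -> "KerberosName":
        if "@" not in principal and "/" not in principal:
            return cls(principal, None, None)
        m = _PRINCIPAL.match(principal)
        if m is None:
            raise ValueError(f"Malformed Kerberos name: {principal}")
        return cls(m.group(1), m.group(2), m.group(3))

    def __str__(self) -> str:
        out = self.service_name
        if self.host_name is not None:
            out += "/" + self.host_name
        if self.realm is not None:
            out += "@" + self.realm
        return out


def sasl_client_params(client_principal: str, service_principal: str,
                       server_realm: Optional[str] = None) -> Tuple[str, str, Optional[str]]:
    """Mirror the quoted ZooKeeper logic: return the (authorizationId, protocol,
    serverName) triple handed to Sasl.createSaslClient."""
    client = KerberosName.parse(client_principal)
    if server_realm is None:          # default: assume the server shares the client's realm
        server_realm = client.realm
    if server_realm is None:
        raise ValueError("no realm available for the service principal")
    service = KerberosName.parse(service_principal + "@" + server_realm)
    # The realm parsed into `service` is dropped here, exactly as in the Java code.
    return (str(client), service.service_name, service.host_name)


def server_realm_is_observable(client_principal: str, service_principal: str,
                               realm_a: str, realm_b: str) -> bool:
    """True only if two different server realms yield different SASL parameters."""
    return (sasl_client_params(client_principal, service_principal, realm_a)
            != sasl_client_params(client_principal, service_principal, realm_b))
```

In this model an operator who sets the server-realm property expecting to pin the service's realm gets no such effect on the SASL client parameters, which is the behaviour the comment questions.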
> SASL/Kerberos follow-up
> -----------------------
>
> Key: KAFKA-2675
> URL: https://issues.apache.org/jira/browse/KAFKA-2675
> Project: Kafka
> Issue Type: Sub-task
> Components: security
> Reporter: Ismael Juma
> Assignee: Ismael Juma
> Fix For: 0.9.0.0
>
>
> This is a follow-up to KAFKA-1686.
> 1. Decide on `serviceName` configuration: do we want to keep it in two places?
> 2. auth.to.local config name is a bit opaque, is there a better one?
> 3. Implement or remove SASL_KAFKA_SERVER_REALM config
> 4. Consider making Login's thread a daemon thread
> 5. Write test that shows authentication failure due to invalid user
> 6. Write test that shows authentication failure due to wrong password
> 7. Write test that shows authentication failure due to ticket expiring

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)