Wouldn't you use TLS to secure the connections? Encrypting just the 
credentials but not the connection seems brave.

Andrew



From:   Dave Ariens <dari...@blackberry.com>
To:     "dev@kafka.apache.org" <dev@kafka.apache.org>
Date:   10/12/2015 15:43
Subject:        RE: Interacting with a secured Kafka cluster via GSS-API



> Is there a reason why you are using GSS-API directly instead of via SASL?

There sure is--because I have no clue what I'm doing :)

Our Kafka 0.9.0 cluster is currently only configured for SASL_PLAINTEXT so 
we're not encrypting anything at the moment.  I'll take a look through 
SaslClientAuthenticator and try and come back with either confirmation 
that everything is working as expected (hopefully) or at least more 
intelligent questions...

Thanks!

________________________________________
From: isma...@gmail.com [isma...@gmail.com] on behalf of Ismael Juma 
[ism...@juma.me.uk]
Sent: Thursday, December 10, 2015 10:36 AM
To: dev@kafka.apache.org
Subject: Re: Interacting with a secured Kafka cluster via GSS-API

Hi Dave,

Is there a reason why you are using GSS-API directly instead of via SASL?
It should still work, but if you do the latter, you can potentially reuse
the existing code (or at least use it as inspiration), see
`org.apache.kafka.common.security.authenticator.SaslClientAuthenticator`.

Also, please keep in mind that we are only using SASL for authentication
and that to encrypt the communication, you have to use SASL_SSL (i.e. we
don't support the SASL confidentiality QOP, for example).

I hope this helps.

Ismael
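
Added example (not part of the thread and not Kafka project code): a small check over Kafka properties text that flags protocol settings and listeners which authenticate with SASL but leave the connection unencrypted, the SASL_PLAINTEXT situation discussed above. The sample config is constructed, and the check assumes 0.9.0-style listeners where the listener prefix is the security protocol name.

```python
# Kafka security protocol names -> (SASL authentication, TLS encryption)
PROTOCOLS = {
    "PLAINTEXT": (False, False),
    "SSL": (False, True),
    "SASL_PLAINTEXT": (True, False),
    "SASL_SSL": (True, True),
}
PROTOCOL_KEYS = ("security.protocol", "security.inter.broker.protocol")
LISTENER_KEYS = ("listeners", "advertised.listeners")

def parse_properties(text):
    """Minimal key=value parser (simplified: no line continuations or ':' separators)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def protocols_in(key, value):
    """Return the security protocol names a given setting refers to."""
    if key in PROTOCOL_KEYS:
        return [value.upper()]
    if key in LISTENER_KEYS:  # e.g. SASL_SSL://host:9093,SASL_PLAINTEXT://host:9092
        return [i.split("://", 1)[0].strip().upper() for i in value.split(",") if i.strip()]
    return []

def audit(text):
    """List (key, protocol, problem) for every setting that carries traffic in the clear."""
    findings = []
    for key, value in parse_properties(text).items():
        for proto in protocols_in(key, value):
            if proto not in PROTOCOLS:
                findings.append((key, proto, "unknown protocol"))
            elif not PROTOCOLS[proto][1]:
                sasl = PROTOCOLS[proto][0]
                findings.append((key, proto, "SASL-authenticated but unencrypted" if sasl
                                 else "unauthenticated and unencrypted"))
    return findings

# Constructed sample broker configuration
SAMPLE = """# constructed example
listeners=SASL_PLAINTEXT://0.0.0.0:9092,SASL_SSL://0.0.0.0:9093
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.kerberos.service.name=kafka
"""

if __name__ == "__main__":
    for key, proto, problem in audit(SAMPLE):
        print(f"{key}: {proto} is {problem}")
```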


