Hi Jonathan,

Thank you for the KIP.

I think you are proposing that we always do this (i.e. no option to turn it
off). If you have a private and public DNS name, at the moment, if SSL
certs and keytabs contain only the public DNS name and the bootstrap
servers and advertised listeners are configured to use that name,
everything works fine. With the proposed changes in the KIP, the client
would add the private name as well to the bootstrap servers. So if a
connection is made to the private name, that would result in an
authentication exception.

Also I think you are suggesting that we update bootstrap servers to be the
alias plus any other hostnames obtained from DNS lookup. This means that
connections using the alias would fail with authentication exception. We do
not retry in the case of authentication exceptions (and it makes it hard to
diagnose security issues if we start expecting some authentication failures
to be ok).


On Wed, Dec 6, 2017 at 10:43 AM, Stephane Maarek <
steph...@simplemachines.com.au> wrote:

> Hi Jonathan
>
> I think this will be very useful. I reported something similar here:
> https://issues.apache.org/jira/browse/KAFKA-4781
>
> Please confirm your KIP will address it?
>
> Stéphane
>
> On 6 Dec. 2017 8:20 pm, "Skrzypek, Jonathan" <jonathan.skrzy...@gs.com>
> wrote:
>
> > True, amended the KIP, thanks.
> >
> > Jonathan Skrzypek
> > Middleware Engineering
> > Messaging Engineering
> > Goldman Sachs International
> >
> >
> > -----Original Message-----
> > From: Tom Bentley [mailto:t.j.bent...@gmail.com]
> > Sent: 05 December 2017 18:19
> > To: dev@kafka.apache.org
> > Subject: Re: [DISCUSS]KIP-235 DNS alias and secured connections
> >
> > Hi Jonathan,
> >
> > It might be worth mentioning in the KIP that this is necessary only for
> > *Kerberos* on SASL, and not other SASL mechanisms. Reading the JIRA it
> > makes sense, but I was confused up until that point.
> >
> > Cheers,
> >
> > Tom
> >
> > On 5 December 2017 at 17:53, Skrzypek, Jonathan <
> jonathan.skrzy...@gs.com>
> > wrote:
> >
> > > Hi,
> > >
> > > I would like to discuss a KIP I've submitted:
> > > https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_
> > > confluence_display_KAFKA_KIP-2D&d=DwIBaQ&c=7563p3e2zaQw0AB1wrFVgyagb2I
> > > E5rTZOYPxLxfZlX4&r=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0NM1EHo-E&m=GWKXA
> > > ILbqxFU2j7LtoOx9MZ00uy_jJcGWWIG92CyAuc&s=fv5WAkOgLhVOmF4vhEzq_39CWnEo0
> > > q0AJbqhAuDFDT0&e= 235%3A+Add+DNS+alias+support+for+secured+connection
> > >
> > > Feedback and suggestions welcome!
> > >
> > > Regards,
> > > Jonathan Skrzypek
> > > Middleware Engineering
> > > Messaging Engineering
> > > Goldman Sachs International
> > > Christchurch Court - 10-15 Newgate Street London EC1A 7HD
> > > Tel: +442070512977
> > >
> > >
> >
>
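The failure mode raised in the top message (an expanded bootstrap list containing a name that is covered by neither the broker keytab nor the TLS certificate, so the client hits a non-retried authentication failure) can be checked before any connection is attempted. The following is an added example written for this page, not Kafka client code and not part of KIP-235. It assumes a GSSAPI client asks for a service ticket of the form `kafka/<hostname>@REALM` (Kafka's default `sasl.kerberos.service.name` is `kafka`), and the DNS records, PTR names, realm, keytab principals and certificate SANs are all constructed inline so it runs offline.

```python
"""Pre-flight coverage check for an expanded bootstrap DNS alias.

Every hostname the client might connect with must be covered both by a
Kerberos service principal in the broker keytab and by the TLS
certificate's subjectAltName list; any name that is not covered would
fail authentication, and authentication failures are not retried.
Example code, not Kafka's own; all data below is constructed.
"""

SERVICE = "kafka"        # Kafka's default sasl.kerberos.service.name
REALM = "EXAMPLE.COM"    # constructed realm

# Constructed DNS: one alias, two addresses, each with its own PTR name.
# The second address reverse-resolves to a private name that is absent
# from the keytab and the certificate (the case discussed in the thread).
FAKE_DNS = {"kafka.example.com": ["10.0.0.1", "10.0.0.2"]}
FAKE_PTR = {
    "10.0.0.1": "broker1.public.example.com",
    "10.0.0.2": "broker1.private.example.com",
}


def expand_bootstrap(alias, dns=FAKE_DNS, ptr=FAKE_PTR):
    """Alias plus every hostname obtained by forward + reverse lookup
    (the expansion the message describes), de-duplicated, stable order."""
    names = [alias]
    for ip in dns.get(alias, []):
        host = ptr.get(ip)
        if host and host not in names:
            names.append(host)
    return names


def service_principal(hostname, service=SERVICE, realm=REALM):
    """Principal a GSSAPI client requests a ticket for when it connects
    to `hostname`; the broker keytab must hold a matching entry."""
    return f"{service}/{hostname}@{realm}"


def san_matches(hostname, san):
    """Exact SAN match, or a single left-most-label wildcard match."""
    if san == hostname:
        return True
    if san.startswith("*."):
        # Same number of labels and same suffix: the wildcard covers
        # exactly one label, never sub-subdomains.
        return hostname.endswith(san[1:]) and hostname.count(".") == san.count(".")
    return False


def coverage_problems(hostname, keytab_principals, cert_sans):
    """List of reasons a connection to `hostname` would fail to
    authenticate; an empty list means the name is fully covered."""
    problems = []
    principal = service_principal(hostname)
    if principal not in keytab_principals:
        problems.append(f"no keytab entry for {principal}")
    if not any(san_matches(hostname, san) for san in cert_sans):
        problems.append("hostname not in certificate SANs")
    return problems


def preflight(alias, keytab_principals, cert_sans):
    """Map every name the client might connect with to its problems."""
    return {
        host: coverage_problems(host, keytab_principals, cert_sans)
        for host in expand_bootstrap(alias)
    }


def usable_names(alias, keytab_principals, cert_sans):
    """Only the expanded names that would authenticate successfully."""
    report = preflight(alias, keytab_principals, cert_sans)
    return [host for host, problems in report.items() if not problems]


if __name__ == "__main__":
    # Constructed keytab and certificate that cover only the public name.
    keytab = {"kafka/broker1.public.example.com@EXAMPLE.COM"}
    sans = {"broker1.public.example.com"}
    for host, problems in preflight("kafka.example.com", keytab, sans).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

Run against the constructed data, the alias itself and the private name are both reported as uncovered, and only `broker1.public.example.com` survives `usable_names`; an operator can run the same check against real keytab principals (`klist -k`) and certificate SANs before enabling alias expansion.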