I agree that if there are hostnames in the list which don't correspond to any principal, then the connection will fail, but that's the way the SASL authentication with Kerberos works anyways, so we're not breaking anything here I think.
This is the current behaviour, if you put 3 FQDNs in bootstrap.servers today and one of them doesn't match, you will get AUTH_FAILED.

"Also I think you are suggesting that we update bootstrap servers to be the alias plus any other hostnames obtained from DNS lookup."
The suggested change doesn't "make" bootstrap servers the alias, it will resolve the alias to retrieve all underlying canonical host names, and will put all of them in the list of addresses returned by parseAndValidateAddresses() in ClientUtils.

Jonathan Skrzypek
Middleware Engineering
Messaging Engineering
Goldman Sachs International

-----Original Message-----
From: Rajini Sivaram [mailto:rajinisiva...@gmail.com]
Sent: 06 December 2017 12:58
To: dev
Subject: Re: [DISCUSS]KIP-235 DNS alias and secured connections

Sorry, the example I used with public/private DNS is wrong. But there is the general issue of multiple DNS names where only one is added to the keytab/certificate, but all names are added to the bootstrap server list.

On Wed, Dec 6, 2017 at 12:06 PM, Rajini Sivaram <rajinisiva...@gmail.com> wrote:

> Hi Jonathan,
>
> Thank you for the KIP.
>
> I think you are proposing that we always do this (i.e. no option to turn it off). If you have a private and public DNS name, at the moment, if SSL certs and keytabs contain only the public DNS name and the bootstrap servers and advertised listeners are configured to use that name, everything works fine. With the proposed changes in the KIP, the client would add the private name as well to the bootstrap servers. So if a connection is made to the private name, that would result in an authentication exception.
>
> Also I think you are suggesting that we update bootstrap servers to be the alias plus any other hostnames obtained from DNS lookup. This means that connections using the alias would fail with authentication exception. We do not retry in the case of authentication exceptions (and it makes it hard to diagnose security issues if we start expecting some authentication failures to be ok).
>
> On Wed, Dec 6, 2017 at 10:43 AM, Stephane Maarek <steph...@simplemachines.com.au> wrote:
>
>> Hi Jonathan
>>
>> I think this will be very useful. I reported something similar here :
>> https://issues.apache.org/jira/browse/KAFKA-4781
>>
>> Please confirm your kip will address it ?
>>
>> Stéphane
>>
>> On 6 Dec. 2017 8:20 pm, "Skrzypek, Jonathan" <jonathan.skrzy...@gs.com> wrote:
>>
>> > True, amended the KIP, thanks.
>> >
>> > Jonathan Skrzypek
>> > Middleware Engineering
>> > Messaging Engineering
>> > Goldman Sachs International
>> >
>> > -----Original Message-----
>> > From: Tom Bentley [mailto:t.j.bent...@gmail.com]
>> > Sent: 05 December 2017 18:19
>> > To: dev@kafka.apache.org
>> > Subject: Re: [DISCUSS]KIP-235 DNS alias and secured connections
>> >
>> > Hi Jonathan,
>> >
>> > It might be worth mentioning in the KIP that this is necessary only for *Kerberos* on SASL, and not other SASL mechanisms. Reading the JIRA it makes sense, but I was confused up until that point.
>> >
>> > Cheers,
>> >
>> > Tom
>> >
>> > On 5 December 2017 at 17:53, Skrzypek, Jonathan <jonathan.skrzy...@gs.com> wrote:
>> >
>> > > Hi,
>> > >
>> > > I would like to discuss a KIP I've submitted :
>> > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection
>> > >
>> > > Feedback and suggestions welcome !
>> > >
>> > > Regards,
>> > > Jonathan Skrzypek
>> > > Middleware Engineering
>> > > Messaging Engineering
>> > > Goldman Sachs International
>> > > Christchurch Court - 10-15 Newgate Street London EC1A 7HD
>> > > Tel: +442070512977
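The expansion Jonathan describes (resolving the bootstrap alias and adding every canonical host name behind it) and the failure mode Rajini raises (a resolved name with no matching Kerberos principal fails authentication, and the client does not retry), modelled as an added Python example that is not part of this thread or of Kafka's Java client. The DNS records, host names and keytab principals are constructed stand-ins for a real lookup and a real keytab, so it runs offline.

```python
import socket

# Constructed stand-in for DNS (not real hosts): alias -> A records, IP -> PTR name.
# Kafka's Java client would use InetAddress.getAllByName()/getCanonicalHostName().
FAKE_FORWARD = {
    "kafka.example.test": ["10.0.0.11", "10.0.0.12", "10.0.0.13"],
    "broker1.example.test": ["10.0.0.11"],
}
FAKE_REVERSE = {
    "10.0.0.11": "broker1.example.test",
    "10.0.0.12": "broker2.example.test",
    "10.0.0.13": "broker3.internal.test",  # second DNS name, absent from the keytab
}

def fake_resolve(host):
    """Return the canonical host names behind `host` (constructed data)."""
    ips = FAKE_FORWARD.get(host)
    if ips is None:
        raise socket.gaierror(f"unknown host {host}")
    return [FAKE_REVERSE.get(ip, host) for ip in ips]

def expand_bootstrap_servers(bootstrap, resolve=fake_resolve):
    """Model of the KIP-235 proposal: every host:port entry is resolved and each
    canonical name behind it goes into the address list in place of the alias."""
    addresses = []
    for entry in bootstrap.split(","):
        host, sep, port = entry.strip().rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"invalid bootstrap entry {entry!r}")
        for canonical in resolve(host):
            pair = (canonical, int(port))
            if pair not in addresses:  # de-duplicate overlapping entries
                addresses.append(pair)
    return addresses

def names_without_principal(addresses, keytab_principals, service="kafka"):
    """Pre-flight check for the case raised in the thread: a resolved name with
    no <service>/<fqdn> principal in the keytab will fail SASL/GSSAPI with
    AUTH_FAILED, and the client does not retry authentication failures."""
    return [host for host, _ in addresses
            if f"{service}/{host}" not in keytab_principals]

if __name__ == "__main__":
    addrs = expand_bootstrap_servers("kafka.example.test:9093")
    print(addrs)
    print(names_without_principal(addrs, {"kafka/broker1.example.test",
                                          "kafka/broker2.example.test"}))
```

Running the check before the first connection surfaces the mismatched name directly instead of as an AUTH_FAILED on one of the expanded addresses.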