Hi,

My company has an Active Directory, but I'm not exactly sure what to ask for from them. My current setup and goal is a fully automated Kafka cluster, where during each Kafka broker boot a DNS name will be created (kafka-broker-10.example.com, for example).

I'm looking into enabling security with SASL/GSSAPI, but I have the following questions:

1) Can my Kafka brokers share the same keytab and principal? They live on different hosts, though. Basically, if that's not possible, then it will be impossible for me to automatically spin up Kafka brokers...

2) In https://kafka.apache.org/documentation/#security_sasl_kerberos, does the {hostname} correspond to the advertised hostname from Kafka? If so, why can they all be the same here: https://github.com/confluentinc/cp-docker-images/blob/master/examples/kafka-cluster-sasl/secrets/broker1_jaas.conf ? Otherwise I missed the point of "*Make sure all hosts can be reachable using hostnames* - it is a Kerberos requirement that all your hosts can be resolved with their FQDNs".

3) Basically, by securely storing one set of credentials for Kafka and one for ZooKeeper, I can bring up and down nodes as I please. Do you see any issues with that?

Thanks for your help.

Regards,
Stephane
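The per-host principal pattern from the linked Kafka documentation (principal="kafka/{hostname}@REALM") can be turned into a boot-time check for the automated setup described above. The script below is an added example, not code from the original thread, Kafka or Confluent: it assumes a keytab at /etc/security/keytabs/kafka.keytab, the realm EXAMPLE.COM and MIT `klist -kt` output, and embeds a constructed listing so it runs offline.

```shell
#!/bin/sh
# Added example: render this broker's KafkaServer JAAS section from the host's
# FQDN and refuse to start when the (possibly shared) keytab has no key for
# kafka/<fqdn>@REALM. Keytab path and realm are placeholder assumptions.
KEYTAB=${KEYTAB:-/etc/security/keytabs/kafka.keytab}
REALM=${REALM:-EXAMPLE.COM}

# Return 0 if the `klist -kt` listing ($2) contains kafka/<fqdn>@REALM ($1).
keytab_has_host_principal() {
    fqdn=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v want="kafka/${fqdn}@${REALM}" \
        'NF >= 3 && $NF == want { found = 1 } END { exit !found }'
}

# Print the KafkaServer JAAS section bound to this host's own principal.
render_broker_jaas() {
    fqdn=$1
    cat <<EOF
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="${KEYTAB}"
    principal="kafka/${fqdn}@${REALM}";
};
EOF
}

# Constructed sample standing in for: klist -kt "$KEYTAB"
SAMPLE_LISTING='Keytab name: FILE:/etc/security/keytabs/kafka.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   2 01/01/2024 00:00:00 kafka/kafka-broker-10.example.com@EXAMPLE.COM
   2 01/01/2024 00:00:00 kafka/kafka-broker-11.example.com@EXAMPLE.COM'

# On a real broker: fqdn=$(hostname -f); listing=$(klist -kt "$KEYTAB")
fqdn=kafka-broker-10.example.com
if keytab_has_host_principal "$fqdn" "$SAMPLE_LISTING"; then
    render_broker_jaas "$fqdn"
else
    echo "keytab lacks kafka/${fqdn}@${REALM}; refusing to start" >&2
fi
```

A keytab that carries one entry per broker host can be shared across hosts this way, while each broker still authenticates under its own kafka/<fqdn> principal.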