I've been trying to set up a cluster following https://docs.confluent.io/platform/current/security/security_tutorial.html with SSL keys and username/password as described there.
But I failed to find a proper way to set up the dname of a key and the broker's "super.users" parameter.
It says to create a key with:
# Without user prompts, pass command line arguments
keytool -keystore kafka.server.keystore.jks -alias localhost -keyalg RSA -validity {validity} -genkey -storepass {keystore-pass} -keypass {key-pass} -dname {distinguished-name} -ext SAN=DNS:{hostname}
And later on, when configuring the broker's server.properties, we need to set up super.users:
Because this tutorial configures the inter-broker security protocol as SSL, set the super user name to be the distinguished name configured in the broker’s certificate. (See other authorization configuration options).
super.users=User:;User:;User:;User:kafka-broker-metric-reporter
The problem is that the dname must follow a pattern: "CN=cName, OU=orgUnit, O=org, L=city, S=state, C=countryCode"
Moreover, there is a restriction on the CN for Kafka: it must be equal to the SAN FQDN setting.
So, the question is:
in case we have localhost and are setting up a cluster with a single broker, should we set the dname for the key to "CN=localhost", so the command will be:
keytool -keystore kafka.server.keystore.jks -alias localhost -genkey -dname "CN=localhost" -ext SAN=DNS:localhost
and then have this entry in server.properties:
super.users=User:CN=localhost
?
And if that is true, the second question: in case we still have localhost and are setting up 2 separate brokers there, will we have the same dname?
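As an added example (not from the question or the Confluent tutorial), the script below gives each broker its own certificate with a distinct CN and a matching SAN, prints each subject DN in the RFC 2253 form that Kafka's default SSL principal uses (components separated by commas with no spaces), and assembles the semicolon-separated super.users line from those DNs. openssl stands in for keytool; the hostnames broker1/broker2.example.com and the organisation fields are constructed, and openssl 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not from the question or the Confluent tutorial.
# One self-signed cert per broker (openssl stands in for keytool here),
# each with its own CN and a matching SAN, then a super.users line built
# from the subject DNs in the RFC 2253 form Kafka's default SSL principal
# uses ("CN=...,OU=...,O=...,L=...,ST=...,C=..." with no spaces).
# Assumes openssl >= 1.1.1 on PATH; brokerN.example.com is a constructed name.
set -eu

WORKDIR=$(mktemp -d)

# make_broker_cert <name>: self-signed cert + key for <name>.example.com.
# The -subj order is reversed so the printed RFC 2253 DN starts with CN.
make_broker_cert() {
  host="$1.example.com"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" \
    -subj "/C=US/ST=State/L=City/O=Example/OU=Kafka/CN=$host" \
    -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# broker_dn <name>: subject DN exactly as Kafka would see the principal.
broker_dn() {
  openssl x509 -in "$WORKDIR/$1.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}

# check_san <name>: succeeds only if the SAN carries the CN hostname.
check_san() {
  openssl x509 -in "$WORKDIR/$1.crt" -noout -ext subjectAltName \
    | grep -q "DNS:$1.example.com"
}

# build_super_users <dn>...: one "User:<dn>" per broker, ';'-separated.
build_super_users() {
  out=""
  for dn in "$@"; do
    out="${out:+$out;}User:$dn"
  done
  printf 'super.users=%s\n' "$out"
}

make_broker_cert broker1
make_broker_cert broker2
check_san broker1
check_san broker2
build_super_users "$(broker_dn broker1)" "$(broker_dn broker2)"
```

Each broker ends up with a different DN, and super.users must list every one of them verbatim, because the principal is compared as the whole DN string rather than the CN alone.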