我试图使用sasl\u ssl和gssapi mecanism保护apachekafka。除了Kafka使用的身份验证名称是“windows 2000之前”格式的名称而不是“标准”的新名称之外，所有的一切都正常工作。
例如，我在active directory中声明了一个新的kafka代理（我忘了说它是windows 10版本……）：
用户登录名：kafka/kafka1.myfqdn。com@myfqdn.com
用户登录名（windows 2000以前的版本）：假用户1

当我使用这个用户keytab登录kafka时，我在日志中有这样的内容：

[2020-11-21 17:05:50,168] INFO Successfully authenticated client: authenticationID=FAKE_USER1@MYFQDN.COM; authorizationID=kafka/kafka1.myfqdn.com@MYFQDN.COM. (org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)
[2020-11-21 17:09:50,909] INFO [GroupMetadataManager brokerId=1] Removed 0 expired offsets in 0 milliseconds. (kafka.coordinator.group.GroupMetadataManager)
[2020-11-21 17:12:00,672] INFO Successfully authenticated client: authenticationID=FAKE_USER1@MYFQDN.COM; authorizationID=kafka/kafka1.myfqdn.com@MYFQDN.COM. (org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)
[2020-11-21 17:12:00,772] INFO Successfully authenticated client: authenticationID=FAKE_USER1@MYFQDN.COM; authorizationID=kafka/kafka1.myfqdn.com@MYFQDN.COM. (org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)
[2020-11-21 17:12:00,799] DEBUG No acl found for resource ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL), authorized = false (kafka.authorizer.logger)
[2020-11-21 17:12:00,799] INFO Principal = User:FAKE_USER1 is Denied Operation = DescribeConfigs from host = xxx.xxx.xxx.xxx on resource = Cluster:LITERAL:kafka-cluster for request = DescribeConfigs with resourceRefCount = 1 (kafka.authorizer.logger)

当然，最后的denied是正常的，因为我的规则期望从kafka/kafka1.myfqdn中提取“kafka”。com@myfqdn.com 用户。
你能告诉我什么我做得不好吗？