SASL Authentication #105
Comments
Do you know of a good online resource/tutorial for setting up SASL authentication on brokers? If I can configure it locally I can likely work out how to include it in the app. |
@Crim - I can help with this. What distro of Kafka do you need? (Apache/Hortonworks/Cloudera/Confluent)... This is a good doc which covers all vendor distros... Probably you need to set up a KDC, if you don't have one already. |
just standard Apache's Kafka, or whatever is easiest to get up and going really. Thanks! |
Glad to hear, it would be great! As far as SASL is concerned - it's quite a simple thing when you get it, so I can describe it here. To set up SASL authentication in a Kafka cluster you should fulfill several steps:
Now in details:
add this to config/zookeeper.properties
make jaas file, for example config/jaas_zookeeper.conf with lines
pass JVM a special param, in linux you can do it this way:
and run zookeeper
modify or add these properties in config/server.properties
make jaas file, for example config/jaas_kafka_server.conf with lines
pass JVM a special param, in linux you can do it this way:
and run kafka broker
make config/client.properties and add this
make jaas file, for example config/jaas_kafka_client.conf with lines
pass JVM a special param, in linux you can do it this way:
and run producer
run consumer
So after all this, the Kafka broker connects to ZooKeeper using the Client data in the jaas file (it must correspond to the ZooKeeper Server jaas data), and consumers and producers connect to the broker using the KafkaClient jaas data (it must correspond to the KafkaServer authentication data). And don't forget to replace "/home/nkm/apps/kafka_2.11-2.0.0" with your own kafka directory. |
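The correspondence described in the comment above (the KafkaClient login must match the KafkaServer data) can be checked on the JAAS files before anything is started. This is an added example, not code from the thread or from kafka-webview; it assumes SASL/PLAIN with Kafka's PlainLoginModule and its `user_<name>` entries, and the function names, users, passwords and file contents are constructed.

```shell
# Added example, not from the thread. Users, passwords and files are constructed.

# Print the value of key $2 inside JAAS section $1 of file $3 (empty if absent).
jaas_get() {
    sed -n "/^$1 *{/,/^};/p" "$3" |
        sed -n -e 's/^/ /' -e "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" |
        head -n 1
}

# Succeed only if the KafkaClient login in client file $2 has a matching
# user_<name>="<password>" entry in the KafkaServer section of broker file $1.
jaas_client_matches_broker() {
    user=$(jaas_get KafkaClient username "$2")
    pass=$(jaas_get KafkaClient password "$2")
    [ -n "$user" ] || return 2          # no KafkaClient login found
    expected=$(jaas_get KafkaServer "user_$user" "$1")
    [ -n "$expected" ] && [ "$pass" = "$expected" ]
}

# Write constructed sample JAAS files into directory $1.
write_samples() {
    cat > "$1/jaas_kafka_server.conf" <<'EOF'
KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin" password="admin-secret"
    user_admin="admin-secret"
    user_alice="alice-secret";
};
Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="kafka" password="zk-secret";
};
EOF
    cat > "$1/jaas_kafka_client.conf" <<'EOF'
KafkaClient {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="alice" password="alice-secret";
};
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
if jaas_client_matches_broker "$demo_dir/jaas_kafka_server.conf" "$demo_dir/jaas_kafka_client.conf"; then
    echo "client login matches a broker user_ entry"
else
    echo "client login does NOT match the broker JAAS" >&2
fi
rm -rf "$demo_dir"
```

The section match is anchored at the start of the line, so the broker's `Client` section (its ZooKeeper login) is never confused with `KafkaClient`.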
That worked a treat @nadeevkm Thanks a ton! I'll poke around this weekend and get this working in the webapp. |
Looks great. We use GSSAPI (Kerberos) with SSL as SASL_SSL. So it should also take the path to the trust store and its password in SSL Settings (when no SSL auth). Also, it should ask for Kafka security protocol options as - PLAINTEXT/SASL_PLAINTEXT/SASL_SSL/SSL. |
SASL JAAS Config (only applies to SASL based security) - used for yahoo kafka manager
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=false principal="user@HADOOP.COM" useKeyTab=true serviceName="kafka" keyTab="/home/user/user.keytab" client=true;
here is the jaas.conf file that clients use
KafkaClient { Client { |
Just to make sure I'm understanding correctly....since the app already supports PLAINTEXT and SSL, when I add SASL support,
This sounds correct? |
@Crim yes you are right. One thing to point out is when we have SASL_SSL, we just use the truststore (no SSL auth - so the keystore is not needed). |
Good to know! |
I've published a new release that should support this. Thanks! |
Thank you very much for your work! I'll check it in a few days! |
Thanks @Crim. When we have SASL auth, we don't need SSL auth; can you check on this? For SASL_SSL we just need the SASL conf and the SSL truststore. |
I am able to set it up with SASL. I can use it. But I am getting the below error in Cluster Broker View: Error: org.apache.kafka.common.errors.UnsupportedVersionException: The broker does not support DESCRIBE_CONFIGS |
Sounds like when SASL is enabled, there's no need for the keystore and associated password? |
Thanks @Crim. Yes, when SASL is enabled there is no need for keystore details. |
created issue #116 to deal with no longer requiring a KEYSTORE in this scenario and closing out this ticket. Thanks! |
Greetings! Is it possible to use kafka-webview with a cluster with SASL authentication? In a simple console consumer I can do this by just passing a jaas conf file (with login/password) as a JVM argument like
export KAFKA_OPTS="-Djava.security.auth.login.config=/home/nkm/Apps/kafka_2.11-2.0.0/config/jaas_client.conf"
and consumer.property file with lines
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
as cmd arguments, like..
bin/kafka-console-consumer.sh --bootstrap-server localhost:9029092 --topic test_topic --from-beginning --consumer.config config/consumer.properties