Skip to content
This repository has been archived by the owner on Dec 11, 2023. It is now read-only.
/ kafka-plain-saslserver-2-ad Public archive

Enhancing Kafka security, PlainSaslServer with LDAP binding and SimpleAclAuthorizer with LDAP group membership

License

MIT license
20 stars 21 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

navikt/kafka-plain-saslserver-2-ad

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

93 Commits
gradle/wrapper
gradle/wrapper
 
 
src
src
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
CODEOWNERS
CODEOWNERS
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
build.gradle
build.gradle
 
 
gradlew
gradlew
 
 
gradlew.bat
gradlew.bat
 
 
settings.gradle
settings.gradle
 
 

Repository files navigation

kafka-plain-saslserver-2-ad

Warning

This project is not used by NAV anymore and is thus not maintained. Feel free to create a fork.

Build Status Docker Build Status Docker Automated build

Enhancing kafka 2.x with

  • customized SimpleLDAPAuthentication using LDAPS simple bind for authentication
  • customized SimpleACLAuthorizer using LDAPS compare-matched for group membership verification

Thus, moving authentication from user and passwords in JAAS context file on kafka brokers to LDAP server

By defining Read/Write allowance with LDAP groups, authorization is moved from Zookeeper Access Control Lists to group membership verification.

Binding and group membership information is cached (limited lifetime after write), giving minor performance penalty and reduced LDAPS traffic.

Tools

  • Kotlin
  • Gradle build tool
  • Spek test framework

Components

  1. Unboundid LDAP SDK for LDAPS interaction
  2. Caffeine Cache
  3. YAML Configuration for LDAP baseDN for users, groups and more. See src/test/resources/ldapconfig.yaml for details

Observe that the directory hosting yaml configuration file must be in CLASSPATH.

Kafka configuration examples

JAAS context file on Kafka broker use the standard class for plain login module during authentication

KafkaServer{
org.apache.kafka.common.security.plain.PlainLoginModule required
username="x"
password="y";
};

Example of Kafka server.properties for using the customized classes for authentication and authorization. The example focus on minimum configuration only (sasl plaintext). A production environment utilize plain with TLS.

...
listeners=SASL_PLAINTEXT://localhost:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN 

listener.name.sasl_plaintext.plain.sasl.server.callback.handler.class=no.nav.common.security.authentication.SimpleLDAPAuthentication
authorizer.class.name=no.nav.common.security.authorization.SimpleLDAPAuthorizer
...

Using the docker image

The docker image can't currently be used standalone, the Dockerfile is supposed to be extended by adding the config file /etc/kafka/ldapconfig.yaml and the jaas configuration /etc/kafka/kafka_server_jaas.conf, examples of these config files can be found in NAVs kafka docker compose project

Testing

Use of Unboundid in-memory LDAP server for all test cases.

Tested on confluent.io version 5.x (related to apache kafka 2.x)

See Confluent Open Source distribution in order to test locally.

The related Wiki has a detailed guide for local testing.

Build

./gradlew clean build
./gradlew shadowJar

The result is kafka-plain-salserver-2-ad-2.0_<version>.jar hosting authentication and authorization classes.

Observe that the directory hosting the given JAR file must be in CLASSPATH.

About

Enhancing Kafka security, PlainSaslServer with LDAP binding and SimpleAclAuthorizer with LDAP group membership

Topics

kafka integrasjon

Resources

Readme

License

MIT license

Security policy

Security policy
Activity
Custom properties

Stars

20 stars

Watchers

10 watching

Forks

21 forks
Report repository

Releases

1 tags

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages