bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[Bitnami/Kafka] Implementing SASL_PLAINTEXT #4834

Closed Lagri closed 3 years ago

Lagri commented 3 years ago

Hi. I want to enable ACL authentication and authorization in Kafka, so that user bob cannot consume messages in the test topic. These are the steps I followed:

1) Install ZooKeeper:

    helm install zookeeper bitnami/zookeeper --namespace myzoo \
                 --set replicaCount=3 \
                 --set persistence.size=30Gi \
                 --set persistence.dataLogDir.size=30Gi

2) Install Kafka (the bracketed `--set` values are quoted so the shell does not treat `[0]` as a glob):

    helm install kafka bitnami/kafka \
                 --set zookeeper.enabled=false \
                 --set replicaCount=3 \
                 --set externalZookeeper.servers=zookeeper.myzoo.svc.cluster.local \
                 --set deleteTopicEnable=false \
                 --set autoCreateTopicsEnable=false \
                 --set persistence.size=60Gi \
                 --set logPersistence.size=60Gi \
                 --set auth.clientProtocol=sasl \
                 --set auth.saslMechanisms=plain \
                 --set allowPlaintextListener=true \
                 --set 'auth.jaas.clientUsers[0]=brokeruser' \
                 --set 'auth.jaas.clientPasswords[0]=brokerpassword' \
                 --set 'auth.jaas.clientUsers[1]=alice' \
                 --set 'auth.jaas.clientPasswords[1]=123' \
                 --set 'auth.jaas.clientUsers[2]=bob' \
                 --set 'auth.jaas.clientPasswords[2]=987'

3) Create the test topic:

    kafka-topics.sh --create \
                 --command-config /tmp/client.properties \
                 --bootstrap-server kafka.default.svc.cluster.local:9092 \
                 --topic test

4) Prevent user bob from reading topic test:

    kafka-acls.sh --authorizer-properties zookeeper.connect=zookeeper.myzoo.svc.cluster.local:2181 \
                 --add --deny-principal User:bob \
                 --operation read \
                 --topic test

5) On kafka-client1, produce Message01:

kafka-console-producer.sh \
             --producer.config /tmp/client.properties \
             --broker-list kafka-0.kafka-headless.default.svc.cluster.local:9092,kafka-1.kafka-headless.default.svc.cluster.local:9092,kafka-2.kafka-headless.default.svc.cluster.local:9092 \
             --topic test
>Message01

6) On kafka-client2, I consume the test topic:

kafka-console-consumer.sh \
             --consumer.config /tmp/client.properties \
             --bootstrap-server kafka.default.svc.cluster.local:9092 \
             --topic test \
             --from-beginning

Here, instead of getting an authorization error, the test topic is read and Message01 is shown.

On kafka-client1, the client.properties content:

security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN

_kafkajaas.conf content:

KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="alice"
password="123";
};

And on kafka-client2, the client.properties content:

security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN

_kafkajaas.conf content:

KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="bob"
password="987";
};

Any help is appreciated.

marcosbc commented 3 years ago

Hi @Lagri, thanks for the details. It looks like you are missing authorizer.class.name in your Kafka server.properties file. You can fix that by setting these options when deploying Kafka:

--set 'extraEnvVars[0].name=KAFKA_CFG_AUTHORIZER_CLASS_NAME' --set 'extraEnvVars[0].value=kafka.security.auth.SimpleAclAuthorizer'

I understand this is not the best approach, as there would ideally be a setting in values.yaml for this. If you believe it makes sense, feel free to send a PR and we will help with the review and release. Thanks!
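The root cause in this thread is that kafka-acls.sh happily writes ACLs to ZooKeeper whether or not the brokers are configured to consult them; without authorizer.class.name every request is allowed, which is why bob could read the topic. The script below is an added example written for this issue, not code from the issue author or from the bitnami/charts project. It assumes the same names as the thread (release kafka in the default namespace, ZooKeeper at zookeeper.myzoo.svc.cluster.local:2181, users brokeruser, alice and bob) and a Kafka version of 2.4 or later, where kafka.security.authorizer.AclAuthorizer replaced the SimpleAclAuthorizer class named in the reply above. Two general Kafka behaviours drive its choices: once an authorizer is configured, anything without a matching allow ACL is denied (so alice now needs an explicit Write ACL to produce, and the broker user goes into super.users), and a DENY entry always beats an ALLOW entry. Note also that SASL_PLAINTEXT with the PLAIN mechanism sends the username and password unencrypted, so this only belongs on a network you already trust.

```shell
#!/usr/bin/env sh
# Added example for bitnami/charts issue #4834; not the issue author's or the
# project's code. Assumptions: chart release "kafka" in namespace "default",
# ZooKeeper at zookeeper.myzoo.svc.cluster.local:2181, Kafka >= 2.4 so that
# kafka.security.authorizer.AclAuthorizer exists.
ZK=zookeeper.myzoo.svc.cluster.local:2181
TOPIC=test
BROKER_USER=brokeruser

# Extra --set flags that turn the ACL authorizer on. With an authorizer
# configured Kafka denies anything that has no matching allow ACL, so the
# broker/admin user is listed in super.users to keep admin and inter-broker
# traffic working. KAFKA_CFG_* env vars become server.properties keys in the
# Bitnami image, the same mechanism the maintainer's reply uses.
acl_helm_flags() {
  printf '%s\n' \
    "--set extraEnvVars[0].name=KAFKA_CFG_AUTHORIZER_CLASS_NAME" \
    "--set extraEnvVars[0].value=kafka.security.authorizer.AclAuthorizer" \
    "--set extraEnvVars[1].name=KAFKA_CFG_SUPER_USERS" \
    "--set extraEnvVars[1].value=User:$1"
}

# Minimal ACL set for the scenario in the issue: alice may produce (Write
# implies Describe), bob is explicitly denied Read. Bob is never granted Read
# on the topic or on a consumer group either, so the deny is belt and braces.
# The commands are printed, not executed, so they can be reviewed and then
# piped to sh on a host that has kafka-acls.sh.
acl_commands() {
  cat <<EOF
kafka-acls.sh --authorizer-properties zookeeper.connect=$ZK --add --allow-principal User:alice --operation Write --topic $TOPIC
kafka-acls.sh --authorizer-properties zookeeper.connect=$ZK --add --deny-principal User:bob --operation Read --topic $TOPIC
EOF
}

# Check a rendered server.properties for the key the issue was missing.
# Returns 0 when authorizer.class.name has a non-empty value, 1 otherwise.
has_authorizer() {
  grep -Eq '^[[:space:]]*authorizer\.class\.name[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# Check the output of `kafka-acls.sh --list --topic <topic>` for a DENY entry
# on a given principal and operation. Returns 0 if present, 1 if absent.
acl_denies() {
  listing=$1 principal=$2 op=$3
  grep -Eq "principal=$principal,.*operation=$op,.*permissionType=DENY" "$listing"
}

# Exercise the two checks on constructed inputs (no cluster needed).
demo() {
  tmp=$(mktemp -d)
  printf 'listeners=SASL_PLAINTEXT://:9092\nsasl.enabled.mechanisms=PLAIN\n' > "$tmp/before.properties"
  cp "$tmp/before.properties" "$tmp/after.properties"
  printf 'authorizer.class.name=kafka.security.authorizer.AclAuthorizer\nsuper.users=User:%s\n' \
    "$BROKER_USER" >> "$tmp/after.properties"
  # Constructed sample in the shape kafka-acls.sh --list prints for a literal topic.
  cat > "$tmp/acls.txt" <<'EOF'
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=test, patternType=LITERAL)`:
 	(principal=User:alice, host=*, operation=WRITE, permissionType=ALLOW)
 	(principal=User:bob, host=*, operation=READ, permissionType=DENY)
EOF
  has_authorizer "$tmp/before.properties" && echo "before: authorizer set" \
    || echo "before: no authorizer, every ACL is ignored"
  has_authorizer "$tmp/after.properties" && echo "after: authorizer set" \
    || echo "after: no authorizer"
  acl_denies "$tmp/acls.txt" User:bob READ && echo "bob: READ denied" \
    || echo "bob: no deny entry"
  rm -rf "$tmp"
}
```

Typical use: append `$(acl_helm_flags brokeruser)` to the helm install command from the issue, run `acl_commands | sh` from a pod that has the Kafka CLI, then confirm the broker actually loaded the setting with `has_authorizer` against the pod's /opt/bitnami/kafka/config/server.properties (path assumed from the Bitnami image layout). With the authorizer active, bob's console consumer fails with a TopicAuthorizationException instead of printing Message01, which is the behaviour the issue expected.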

stale[bot] commented 3 years ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

stale[bot] commented 3 years ago

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.