cerner / cerner_kafka

A Kafka Cookbook for Chef
Apache License 2.0

Support for Kerberos SASL authentication #56

Closed noslowerdna closed 7 years ago

noslowerdna commented 7 years ago

As described at http://docs.confluent.io/3.0.0/kafka/sasl.html#sasl-configuration-for-kafka-brokers, GSSAPI (Kerberos) authentication is supported as of Kafka 0.9. In addition to a variety of configuration properties that must be set to enable this, a special JAAS configuration file must be created and provided with the -Djava.security.auth.login.config JVM parameter. The cookbook can manage the creation of the configuration file and setting this parameter.

Broker configuration is considered out of scope for this feature and should be set separately. Relevant properties could include:

- listeners
- sasl.enabled.mechanisms
- sasl.kerberos.kinit.cmd
- sasl.kerberos.min.time.before.relogin
- sasl.kerberos.principal.to.local.rules
- sasl.kerberos.service.name
- sasl.kerberos.ticket.renew.jitter
- sasl.kerberos.ticket.renew.window.factor
- sasl.mechanism.inter.broker.protocol
- security.inter.broker.protocol

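The two broker-side pieces the issue names are the JAAS login configuration file and the `-Djava.security.auth.login.config` JVM option that points at it. The following is an added example, not code from the cerner_kafka cookbook: plain Ruby that renders a `KafkaServer` login context for `Krb5LoginModule`, builds the JVM option, and lints a rendered file the way a deployment check would (keytab-based login, `storeKey=true`, absolute keytab path, no `debug=true`, file not readable by group or other). The function names, the principal `kafka/broker1.example.internal@EXAMPLE.INTERNAL`, the keytab and config paths are all constructed placeholders.

```ruby
# Added example (not part of the cerner_kafka cookbook): render, point the JVM
# at, and lint a Kafka broker JAAS file for SASL/GSSAPI. Principals and paths
# below are constructed placeholders, not values from the project.

require 'tempfile'

# Render the KafkaServer login context. Kafka brokers read this context name;
# the principal form "kafka/<fqdn>@<REALM>" and keytab path are caller-supplied.
def render_jaas(principal:, keytab:, context: 'KafkaServer')
  <<~JAAS
    #{context} {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      storeKey=true
      useTicketCache=false
      keyTab="#{keytab}"
      principal="#{principal}";
    };
  JAAS
end

# The JVM flag Kafka reads its login contexts from; typically appended to KAFKA_OPTS.
def jaas_jvm_opt(path)
  "-Djava.security.auth.login.config=#{path}"
end

# Minimal JAAS parser (enough for single-module contexts without spaces in
# values): returns { name => { 'module' => .., 'flag' => .., 'options' => {k => v} } }.
def parse_jaas(text)
  contexts = {}
  text.scan(/(\w+)\s*\{([^}]*)\}\s*;/m) do |name, body|
    tokens = body.strip.chomp(';').split(/\s+/)
    mod, flag = tokens.shift(2)
    opts = tokens.map { |t| k, v = t.split('=', 2); [k, v.to_s.delete('"')] }.to_h
    contexts[name] = { 'module' => mod, 'flag' => flag, 'options' => opts }
  end
  contexts
end

# Checks worth running before the broker is restarted: the KafkaServer context
# exists, uses Krb5LoginModule with a keytab (no dependence on a ticket cache),
# keeps the key for accepting service tickets, names an absolute keytab path,
# does not enable Kerberos debug output, and the file is private to its owner.
def lint_jaas(path)
  problems = []
  ctx = parse_jaas(File.read(path))['KafkaServer']
  return ['missing KafkaServer context'] unless ctx
  o = ctx['options']
  problems << 'wrong login module' unless ctx['module'].to_s.end_with?('Krb5LoginModule')
  problems << 'control flag should be required' unless ctx['flag'] == 'required'
  problems << 'useKeyTab must be true' unless o['useKeyTab'] == 'true'
  problems << 'storeKey must be true' unless o['storeKey'] == 'true'
  problems << 'keyTab must be an absolute path' unless o['keyTab'].to_s.start_with?('/')
  problems << 'principal should look like kafka/<host>@<REALM>' unless o['principal'] =~ %r{\Akafka/[^@]+@[A-Z0-9.-]+\z}
  problems << 'debug=true writes Kerberos ticket details to stdout' if o['debug'] == 'true'
  mode = File.stat(path).mode & 0o777
  problems << format('file mode %04o is readable by group/other', mode) unless (mode & 0o077).zero?
  problems
end

if __FILE__ == $PROGRAM_NAME
  text = render_jaas(principal: 'kafka/broker1.example.internal@EXAMPLE.INTERNAL',
                     keytab: '/etc/security/keytabs/kafka.keytab')
  f = Tempfile.new('kafka_server_jaas')
  f.write(text)
  f.close
  File.chmod(0o600, f.path)
  puts jaas_jvm_opt('/etc/kafka/kafka_server_jaas.conf')
  puts "lint: #{lint_jaas(f.path).inspect}"
end
```

In a Chef recipe the rendered text would go through a `file` or `template` resource with `mode '0600'` and `owner` set to the Kafka service user, and the JVM option would be added to the environment the broker is started with; the lint step is what a verify block or a post-convergence test would run.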
bbaugher commented 7 years ago

This would also need to extend to the offset monitor as it can pull data out of kafka to read kafka stored offsets

noslowerdna commented 7 years ago

> This would also need to extend to the offset monitor as it can pull data out of kafka to read kafka stored offsets

As the offset monitor is still using the old Kafka 0.8 consumer that does not support Kerberos SASL, until https://github.com/quantifind/KafkaOffsetMonitor/issues/79 is addressed a plaintext listener port would still need to be opened if using the offset monitor service along with this feature, similar to the approach for schema registry and REST proxy services that is documented at http://docs.confluent.io/3.0.1/kafka/platform-security.html

bbaugher commented 7 years ago

Done in #57