conduktor / kafka-security-manager

Manage your Kafka ACL at scale
https://hub.docker.com/r/simplesteph/kafka-security-manager
MIT License

running without Docker? #26

Closed ctramnitz closed 6 years ago

ctramnitz commented 6 years ago

Could you please document the invocation without Docker? Either my java -jar or java -cp attempts are wrong or I'm having a Scala version problem...

Thanks!

simplesteph commented 6 years ago

Hi @ctramnitz

I believe it's already documented, are you having issues with these commands?

To build:

sbt clean test
sbt universal:stage

To run:

target/universal/stage/bin/kafka-security-manager -Dconfig.file=path/to/config-file.conf

Or with environment variables (like Docker):

export AUTHORIZER_CLASS=....
export AUTHORIZER_ZOOKEEPER_CONNECT=...
target/universal/stage/bin/kafka-security-manager 

And to add authentication to your KSM:

target/universal/stage/bin/kafka-security-manager -Dconfig.file=path/to/config-file.conf -Djava.security.auth.login.config=conf/jaas.conf

where conf/jaas.conf:

Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/kafka/secrets/zkclient1.keytab"
    principal="zkclient/example.com@EXAMPLE.COM";
};

(or whatever your jaas looks like for your zookeeper setup)

Does that help? Otherwise please post the error messages you're getting.

ctramnitz commented 6 years ago

That's fine, thank you. I just missed that part in the build instructions and was trying to work with the pre-compiled jar from sources like Maven and Sonatype.

simplesteph commented 6 years ago

Oh I see. The jars there are meant if you need to build your own source module and add that to your project. Hope you find the project helpful!

ctramnitz commented 6 years ago

Just one more question. Is there an existing config option to just run once instead of continuously run as daemon? i.e. sleep=0? I just want the csv-configured ACLs to be written to Zookeeper (with KSM_READONLY=false) for deployment purposes but not have kafka-security-manager run all the time.

simplesteph commented 6 years ago

This isn't meant for write once type of workflows, but I'll keep this in mind. In the meantime, just launch KSM and then stop it. Be aware that it's not an "insert" pattern, it's an "apply" pattern, so your whole CSV will be what's in Zookeeper in the end.

simplesteph commented 6 years ago

@ctramnitz if you want to add these functionalities, please do a PR and I'll gladly look at it
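
As an added example (not part of this thread and not KSM's own code): a dry run of the "apply" behaviour described in the reply above, listing which existing ACLs would disappear once the CSV becomes the full state in Zookeeper. The column names, the sample rows, and having the current ACLs available in the same CSV layout are all assumptions.

```python
import csv
import io

# Constructed sample data. The column names are an assumed layout, not taken from the thread.
HEADER = "KafkaPrincipal,ResourceType,PatternType,ResourceName,Operation,PermissionType,Host"
DESIRED_CSV = HEADER + """
User:alice,Topic,LITERAL,orders,Read,Allow,*
User:alice,Group,LITERAL,orders-app,Read,Allow,*
"""
CURRENT_CSV = HEADER + """
User:alice,Topic,LITERAL,orders,Read,Allow,*
User:bob,Topic,LITERAL,payments,Write,Allow,*
"""

def load_acls(text):
    """Parse ACL CSV text into (header, set of row tuples), trimming whitespace."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    header = tuple(reader.fieldnames or ())
    rows = {tuple((row[col] or "").strip() for col in header) for row in reader}
    return header, rows

def plan_apply(desired_csv, current_csv):
    """Apply semantics: the end state equals the CSV, so unlisted ACLs are removed."""
    d_header, desired = load_acls(desired_csv)
    c_header, current = load_acls(current_csv)
    if d_header != c_header:
        raise ValueError("CSV layouts differ; refusing to compare")
    return {"add": sorted(desired - current),
            "remove": sorted(current - desired),
            "keep": sorted(desired & current)}

def plan_insert(desired_csv, current_csv):
    """Insert semantics, for contrast: only additions, nothing is ever removed."""
    plan = plan_apply(desired_csv, current_csv)
    return {"add": plan["add"], "remove": [], "keep": sorted(plan["keep"] + plan["remove"])}

def principals_losing_all_access(plan):
    """Principals (first column) that appear only in rows slated for removal."""
    surviving = {row[0] for row in plan["add"] + plan["keep"]}
    return sorted({row[0] for row in plan["remove"]} - surviving)

if __name__ == "__main__":
    plan = plan_apply(DESIRED_CSV, CURRENT_CSV)
    for action in ("add", "remove", "keep"):
        for row in plan[action]:
            print(f"{action:6} {','.join(row)}")
    print("lose all access:", principals_losing_all_access(plan))
```

Reviewing the "remove" rows before starting KSM with KSM_READONLY=false shows what a one-off deployment run would revoke in addition to what it grants.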