Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

How to enable Kafka Authorization/ACL without Kerberos with SSL Configuration

Labels (1)
Labels:
avatar
mvanam author-rank
Cloudera Employee

Created on ‎11-27-2018 03:59 PM

Steps:

  • When configuring a Kafka broker to use only SSL, you can have authentication and encryption by enabling 2-ways SSL by using parameter ssl.client.auth=required.
  • Go to Ambari > Kafka > configs > custom Kafka-broker, add ssl.client.auth=required parameter.
  • In this case certificate owner name (subject) works as username & authentication happens with this username. You have to add server certificate owner name from each broker as superuser (usernames separated by semicolon) so that each broker can access resources from other brokers.
Example: In the case of two brokers you need to add two server certificate owner names to superuser.
Go to Ambari > kafka > configs > custom kafka-broker, configure super.users parameter
super.users = User:CN=user1,OU=kafka,O=kafka,L=kafka,ST=kafka,C=xx;User:CN=user2,OU=kafka,O=kafka,L=kafka,ST=kafka,C=xx
  • You can create different client certificates for different users, if client certificate owner name is "CN=kafka,OU=kafka,O=kafka,L=kafka,ST=kafka,C=xx" then you can set your topic ACLs to allow this user to produce/consume data.
  • For producing data you can execute below commands 
    ./kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=<zkhost>:<port> --add  --allow-principal User:"CN=kafka,OU=kafka,O=kafka,L=kafka,ST=kafka,C=xx"  --cluster --producer --topic test
./kafka-console-producer.sh --broker-list <broker>:<port> --topic test --producer.config <client-ssl-path>/client-ssl.properties  --security-protocol SSL
  • client-ssl.properties: 
    security.protocol=SSL
ssl.truststore.location=<client.truststore.jks>
ssl.truststore.password=<truststore-password>
ssl.keystore.location=<client.keystore.jks>
ssl.keystore.password=<keystore-password>
ssl.key.password=<key-password>
  • For Consuming data you can execute below commands 
    ./kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=<zkhost>:<port> --add  --allow-principal User:"CN=kafka,OU=kafka,O=kafka,L=kafka,ST=kafka,C=xx"  --group=* --consumer --topic test
./kafka-console-consumer.sh --bootstrap-server <broker>:<port> --topic test --security-protocol SSL --consumer.config <client-ssl-path>/client-ssl.properties --from-beginning
  • If Username contains any other attribute apart from (CN, L, ST, O, OU, C, STREET), it will be emitted as Object Identifier (OID) which is difficult to identify. So you can implement CustomPrincipalBuilder class by implementing PrincipalBuilder Interface just to extract the simple username from certificate owner name.
    • Build the custom jar & copy the jar to <kafka-broker>/libs/ folder in all brokers
    • Configure below parameter in Ambari > kafka > configs > custom kafka-broker to load the custom class
    • principal.builder.class=kafka.security.auth.CustomPrincipalBuilder
    • 5,808 Views
    Announcements
    Product Announcements
    [ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
    What's New @ Cloudera
    Cloudera Operational Database (COD) supports enhancements to...
    Community Announcements
    March 2024 Community Highlights
    Community Announcements
    Celebrating 100,000 Members: A Journey of Growth and Connect...
    Product Announcements
    [ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
    View More Announcements
    Version history
    Last update:
    ‎11-27-2018 03:59 PM
    Updated by:
    Cloudera Employee
    Contributors