Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

How to enable Kafka Authorization/ACL without Kerberos with SSL Configuration

Labels (1)
Labels:
avatar
mvanam author-rank
Cloudera Employee

Created on ‎11-27-2018 03:59 PM

Steps:

  • When configuring a Kafka broker to use only SSL, you can have authentication and encryption by enabling 2-ways SSL by using parameter ssl.client.auth=required.
  • Go to Ambari > Kafka > configs > custom Kafka-broker, add ssl.client.auth=required parameter.
  • In this case certificate owner name (subject) works as username & authentication happens with this username. You have to add server certificate owner name from each broker as superuser (usernames separated by semicolon) so that each broker can access resources from other brokers.
Example: In the case of two brokers you need to add two server certificate owner names to superuser.
Go to Ambari > kafka > configs > custom kafka-broker, configure super.users parameter
super.users = User:CN=user1,OU=kafka,O=kafka,L=kafka,ST=kafka,C=xx;User:CN=user2,OU=kafka,O=kafka,L=kafka,ST=kafka,C=xx
  • You can create different client certificates for different users, if client certificate owner name is "CN=kafka,OU=kafka,O=kafka,L=kafka,ST=kafka,C=xx" then you can set your topic ACLs to allow this user to produce/consume data.
  • For producing data you can execute below commands 
    ./kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=<zkhost>:<port> --add  --allow-principal User:"CN=kafka,OU=kafka,O=kafka,L=kafka,ST=kafka,C=xx"  --cluster --producer --topic test
./kafka-console-producer.sh --broker-list <broker>:<port> --topic test --producer.config <client-ssl-path>/client-ssl.properties  --security-protocol SSL
  • client-ssl.properties: 
    security.protocol=SSL
ssl.truststore.location=<client.truststore.jks>
ssl.truststore.password=<truststore-password>
ssl.keystore.location=<client.keystore.jks>
ssl.keystore.password=<keystore-password>
ssl.key.password=<key-password>
  • For Consuming data you can execute below commands 
    ./kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=<zkhost>:<port> --add  --allow-principal User:"CN=kafka,OU=kafka,O=kafka,L=kafka,ST=kafka,C=xx"  --group=* --consumer --topic test
./kafka-console-consumer.sh --bootstrap-server <broker>:<port> --topic test --security-protocol SSL --consumer.config <client-ssl-path>/client-ssl.properties --from-beginning
  • If Username contains any other attribute apart from (CN, L, ST, O, OU, C, STREET), it will be emitted as Object Identifier (OID) which is difficult to identify. So you can implement CustomPrincipalBuilder class by implementing PrincipalBuilder Interface just to extract the simple username from certificate owner name.
    • Build the custom jar & copy the jar to <kafka-broker>/libs/ folder in all brokers
    • Configure below parameter in Ambari > kafka > configs > custom kafka-broker to load the custom class
    • principal.builder.class=kafka.security.auth.CustomPrincipalBuilder
    • 6,626 Views
    Announcements
    What's New @ Cloudera
    [RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
    What's New @ Cloudera
    [RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
    Community Announcements
    February 2025 Community Highlights
    What's New @ Cloudera
    3 Benefits of External IDE Connectivity, Now Available in Cl...
    What's New @ Cloudera
    Performance comparison of Spark3 on YARN with S3 Standard VS...
    View More Announcements
    Version history
    Last update:
    ‎11-27-2018 03:59 PM
    Updated by:
    Cloudera Employee
    Contributors