Support Questions
Find answers, ask questions, and share your expertise
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Kafka cluster with both SASL\GSSAPI and SSL authentication

Kafka cluster with both SASL\GSSAPI and SSL authentication

New Contributor


We have setup HDP cluster with Kafka cluster under Kerberos(Kafka too).

Some Kafka clients is unable to authenticate with kerberos so we added second authentication method - SSL(client certs).

Our settings:

listeners: SASL_PLAINTEXT://,SASL_SSL://,SSL://
advertised.listeners: SASL_PLAINTEXT://localhost:6667,SASL_SSL://localhost:6668,SSL://localhost:6678
ssl.client.auth: required

Brokers startup successfuly after fix HDP/3.0/services/KAFKA/package/scripts/

181 def replace_sasl_related_config(property, only_protocol=False):
182   property = re.sub(r"(^|\b)PLAINTEXTSASL", "SASL_PLAINTEXT", property) if only_protocol else re.sub(r"(^|\b)PLAINTEXTSASL://", "SASL_PLAINTEXT://", property)<br>183   property = re.sub(r"(^|\b)PLAINTEXT", "SASL_PLAINTEXT", property) if only_protocol else re.sub(r"(^|\b)PLAINTEXT://", "SASL_PLAINTEXT://", property)
184   # property = re.sub(r"(^|\b)SSL", "SASL_SSL", property) if only_protocol else re.sub(r"(^|\b)SSL://", "SASL_SSL://", property)
185   return property

Line 184 was commented.

By first look all works as expected:

- Kaka-rest able to auth with kerberos credentials

- simple python script can auth with client SSL cert

- We can manage kafka permissions via Ranger(accept\denied policies works, audit too).

There is no articles about this kind of kafka configuration that's why we afraid to go forward with this configuration.
Does any one have the same setup when client able to auth via kerberos or via ssl cert for the same cluster?
Is there any hidden problems that can we have if will use two auth methods for one cluster?


Don't have an account?
Coming from Hortonworks? Activate your account here