Kafka: security.inter.broker.protocol can not be set to SASL_SSL, as Kerberos is not enabled

New Contributor

Hi guys,


I have a Kafka cluster and want to enable SASL_SSL without Kerberos.

Is it possible?


What I changed in kafka.properties:


listeners=PLAINTEXT://kafkatest03.loc:9092, SSL://kafkatest03.loc:9093, SASL_SSL://kafkatest03.loc:9094, SASL_PLAINTEXT://kafkatest03.loc:9095
advertised.listeners=PLAINTEXT://kafkatest03.loc:9092, SSL://kafkatest03.loc:9093, SASL_SSL://kafkatest03.loc:9094, SASL_PLAINTEXT://kafkatest03.loc:9095
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
sasl.enabled.mechanisms=SCRAM-SHA-256
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

ssl.keystore.location=...
ssl.keystore.password.generator=...
ssl.key.password.generator=...
ssl.truststore.location=...
ssl.truststore.password.generator=...


Added to broker_java_opts:


-Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf

KafkaServer {
    org.apache.kafka.common.security.scram.ScramLoginModule required
    username="admin"
    password="admin";
};


When I set security.inter.broker.protocol to PLAINTEXT everything is working and the client can auth with SASL_SSL using SCRAM-SHA-256, but ACL is not working.


According to this:

https://github.com/wurstmeister/kafka-docker/issues/218

we need to enable

security.inter.broker.protocol=SASL_SSL, but it throws an error:


security.inter.broker.protocol can not be set to SASL_SSL, as Kerberos is not enabled


Thanks
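An added example, not code from this thread and not Cloudera's control.sh: a small POSIX shell checker for the consistency conditions a SASL/SCRAM inter-broker setup needs, run over two constructed kafka.properties files, one mirroring the setup described above (PLAINTEXT between brokers, TLSv1 still enabled) and one with inter-broker traffic moved to SASL_SSL. Hostnames, ports and the super.users entry are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cloudera's control.sh:
# a consistency check for a kafka.properties that is meant to run
# SASL/SCRAM between brokers without Kerberos. The sample files below are
# constructed; hostnames, ports and the super.users entry are assumptions.

# Print the value of KEY from FILE (last occurrence wins, as in Kafka).
prop() {  # usage: prop FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Report inconsistencies on stdout; return 0 if none were found, 1 otherwise.
check_inter_broker_config() {
    cfg=$1
    rc=0
    ibp=$(prop "$cfg" security.inter.broker.protocol)
    mech=$(prop "$cfg" sasl.mechanism.inter.broker.protocol)
    enabled=$(prop "$cfg" sasl.enabled.mechanisms | tr -d ' ')
    listeners=$(prop "$cfg" listeners)
    tls=$(prop "$cfg" ssl.enabled.protocols)

    case "$ibp" in
        *SASL*)
            # The inter-broker mechanism has to be one the broker actually enables.
            case ",$enabled," in
                *",$mech,"*) ;;
                *) echo "sasl.mechanism.inter.broker.protocol=$mech is not in sasl.enabled.mechanisms=$enabled"; rc=1 ;;
            esac
            # ...and the inter-broker protocol needs a listener to connect to.
            case "$listeners" in
                *"$ibp://"*) ;;
                *) echo "no $ibp listener configured for inter-broker traffic"; rc=1 ;;
            esac
            ;;
        PLAINTEXT|"")
            # With an authorizer configured, unauthenticated brokers show up as
            # User:ANONYMOUS, so their replication requests hit the ACL check.
            echo "security.inter.broker.protocol is PLAINTEXT: brokers are unauthenticated, so ACLs cannot work for them"
            rc=1
            ;;
    esac

    # TLSv1 and TLSv1.1 are deprecated; keep only TLSv1.2 or newer.
    for p in $(echo "$tls" | tr ',' ' '); do
        case "$p" in
            TLSv1|TLSv1.1) echo "ssl.enabled.protocols allows deprecated $p"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed file mirroring the thread's setup (PLAINTEXT between brokers).
write_thread_config() {
    cat > "$1" <<'EOF'
listeners=PLAINTEXT://kafkatest03.loc:9092,SSL://kafkatest03.loc:9093,SASL_SSL://kafkatest03.loc:9094
security.inter.broker.protocol=PLAINTEXT
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
sasl.enabled.mechanisms=SCRAM-SHA-256
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
EOF
}

# Constructed file with brokers authenticating to each other over SASL_SSL.
write_hardened_config() {
    cat > "$1" <<'EOF'
listeners=SSL://kafkatest03.loc:9093,SASL_SSL://kafkatest03.loc:9094
security.inter.broker.protocol=SASL_SSL
ssl.enabled.protocols=TLSv1.2
sasl.enabled.mechanisms=SCRAM-SHA-256
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
# broker principal from the JAAS ScramLoginModule; the name is assumed
super.users=User:admin
EOF
}

tmp=$(mktemp)
for writer in write_thread_config write_hardened_config; do
    "$writer" "$tmp"
    echo "== $writer"
    if check_inter_broker_config "$tmp"; then echo "consistent"; else echo "needs attention"; fi
done
rm -f "$tmp"
```

The second file lists the broker's own SCRAM principal in super.users so that replication and controller requests pass the authorizer; the SCRAM credential for that user has to exist in ZooKeeper (created with kafka-configs --alter --add-config for the user entity) before the brokers are restarted with SASL_SSL between them, otherwise they cannot authenticate to each other. The checker is plain Kafka configuration logic and says nothing about the Cloudera Manager gate, which is a separate script-level check.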

6 REPLIES

New Contributor

Just found the reason here: https://github.com/cloudera/cm_csds/blob/master/KAFKA/src/scripts/control.sh


if [[ ${SECURITY_INTER_BROKER_PROTOCOL} == *"SASL"* && ${KERBEROS_AUTH_ENABLED} != "true" ]]; then
        echo "security.inter.broker.protocol can not be set to ${SECURITY_INTER_BROKER_PROTOCOL}, as Kerberos is not enabled on this Kafka broker."
        exit 1
fi

If I understand correctly, Kafka brokers can communicate with SASL_SSL without Kerberos.

Can someone from Cloudera please comment on it?


Thanks

Cloudera Employee

Hi Denys,


With respect to your clarification: yes, Kafka brokers can communicate with SASL_SSL without Kerberos, since SASL itself is a Kerberos-enabled protocol.

Contributor

@AKR 
I ran into the same problem. I don't think SASL itself is restricted to using the Kerberos protocol, according to Wikipedia. As far as I am concerned, it seems that Cloudera recommends its users use Kerberos and kind of forbids us from using other mechanisms. I wonder why we cannot or should not use other SASL mechanisms.

Contributor

@Denys Were you able to enable SASL/SCRAM for Kafka in CDH in the end? Thanks.

New Contributor

@iamabug @Denys Were you able to enable SASL/SCRAM for Kafka in CDH in the end? Thanks.

Contributor

I think CDH only supports Kerberos for SASL. I switched to Ambari to manage Kafka and used SASL/PLAIN in the end.