Created on 08-31-2018 06:50 AM - edited 09-16-2022 06:39 AM
Hi guys,
I have a Kafka cluster and want to enable SASL_SSL without Kerberos.
Is it possible?
What I changed in kafka.properties:
listeners=PLAINTEXT://kafkatest03.loc:9092, SSL://kafkatest03.loc:9093, SASL_SSL://kafkatest03.loc:9094, SASL_PLAINTEXT://kafkatest03.loc:9095
advertised.listeners=PLAINTEXT://kafkatest03.loc:9092, SSL://kafkatest03.loc:9093, SASL_SSL://kafkatest03.loc:9094, SASL_PLAINTEXT://kafkatest03.loc:9095
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
sasl.enabled.mechanisms=SCRAM-SHA-256
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
ssl.keystore.location=...
ssl.keystore.password.generator=...
ssl.key.password.generator=...
ssl.truststore.location=...
ssl.truststore.password.generator=...
Added to broker_java_opts:
-Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf
and /etc/kafka/kafka_server_jaas.conf contains:
KafkaServer {
    org.apache.kafka.common.security.scram.ScramLoginModule required
    username="admin"
    password="admin";
};
When I set security.inter.broker.protocol to PLAINTEXT everything is working and the client can auth with SASL_SSL using SCRAM-SHA-256, but ACL is not working.
According to this:
https://github.com/wurstmeister/kafka-docker/issues/218
we need to enable
security.inter.broker.protocol=SASL_SSL, but it throws an error:
security.inter.broker.protocol can not be set to SASL_SSL, as Kerberos is not enabled
Thanks
Created 09-01-2018 04:30 AM
Just found the reason here: https://github.com/cloudera/cm_csds/blob/master/KAFKA/src/scripts/control.sh
if [[ ${SECURITY_INTER_BROKER_PROTOCOL} == *"SASL"* && ${KERBEROS_AUTH_ENABLED} != "true" ]]; then
  echo "security.inter.broker.protocol can not be set to ${SECURITY_INTER_BROKER_PROTOCOL}, as Kerberos is not enabled on this Kafka broker."
  exit 1
fi
If I understand correctly, Kafka brokers can communicate with SASL_SSL without Kerberos.
Can someone from Cloudera please comment it?
Thanks
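An added example, not code from any post in this thread and not Cloudera's or Kafka's own code: it runs the original poster's broker settings (with security.inter.broker.protocol=SASL_SSL) through a paraphrase of the consistency rules upstream Kafka applies at startup, and then through a paraphrase of the CM control.sh gate quoted above. The config passes the first and is refused only by the second, which is the point made in this post. The properties parser, the listener-name handling (it assumes the default listener.security.protocol.map, where the listener name is the security protocol) and the defaults for the SASL settings are assumptions of this example.

```python
# Constructed example: reproduce the two layers of validation the poster hit.
# Not Kafka or Cloudera code; the rules below are paraphrased from their behaviour.

# Constructed sample: the poster's settings plus the inter-broker protocol that failed.
OP_CONFIG = """
listeners=PLAINTEXT://kafkatest03.loc:9092, SSL://kafkatest03.loc:9093, SASL_SSL://kafkatest03.loc:9094, SASL_PLAINTEXT://kafkatest03.loc:9095
advertised.listeners=PLAINTEXT://kafkatest03.loc:9092, SSL://kafkatest03.loc:9093, SASL_SSL://kafkatest03.loc:9094, SASL_PLAINTEXT://kafkatest03.loc:9095
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-256
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
"""


def parse_properties(text):
    """Minimal Java .properties parser (assumed): key=value lines, '#' comments, trimmed."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def listener_names(value):
    """Listener names from 'NAME://host:port, NAME2://host:port'.
    Assumption: default listener.security.protocol.map, so name == security protocol.
    With custom names (e.g. INTERNAL://) you would map via inter.broker.listener.name."""
    return {entry.strip().split("://", 1)[0].upper()
            for entry in value.split(",") if entry.strip()}


def kafka_check(props):
    """Paraphrase of upstream Kafka's startup rules: the inter-broker protocol must be
    one of the advertised listeners, and when it is a SASL protocol the inter-broker
    mechanism must be in sasl.enabled.mechanisms. Nothing here requires Kerberos;
    a JAAS KafkaServer section (as the poster configured) is still needed at runtime."""
    errors = []
    ibp = props.get("security.inter.broker.protocol", "PLAINTEXT").upper()
    advertised = listener_names(props.get("advertised.listeners") or props.get("listeners", ""))
    if ibp not in advertised:
        errors.append(f"security.inter.broker.protocol={ibp} is not among advertised listeners {sorted(advertised)}")
    if ibp.startswith("SASL"):
        # Kafka's defaults for both settings are GSSAPI, i.e. Kerberos, unless overridden.
        enabled = {m.strip().upper() for m in props.get("sasl.enabled.mechanisms", "GSSAPI").split(",")}
        mech = props.get("sasl.mechanism.inter.broker.protocol", "GSSAPI").upper()
        if mech not in enabled:
            errors.append(f"sasl.mechanism.inter.broker.protocol={mech} not in sasl.enabled.mechanisms {sorted(enabled)}")
    return errors


def cm_check(props, kerberos_enabled):
    """Paraphrase of the CM CSD control.sh gate: any SASL inter-broker protocol is
    refused unless Kerberos is enabled on the broker, regardless of the SASL mechanism."""
    ibp = props.get("security.inter.broker.protocol", "PLAINTEXT")
    if "SASL" in ibp and not kerberos_enabled:
        return [f"security.inter.broker.protocol can not be set to {ibp}, as Kerberos is not enabled on this Kafka broker."]
    return []


if __name__ == "__main__":
    props = parse_properties(OP_CONFIG)
    print("upstream Kafka rules:", kafka_check(props) or "ok")
    print("CM wrapper, Kerberos off:", cm_check(props, kerberos_enabled=False) or "ok")
    print("CM wrapper, Kerberos on:", cm_check(props, kerberos_enabled=True) or "ok")
```

Running it shows the poster's SCRAM-over-SASL_SSL layout is internally consistent for Kafka itself and is only rejected by the management wrapper's Kerberos precondition; the same functions flag a genuinely broken layout (for example SASL_SSL as inter-broker protocol with no SASL_SSL listener, or a mechanism left at the GSSAPI default while only SCRAM is enabled).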
Created 02-28-2019 07:34 AM
Hi Denys,
With respect to your clarification: yes, Kafka brokers can communicate with SASL_SSL without Kerberos, since SASL itself is a Kerberos-enabled protocol.
Created on 09-03-2019 07:15 PM - edited 09-03-2019 07:16 PM
@AKR
I ran into the same problem. I don't think SASL itself is restricted to the Kerberos protocol, according to Wikipedia. As far as I am concerned, it seems that Cloudera recommends its users use Kerberos and kind of forbids us from using other mechanisms. I wonder why we cannot or should not use other SASL mechanisms.
Created 09-04-2019 07:15 PM
@Denys Were you able to enable SASL/SCRAM for Kafka in CDH in the end? Thanks.
Created 10-11-2019 07:42 PM
Created 11-05-2019 03:06 AM
I think CDH only supports Kerberos for SASL. I switched to Ambari to manage Kafka and used SASL/PLAIN in the end.