security kafka


Hello Friends

Could you help me secure my Kafka servers, for both broker and client? As additional information, I am using a KDC. As I see it, I currently have security.inter.broker.protocol set to SASL_PLAINTEXT; I don't know if that is correct or how I should secure this service.

Thank you

1 ACCEPTED SOLUTION


Hi @Peruvian81

Kafka has multiple ways to be secured:

Protocol        SSL  Kerberos
PLAINTEXT       No   No
SSL             Yes  No
SASL_PLAINTEXT  No   Yes
SASL_SSL        Yes  Yes

If you are already using Kerberos, you can check the document below:

https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.4/authentication-with-kerberos/content/kerberos_...

For your clients, you can use the command lines below, depending on the Kafka version:

Consumer example:

bin/kafka-console-consumer.sh --bootstrap-server <kafkaHost>:<kafkaPort> --topic <topicName> --security-protocol SASL_PLAINTEXT

For newer versions, consumer example:

bin/kafka-console-consumer.sh --topic <topicName> --bootstrap-server <brokerHost>:<brokerPort> --consumer-property security.protocol=SASL_PLAINTEXT

* Make sure to get a valid Kerberos ticket before running these commands (kinit -kt keytab principal)

** Ensure the Kerberos principal has permissions to publish/consume data from/to the selected topic
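
An added example, not part of the original answer and not Cloudera tooling: a shell check that reads a Kafka properties file and reports, using the table in the answer above, which configured protocols run without SSL or without Kerberos. The function names and the sample hostnames and ports are assumptions; "kerberos=Yes" assumes the SASL mechanism in use is GSSAPI, and listener names are assumed to be the protocol names.

```shell
# classify PROTOCOL -> prints "ssl=<Yes|No> kerberos=<Yes|No>" per the table above
classify() {
  case "$1" in
    PLAINTEXT)      echo "ssl=No kerberos=No" ;;
    SSL)            echo "ssl=Yes kerberos=No" ;;
    SASL_PLAINTEXT) echo "ssl=No kerberos=Yes" ;;
    SASL_SSL)       echo "ssl=Yes kerberos=Yes" ;;
    *)              echo "unknown"; return 1 ;;
  esac
}

# audit_props FILE -> one line per protocol found: "<key> <protocol> ssl=.. kerberos=.."
# Reads security.inter.broker.protocol, security.protocol and listeners.
# Assumption: listener names are protocol names (no listener.security.protocol.map).
audit_props() {
  grep -E '^[[:space:]]*(security\.inter\.broker\.protocol|security\.protocol|listeners)[[:space:]]*=' "$1" |
  while IFS='=' read -r key value; do
    key=$(printf '%s' "$key" | tr -d '[:space:]')
    # listeners is a comma-separated list of PROTOCOL://host:port entries
    for item in $(printf '%s' "$value" | tr ',' ' '); do
      proto=${item%%://*}
      echo "$key $proto $(classify "$proto")"
    done
  done
}

# count_unencrypted FILE -> number of configured protocols that carry traffic without TLS
count_unencrypted() {
  audit_props "$1" | grep -c 'ssl=No' || true
}

# Constructed sample broker config (hostnames and ports are placeholders).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not from the original post
listeners=SASL_PLAINTEXT://broker1.example.com:6667,SASL_SSL://broker1.example.com:6668
security.inter.broker.protocol=SASL_PLAINTEXT
EOF
audit_props "$sample"
```

With the sample file, the inter-broker setting from the question is reported as Kerberos-authenticated but unencrypted, which is what the SASL_PLAINTEXT row of the table states.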

 

 
