Security Overview

The Kafka community added a number of features that, used either separately or together, increases security in a Kafka cluster. The following security measures are currently supported by Kafka Eagle:

  • SASL/GSSAPI (Kerberos)
  • SASL/PLAIN
  • SASL/SCRAM-SHA-256
  • SASL/OAUTHBEARER

How To Use SASL Security

1.Kerberos

1.1 Setting Kafka Eagle System File

Kafka Eagle system-config.properties file setting:

######################################
# kafka  sasl authenticate
######################################
cluster1.kafka.eagle.sasl.enable=true
cluster1.kafka.eagle.sasl.protocol=SASL_PLAINTEXT
cluster1.kafka.eagle.sasl.mechanism=GSSAPI

1.2 Setting Kafka Eagle Kerberos Client

If your Kafka cluster uses Kerberos security authentication, the client needs to configure the kafka_client_jaas.conf file:

KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/etc/security/keytabs/kafka_client.keytab"
  principal="kafka-eagle.org@EXAMPLE.COM";
};

or (Make sure there is a local ticket cache klist -l to view)

KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  renewTicket=true
  serviceName="kafka-eagle.org";
};

2.PLAIN

2.1 Setting Kafka Eagle System File

Kafka Eagle system-config.properties file setting:

######################################
# kafka  sasl authenticate
######################################
cluster1.kafka.eagle.sasl.enable=true
cluster1.kafka.eagle.sasl.protocol=SASL_PLAINTEXT
cluster1.kafka.eagle.sasl.mechanism=PLAIN

2.2 Setting Kafka Eagle PLAIN Client

If your Kafka cluster uses PLAIN security authentication, the client needs to configure the kafka_client_jaas.conf file:

KafkaClient {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="kafka"
  password="kafka-eagle";
};

3.SCRAM-SHA-256

3.1 Setting Kafka Eagle System File

Kafka Eagle system-config.properties file setting:

######################################
# kafka  sasl authenticate
######################################
cluster1.kafka.eagle.sasl.enable=true
cluster1.kafka.eagle.sasl.protocol=SASL_PLAINTEXT
cluster1.kafka.eagle.sasl.mechanism=SCRAM-SHA-256

3.2 Setting Kafka Eagle SCRAM-SHA-256 Client

If your Kafka cluster uses SCRAM-SHA-256 security authentication, the client needs to configure the kafka_client_jaas.conf file:

KafkaClient {
  org.apache.kafka.common.security.scram.ScramLoginModule required
  username="kafka"
  password="kafka-eagle";
};

4.OAUTHBEARER

4.1 Setting Kafka Eagle System File

If you use this authentication, you need to make sure that your Kafka cluster version is after 2.x, Kafka Eagle system-config.properties file setting:

######################################
# kafka  sasl authenticate
######################################
cluster1.kafka.eagle.sasl.enable=true
cluster1.kafka.eagle.sasl.protocol=SASL_PLAINTEXT
cluster1.kafka.eagle.sasl.mechanism=OAUTHBEARER

4.2 Setting Kafka Eagle OAUTHBEARER Client

If your Kafka cluster uses OAUTHBEARER security authentication, the client needs to configure the kafka_client_jaas.conf file:

KafkaClient {
  org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
  unsecuredLoginStringClaim_sub="kafka-eagle";
};
Copyright © smartloli 2019 all right reserved,powered by GitbookModify: 2019-06-09 13:52:31