Kafka Eagle
5.Security
The Kafka community has added a number of features that, used either separately or together, increase security in a Kafka cluster. The following security measures are currently supported by Kafka Eagle:
    SASL/GSSAPI (Kerberos)
    SASL/PLAIN
    SASL/SCRAM-SHA-256
    SASL/OAUTHBEARER
    SSL
    CGROUPS(SASL & SSL)

How To Use SASL And SSL Security On Multi-Cluster

1.Kerberos

1.1 Setting Kafka Eagle System File

Kafka Eagle system-config.properties file setting:
    ######################################
    # kafka sasl authenticate
    ######################################
    cluster1.kafka.eagle.sasl.enable=true
    cluster1.kafka.eagle.sasl.protocol=SASL_PLAINTEXT
    cluster1.kafka.eagle.sasl.mechanism=GSSAPI
    cluster1.kafka.eagle.sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka_client.keytab" principal="[email protected]";
    # make sure there is a local ticket cache; run `klist -l` to view it
    # cluster1.kafka.eagle.sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true renewTicket=true serviceName="kafka-eagle.org";

    # if your kafka cluster doesn't require it, you don't need to set it up
    # cluster1.kafka.eagle.sasl.client.id=

2.PLAIN

2.1 Setting Kafka Eagle System File

Kafka Eagle system-config.properties file setting:
    ######################################
    # kafka sasl authenticate
    ######################################
    cluster1.kafka.eagle.sasl.enable=true
    cluster1.kafka.eagle.sasl.protocol=SASL_PLAINTEXT
    cluster1.kafka.eagle.sasl.mechanism=PLAIN
    cluster1.kafka.eagle.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="kafka" password="kafka-eagle";
    # if your kafka cluster doesn't require it, you don't need to set it up
    # cluster1.kafka.eagle.sasl.client.id=

3.SCRAM-SHA-256

3.1 Setting Kafka Eagle System File

Kafka Eagle system-config.properties file setting:
    ######################################
    # kafka sasl authenticate
    ######################################
    cluster1.kafka.eagle.sasl.enable=true
    cluster1.kafka.eagle.sasl.protocol=SASL_PLAINTEXT
    cluster1.kafka.eagle.sasl.mechanism=SCRAM-SHA-256
    cluster1.kafka.eagle.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="kafka" password="kafka-eagle";
    # if your kafka cluster doesn't require it, you don't need to set it up
    # cluster1.kafka.eagle.sasl.client.id=

4.OAUTHBEARER

4.1 Setting Kafka Eagle System File

If you use this authentication, make sure that your Kafka cluster version is after 2.x. Kafka Eagle system-config.properties file setting:
    ######################################
    # kafka sasl authenticate
    ######################################
    cluster1.kafka.eagle.sasl.enable=true
    cluster1.kafka.eagle.sasl.protocol=SASL_PLAINTEXT
    cluster1.kafka.eagle.sasl.mechanism=OAUTHBEARER
    cluster1.kafka.eagle.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required unsecuredLoginStringClaim_sub="kafka-eagle";
    # if your kafka cluster doesn't require it, you don't need to set it up
    # cluster1.kafka.eagle.sasl.client.id=

5.SSL

5.1 Setting Kafka Eagle System File

If you use this authentication (SSL), make sure that your Kafka cluster version is after 2.x. Kafka Eagle system-config.properties file setting:
    ######################################
    # kafka ssl authenticate
    ######################################
    cluster3.kafka.eagle.ssl.enable=true
    cluster3.kafka.eagle.ssl.protocol=SSL
    # kafka server.properties "ssl.truststore.location" value
    cluster3.kafka.eagle.ssl.truststore.location=/data/kafka/ssl/certificates/kafka.truststore
    # kafka server.properties "ssl.truststore.password" value
    cluster3.kafka.eagle.ssl.truststore.password=ke123456
    # kafka server.properties "ssl.keystore.location" value
    cluster3.kafka.eagle.ssl.keystore.location=/data/kafka/ssl/certificates/kafka.keystore
    # kafka server.properties "ssl.keystore.password" value
    cluster3.kafka.eagle.ssl.keystore.password=ke123456
    # kafka server.properties "ssl.key.password" value
    cluster3.kafka.eagle.ssl.key.password=ke123456
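
An added example, not part of the Kafka Eagle documentation: a small Python audit that parses `clusterN.kafka.eagle.sasl.*` and `ssl.*` keys in the format shown above and flags settings to review before production use: SASL over `SASL_PLAINTEXT` (no TLS), `PLAIN` on such a link (the password crosses the network unencrypted), the `unsecuredLogin...` OAUTHBEARER option (Kafka's unsecured-token mode) and secrets stored in the file. The function names, finding labels and sample input are constructed for illustration.

```python
import re

# Constructed sample input in the page's key format (not a real deployment).
SAMPLE = '''\
cluster1.kafka.eagle.sasl.enable=true
cluster1.kafka.eagle.sasl.protocol=SASL_PLAINTEXT
cluster1.kafka.eagle.sasl.mechanism=PLAIN
cluster1.kafka.eagle.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="kafka" password="kafka-eagle";
cluster2.kafka.eagle.sasl.enable=true
cluster2.kafka.eagle.sasl.protocol=SASL_PLAINTEXT
cluster2.kafka.eagle.sasl.mechanism=OAUTHBEARER
cluster2.kafka.eagle.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required unsecuredLoginStringClaim_sub="kafka-eagle";
cluster3.kafka.eagle.ssl.enable=true
cluster3.kafka.eagle.ssl.keystore.password=ke123456
'''

KEY = re.compile(r'^(cluster\d+)\.kafka\.eagle\.(sasl|ssl)\.(.+)$')

def parse(text):
    """Return {cluster: {"sasl.protocol": value, ...}}, skipping comments."""
    clusters = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        m = KEY.match(key.strip())
        if m:
            clusters.setdefault(m.group(1), {})[f'{m.group(2)}.{m.group(3)}'] = value.strip()
    return clusters

def audit(text):
    """Return sorted (cluster, finding) pairs for settings worth reviewing."""
    findings = []
    for name, cfg in parse(text).items():
        jaas = cfg.get('sasl.jaas.config', '')
        if cfg.get('sasl.enable') == 'true':
            if cfg.get('sasl.protocol') == 'SASL_PLAINTEXT':
                findings.append((name, 'no-tls'))  # SASL without TLS
                if cfg.get('sasl.mechanism') == 'PLAIN':
                    findings.append((name, 'cleartext-password-on-wire'))
            if 'unsecuredLogin' in jaas:  # Kafka's unsecured JWT option
                findings.append((name, 'unsecured-oauth-token'))
        stored = [k for k, v in cfg.items() if k.endswith('.password') and v]
        if stored or re.search(r'password="[^"]+"', jaas):
            findings.append((name, 'secret-in-config-file'))
    return sorted(findings)

if __name__ == '__main__':
    print(*audit(SAMPLE), sep='\n')
```
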

How To Use SASL And SSL CGroups Topics On Multi-Cluster

When permission authentication (such as SASL or SSL) is in use, the user you connect with may only be able to manage a limited number of Kafka topics. In that case, you can enable the following properties:
    # SASL
    cluster1.kafka.eagle.sasl.cgroup.enable=true
    cluster1.kafka.eagle.sasl.cgroup.topics=topic1,topic2,topic3

    # SSL
    cluster2.kafka.eagle.ssl.cgroup.enable=true
    cluster2.kafka.eagle.ssl.cgroup.topics=topic4,topic5,topic6