Tuesday, April 14, 2020

Client Setup for Authentication using SASL - Kerberos


Prerequisites:
1. A Kafka cluster set up with Kerberos (SASL/GSSAPI) on a secured listener
2. A keytab file for the client principal, issued by the Kerberos/Kafka administrator

Note: This document shows a client implementation using the information provided in https://docs.confluent.io/2.0.0/kafka/sasl.html#configuring-kafka-clients


Steps
1. Copy the keytab file to the resources folder. The keytab is a credential (anyone who can read it can authenticate as the principal), so for a production deployment it must be managed outside of the project repository, owned by the service account and readable only by it, and never committed to source control.

2. Add the following properties to application.yml (keys under spring.kafka.properties are passed straight through to the Kafka client, so the nested sasl block becomes sasl.mechanism and sasl.kerberos.service.name)
spring:
  kafka:
    bootstrap-servers: # make sure the secured (SASL_SSL) listener port is used
    properties:
      schema.registry.url: # make sure the secured port is used, e.g. https://abc.def.net:8081
      security.protocol: SASL_SSL
      sasl:
        mechanism: GSSAPI
        kerberos:
          service:
            name: kafka

sasl.kerberos.service.name must match the primary of the broker's service principal (kafka/<host>@REALM), otherwise the client requests a ticket for the wrong service. With SASL_SSL the broker's TLS certificate is also verified, so the JVM (or ssl.truststore.location in the same properties block) must trust the CA that issued it.

3. Create a jaas.conf file as follows (the entry name must be KafkaClient; note the trailing semicolons, which the JAAS parser requires)
KafkaClient {
    com.sun.security.auth.login.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="./src/main/resources/filename.keytab"
    principal="principal_name";
};

Example of a principal: "xyz/a.b.net@abc.def.net". The realm part is case-sensitive and must match exactly what the KDC issued.

4. Add the Kerberos configuration file krb5.conf (realm, KDC address, encryption types) to the resources folder.
The files from steps 3 and 4 are handed to the JVM as system properties when the application is started:
-Djava.security.auth.login.config=./src/main/resources/jaas.conf
-Djava.security.krb5.conf=./src/main/resources/krb5.conf
Both properties are read when the first Kafka client is created, so they must be in place before that point. Paths relative to src/main/resources only work when running from the project directory; a packaged jar needs absolute paths to files deployed alongside it.

Alternate approach to the -D flags above (in a Spring Boot application): set the same system properties from a configuration bean, with the realm and KDC given directly instead of via krb5.conf. Note that java.security.krb5.realm and java.security.krb5.kdc must be set together; the JVM rejects one without the other. Any bean that builds a Kafka client (KafkaTemplate, consumer factory) must be created after this bean, for example by marking it @DependsOn("securityConfig"), or the properties will not be seen.
import javax.annotation.PostConstruct;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.util.StringUtils;

@Configuration
public class SecurityConfig {

    @Value("${app.kafka.security.authLoginConfig}")
    private String authLoginConfig;

    @Value("${app.kafka.security.krb5Realm}")
    private String krb5Realm;

    @Value("${app.kafka.security.krb5Kdc}")
    private String krb5Kdc;

    // Runs once this bean is constructed; only non-blank values are applied,
    // so a property left empty falls back to the JVM's own defaults.
    @PostConstruct
    public void configureKafkaSecurity() {
        if (StringUtils.hasText(authLoginConfig)) {
            System.setProperty("java.security.auth.login.config", authLoginConfig);
        }
        if (StringUtils.hasText(krb5Realm)) {
            System.setProperty("java.security.krb5.realm", krb5Realm);
        }
        if (StringUtils.hasText(krb5Kdc)) {
            System.setProperty("java.security.krb5.kdc", krb5Kdc);
        }
    }
}

with the following properties in application.yml (the realm value is case-sensitive and must match the realm in the principal exactly)
app:
  kafka:
    security:
      krb5Realm: abc.def.NET
      krb5Kdc: abc.def.net
      authLoginConfig: ./src/main/resources/jaas.conf
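The four steps above pulled together in a plain Kafka client, as an added example that is not part of the original post. It expresses the same application.yml settings as client properties, supplies the KafkaClient JAAS entry from step 3 per client through the Kafka property sasl.jaas.config (so no JVM-wide java.security.auth.login.config file is needed), sets the krb5.conf property before the client is built, and refuses a keytab that other users on the host can read. The hostnames, realm, file paths, topic and the TRUSTSTORE_PASSWORD environment variable are placeholders assumed for the example, not values from the post.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;
import java.util.Set;

import org.apache.kafka.clients.CommonClientConfigs;
import org.apache.kafka.clients.producer.KafkaProducer;
import org.apache.kafka.clients.producer.ProducerConfig;
import org.apache.kafka.clients.producer.ProducerRecord;
import org.apache.kafka.clients.producer.RecordMetadata;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.serialization.StringSerializer;

// Added example, not code from the original post. Hosts, realm and paths are placeholders.
public class KerberosKafkaClient {

    /** The keytab is a credential: fail fast if it is missing or group/world readable (POSIX hosts). */
    static void checkKeytabPermissions(Path keytab) throws IOException {
        if (!Files.isRegularFile(keytab)) {
            throw new IOException("keytab not found: " + keytab);
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keytab);
        if (perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ)) {
            throw new IOException("keytab " + keytab + " is group/world readable; restrict it to the service user (chmod 600)");
        }
    }

    /** The KafkaClient entry from step 3 as a one-line sasl.jaas.config value; the trailing ';' is mandatory. */
    static String jaasConfig(Path keytab, String principal) {
        return "com.sun.security.auth.login.module.Krb5LoginModule required"
                + " useKeyTab=true storeKey=true"
                + " keyTab=\"" + keytab.toAbsolutePath() + "\""
                + " principal=\"" + principal + "\";";
    }

    /** Same settings as the spring.kafka block of step 2, as raw client properties. */
    static Properties clientProperties(String bootstrap, Path keytab, String principal,
                                       Path truststore, String truststorePassword) {
        Properties p = new Properties();
        p.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, bootstrap); // secured (SASL_SSL) listener port
        p.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_SSL");
        p.put(SaslConfigs.SASL_MECHANISM, "GSSAPI");
        p.put(SaslConfigs.SASL_KERBEROS_SERVICE_NAME, "kafka"); // primary of the broker principal kafka/<host>@REALM
        p.put(SaslConfigs.SASL_JAAS_CONFIG, jaasConfig(keytab, principal));
        // SASL_SSL also authenticates the broker to the client: its certificate must chain to this truststore.
        p.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, truststore.toString());
        p.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, truststorePassword);
        p.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, StringSerializer.class.getName());
        p.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, StringSerializer.class.getName());
        return p;
    }

    public static void main(String[] args) throws Exception {
        // Equivalent of -Djava.security.krb5.conf=...; must be set before the first Kafka client exists.
        System.setProperty("java.security.krb5.conf", "/etc/kafka-client/krb5.conf");

        Path keytab = Paths.get("/etc/kafka-client/app.keytab"); // deployed outside the jar
        checkKeytabPermissions(keytab);

        String truststorePassword = System.getenv("TRUSTSTORE_PASSWORD"); // assumed env var, kept out of the config file
        if (truststorePassword == null) {
            throw new IllegalStateException("TRUSTSTORE_PASSWORD is not set");
        }

        Properties props = clientProperties(
                "broker1.example.net:9093",
                keytab,
                "app/client.example.net@EXAMPLE.NET",
                Paths.get("/etc/kafka-client/truststore.jks"),
                truststorePassword);

        try (KafkaProducer<String, String> producer = new KafkaProducer<>(props)) {
            RecordMetadata md = producer.send(new ProducerRecord<>("test-topic", "key", "hello")).get();
            System.out.println("written to " + md.topic() + "-" + md.partition() + "@" + md.offset());
        }
    }
}
```

In a Spring Boot application the same keys (security.protocol, sasl.mechanism, sasl.kerberos.service.name, sasl.jaas.config, ssl.truststore.*) go under spring.kafka.properties, which avoids the bean-ordering problem of setting java.security.auth.login.config from a @PostConstruct method. If the login fails, the first thing to check is that the principal and realm in the JAAS entry match the keytab exactly (klist -kt <keytab> lists them) and that the broker's service name is really "kafka".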

