Yes, I have read through the documentation and I am attempting SASL authentication with Kerberos. I don't blame anyone for assuming I hadn't :)
I have my keytab generated and I am launching my client with a JAAS configuration accordingly. The missing piece for me was I was attempting to use GSS-API to perform that authentication and not the javax.security.sasl packages as per the way it's performed in org.apache.kafka.common.security.authenticator.SaslClientAuthenticator. I'm ripping out my GSS-API code and replacing it with an implementation similar to Kafka's.

Like I said, I only started playing around with the security stuff yesterday so I have a lot to learn. Thanks for your patience.

________________________________________
From: Flavio Junqueira [f...@apache.org]
Sent: Thursday, December 10, 2015 12:38 PM
To: dev@kafka.apache.org
Subject: Re: Interacting with a secured Kafka cluster via GSS-API

Hi Dave,

I apologize for the obvious question, but have you had a look at the documentation:

http://kafka.apache.org/documentation.html#security

It is possible that you're not aware that it is there, so I'm just confirming. But, if you did have a look and the content didn't work for you, let us know why so that we can fix it.

Thanks,
-Flavio

> On 10 Dec 2015, at 17:24, Dave Ariens <dari...@blackberry.com> wrote:
>
> Absolutely, currently I'm hoping to get authentication working and then ultimately work towards encryption. We're also testing performance of more out-of-the-box Kafka components but I fear our message volume will require us to maintain our custom producers and consumers.
>
> ________________________________________
> From: Andrew Schofield [andrew_schofi...@uk.ibm.com]
> Sent: Thursday, December 10, 2015 10:52 AM
> To: dev@kafka.apache.org
> Subject: RE: Interacting with a secured Kafka cluster via GSS-API
>
> Wouldn't you use TLS to secure the connections? Encrypting just the credentials but not the connection seems brave.
>
> Andrew
>
> From: Dave Ariens <dari...@blackberry.com>
> To: "dev@kafka.apache.org" <dev@kafka.apache.org>
> Date: 10/12/2015 15:43
> Subject: RE: Interacting with a secured Kafka cluster via GSS-API
>
> >> Is there a reason why you are using GSS-API directly instead of via SASL?
>
> There sure is--because I have no clue what I'm doing :)
>
> Our Kafka 0.9.0 cluster is currently only configured for SASL_PLAINTEXT so we're not encrypting anything at the moment. I'll take a look through SaslClientAuthenticator and try and come back with either confirmation that everything is working as expected (hopefully) or at least more intelligent questions...
>
> Thanks!
>
> ________________________________________
> From: isma...@gmail.com [isma...@gmail.com] on behalf of Ismael Juma [ism...@juma.me.uk]
> Sent: Thursday, December 10, 2015 10:36 AM
> To: dev@kafka.apache.org
> Subject: Re: Interacting with a secured Kafka cluster via GSS-API
>
> Hi Dave,
>
> Is there a reason why you are using GSS-API directly instead of via SASL? It should still work, but if you do the latter, you can potentially reuse the existing code (or at least use it as inspiration), see `org.apache.kafka.common.security.authenticator.SaslClientAuthenticator`.
>
> Also, please keep in mind that we are only using SASL for authentication and that to encrypt the communication, you have to use SASL_SSL (i.e. we don't support the SASL confidentiality QOP, for example).
>
> I hope this helps.
>
> Ismael
>
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU