Although authors suggest using existing cloud security products such as Sentry (Cloudera) or Argus (Hortonworks), once Zookeeper adopted SASL integration the Kafka folk agreed SASL would be the best way to implement securing the following Kafka features:
- Authentication via SSL & Kerberos through SASL
- Auditing
- Authorization through Unix-like users, permissions and ACLs
- Encryption over the wire (optional)
- It should be easy to enforce the use of security at a given site

https://cwiki.apache.org/confluence/display/KAFKA/Security

Unfortunately the kafka-sasl authors suggested that implementing SSO via PKCS7 is currently out of scope for the pre-1.0 release. Imagine working at a global bank where you need to sign on to 2+ different security realms to complete a transaction; this may be too arduous for people in the real world who have been using a single sign-on for years. Unfortunately the KAFKA-SASL-INTEGRATION project is still at 0.9, so the current implementation is very beta (not at 1.0).

https://cwiki.apache.org/confluence/display/KAFKA/Index

CONCLUSION: If your client does not have Cloudera (Sentry) or Hortonworks (Argus) and desires the security features of SSL authentication / Kerberos authentication, auditing, Unix authorization and wire encryption, then KAFKA-SASL-Integration is the only suggested option.

Anyone have a suggestion how to secure Kafka?

Martin
______________________________________________
> Date: Fri, 4 Mar 2016 12:10:19 +0530
> Subject: Fwd: Kafka Security
> From: sudeepshekh...@gmail.com
> To: users@kafka.apache.org
>
> Hi,
>
> I am exploring the security capabilities of Kafka 0.9.1 but am unable to
> use them successfully.
>
> I have set the below configuration in my server.properties
>
> *allow.everyone.if.no.acl.found=false*
> *super.users=User:root;User:kafka*
>
> I created an ACL using the below command
>
> *./kafka-acls.sh --authorizer-properties zookeeper.connect=<zk_host:port>
> --add --allow-principal User:imit --allow-host <allowed_host> --topic imit
> --producer --consumer --group imit-consumer-group*
>
> and I see the below response for it
>
> *Current ACLs for resource `Topic:imit`:*
> * User:imit has Allow permission for operations: Describe from
> hosts: <allowed_host>*
> * User:imit has Allow permission for operations: Read from hosts:
> <allowed_host>*
> * User:imit has Allow permission for operations: Write from hosts:
> <allowed_host>*
>
> *Note:* Values mentioned in <> are replaced with dummy values in the
> question and used correctly while creating the ACL.
>
> I have the following observations:
>
> a) Though I define the rule for the imit topic to allow access for a
> particular user from a given host, I can still write to the topic from any
> host using any user account.
>
> b) I am unable to read messages from the topic from any host or any user
> account (even using the one for which I have defined the rules).
>
> I am running Kafka on RHEL 6.7 and all the users are local.
>
> I would appreciate it if someone could guide me on whether I am missing
> any configuration parameters or commands to manage authorization, or if
> Kafka is behaving in a weird way.
>
> Also, where can I get authorization-related logs in Kafka?
>
>
> Thanks & Regards,
>
> Sudeep
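The ACL rules Sudeep's command produces can be reasoned about without a cluster. The block below is an added illustration for this thread, not code from the thread or from Kafka: it is a toy model of the decision rules of Kafka's SimpleAclAuthorizer (principals in super.users bypass checks; a resource with no ACLs falls back to allow.everyone.if.no.acl.found; a matching Deny beats any Allow; "*" is the host wildcard and User:* the principal wildcard; an Allow for Read or Write also satisfies Describe). The host addresses, the extra topic name and the ANONYMOUS scenario are constructed for the example, and the model is a simplification rather than the broker's code. Two checks it makes concrete: the rules only apply once the broker actually loads an authorizer (authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer in server.properties), and on a PLAINTEXT listener every client is the principal User:ANONYMOUS, so an ACL for User:imit never matches it. The authorizer's decisions go to the kafka.authorizer.logger logger, which the stock log4j.properties routes to kafka-authorizer.log.

```python
"""Toy model of the decision rules of Kafka's SimpleAclAuthorizer.

Added illustration, not Kafka's own code. It models the documented rules
(super.users, allow.everyone.if.no.acl.found, Deny beats Allow, '*' wildcards,
Describe implied by Read/Write) so the ACLs from the post can be reasoned
about offline. Host addresses and the extra names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Resource = Tuple[str, str]  # (type, name), e.g. ("Topic", "imit")


@dataclass(frozen=True)
class Acl:
    principal: str   # "User:imit" or the wildcard "User:*"
    host: str        # client address or the wildcard "*"
    operation: str   # Read, Write, Describe, ... or "All"
    permission: str  # "Allow" or "Deny"

    def matches(self, principal: str, host: str, operation: str) -> bool:
        return (self.principal in (principal, "User:*")
                and self.host in (host, "*")
                and self.operation in (operation, "All"))


@dataclass
class Authorizer:
    allow_everyone_if_no_acl_found: bool
    super_users: Set[str]
    acls: Dict[Resource, Set[Acl]] = field(default_factory=dict)

    def add(self, resource: Resource, *acls: Acl) -> None:
        self.acls.setdefault(resource, set()).update(acls)

    def authorize(self, principal: str, host: str, operation: str, resource: Resource) -> bool:
        if principal in self.super_users:             # super users bypass everything
            return True
        acls = self.acls.get(resource, set())
        if not acls:                                   # resource has no ACLs at all
            return self.allow_everyone_if_no_acl_found
        if any(a.permission == "Deny" and a.matches(principal, host, operation) for a in acls):
            return False                               # an explicit Deny always wins
        # An Allow for Read or Write also satisfies a Describe request.
        allow_ops = {"Describe", "Read", "Write"} if operation == "Describe" else {operation}
        return any(a.permission == "Allow" and a.matches(principal, host, op)
                   for a in acls for op in allow_ops)


def producer_acls(principal: str, host: str) -> Set[Acl]:
    """Topic ACLs that `kafka-acls.sh --producer` adds: Write and Describe."""
    return {Acl(principal, host, op, "Allow") for op in ("Write", "Describe")}


def consumer_topic_acls(principal: str, host: str) -> Set[Acl]:
    """Topic ACLs that `--consumer` adds: Read and Describe."""
    return {Acl(principal, host, op, "Allow") for op in ("Read", "Describe")}


def consumer_group_acls(principal: str, host: str) -> Set[Acl]:
    """Group ACL that `--consumer --group` adds: Read on the consumer group."""
    return {Acl(principal, host, "Read", "Allow")}


ALLOWED_HOST = "10.0.0.5"   # constructed stand-in for <allowed_host>
OTHER_HOST = "10.0.0.99"    # constructed: a host the ACL does not name
TOPIC: Resource = ("Topic", "imit")
GROUP: Resource = ("Group", "imit-consumer-group")


def build_from_post() -> Authorizer:
    """The server.properties settings and kafka-acls.sh call from the post, as data."""
    az = Authorizer(allow_everyone_if_no_acl_found=False,
                    super_users={"User:root", "User:kafka"})
    az.add(TOPIC, *producer_acls("User:imit", ALLOWED_HOST),
                  *consumer_topic_acls("User:imit", ALLOWED_HOST))
    az.add(GROUP, *consumer_group_acls("User:imit", ALLOWED_HOST))
    return az


def scenario_decisions() -> Dict[str, bool]:
    """Requests worth checking once the broker really loads the authorizer."""
    az = build_from_post()
    return {
        "imit writes from allowed host": az.authorize("User:imit", ALLOWED_HOST, "Write", TOPIC),
        "imit reads from allowed host": az.authorize("User:imit", ALLOWED_HOST, "Read", TOPIC),
        "imit joins its consumer group": az.authorize("User:imit", ALLOWED_HOST, "Read", GROUP),
        "imit describes (implied by Read)": az.authorize("User:imit", ALLOWED_HOST, "Describe", TOPIC),
        "imit writes from another host": az.authorize("User:imit", OTHER_HOST, "Write", TOPIC),
        "ANONYMOUS (PLAINTEXT client) writes": az.authorize("User:ANONYMOUS", ALLOWED_HOST, "Write", TOPIC),
        "super user root writes from anywhere": az.authorize("User:root", OTHER_HOST, "Write", TOPIC),
        "imit writes to a topic with no ACLs": az.authorize("User:imit", ALLOWED_HOST, "Write", ("Topic", "other")),
    }


def deny_beats_allow() -> bool:
    """A Deny Write for the same principal/host overrides the existing Allow."""
    az = build_from_post()
    az.add(TOPIC, Acl("User:imit", ALLOWED_HOST, "Write", "Deny"))
    return az.authorize("User:imit", ALLOWED_HOST, "Write", TOPIC)


if __name__ == "__main__":
    for name, ok in scenario_decisions().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}")
    print("Deny overrides Allow:", not deny_beats_allow())
```

Run as-is it prints one decision per scenario. The two scenarios that matter for observation (a) are the "another host" and "ANONYMOUS" rows: with allow.everyone.if.no.acl.found=false and the authorizer loaded, neither is allowed to write, so a write that does succeed from an arbitrary host is a sign to confirm which principal the client actually arrived as and that the authorizer is in fact configured. For observation (b), the group row shows that a consumer needs Read on its group as well as on the topic.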