Hi Martin, I suggest reading http://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption for an end-to-end example of how to secure Kafka.
Ismael

On Fri, Mar 4, 2016 at 12:38 PM, Martin Gainty <mgai...@hotmail.com> wrote:
> Although authors suggest using existing Cloud security products such as
> Sentry (Cloudera) or Argus (Hortonworks) once Zookeeper adopted SASL
> integration .. kafka folk agreed SASL would be the best way to implement
> securing the following Kafka features:
>
> Authentication via SSL & Kerberos through SASL
> Auditing
> Authorization through Unix-like users, permissions and ACLs
> Encryption over the wire (optional)
> It should be easy to enforce the use of security at a given site
> https://cwiki.apache.org/confluence/display/KAFKA/Security
>
> Unfortunately kafka-sasl authors suggested implementing SSO via PKCS7 is
> currently out-of-scope for pre 1.0 release
>
> Imagine working at a Global Bank where you need to sign on to 2+ different
> security realms to complete a transaction
> this may be too arduous for people in the real world who have been using
> one single-sign-on for years
>
> Unfortunately KAFKA-SASL-INTEGRATION project is still at 0.9 so current
> implementation is very beta (not at 1.0)
> https://cwiki.apache.org/confluence/display/KAFKA/Index
>
> CONCLUSION: If your client does not have Cloudera(Sentry) or
> Hortonworks(Argus) and desires the security features of
> SSLAuthentication/KerberosAuthentication, Auditing, Unix-Authorization,
> Wire-Encryption then KAFKA-SASL-Integration is the only suggested option
>
> anyone have a suggestion how to secure kafka?
>
> Martin
> ______________________________________________
>
> > Date: Fri, 4 Mar 2016 12:10:19 +0530
> > Subject: Fwd: Kafka Security
> > From: sudeepshekh...@gmail.com
> > To: users@kafka.apache.org
> >
> > Hi,
> >
> > I am exploring on the Security capabilities of Kafka 0.9.1 but unable to
> > use it successfully.
> >
> > I have set below configuration in my server.properties
> >
> > *allow.everyone.if.no.acl.found=false*
> > *super.users=User:root;User:kafka*
> >
> > I created an ACL using below command
> >
> > *./kafka-acls.sh --authorizer-properties zookeeper.connect=<zk_host:port>
> > --add --allow-principal User:imit --allow-host <allowed_host> --topic imit
> > --producer --consumer --group imit-consumer-group*
> >
> > and I see below response for it
> >
> > *Current ACLs for resource `Topic:imit`:*
> > * User:imit has Allow permission for operations: Describe from
> > hosts: <allowed_host>*
> > * User:imit has Allow permission for operations: Read from hosts:
> > <allowed_host>*
> > * User:imit has Allow permission for operations: Write from hosts:
> > <allowed_host>*
> >
> > *Note:* Values mentioned in <> are replaced with some dummy values in the
> > question and used correctly while creating the ACL
> >
> > I have following observations:
> >
> > a) Though I define the rule for imit topic to access for a particular user
> > from a given host yet I can write to the topic from any host using any user
> > account.
> >
> > b) I am unable to read the messages from topic from any host or any user
> > account (even using the one for which I have defined the rules).
> >
> > I am running Kafka on RHEL 6.7 and all the users are local.
> >
> > Appreciate if someone can guide if I am missing any configuration
> > parameters or commands to manage authorization or if Kafka is behaving in a
> > weird way.
> >
> > Also where can I get authorization related logs in Kafka?
> >
> >
> > Thanks & Regards,
> >
> > Sudeep
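A broker-config and ACL-listing sanity check for the setup Sudeep describes, added here as an example and not part of the thread: it parses the `kafka-acls.sh` listing format quoted above plus a constructed `server.properties`, and reports anything that would make the observed "anyone can write" result unsurprising. The key `authorizer.class.name` (the Kafka 0.9 setting that switches ACL enforcement on) and the host `10.0.0.5` are assumptions of the example, not values from the thread.

```python
import re
# Constructed server.properties: the two marked keys are from the thread;
# authorizer.class.name (Kafka 0.9, enables ACL checks) is assumed here.
SERVER_PROPERTIES = """\
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:root;User:kafka
"""
# kafka-acls.sh listing as quoted in the thread, with a constructed host.
ACL_LISTING = """\
Current ACLs for resource `Topic:imit`:
 User:imit has Allow permission for operations: Describe from hosts: 10.0.0.5
 User:imit has Allow permission for operations: Read from hosts: 10.0.0.5
 User:imit has Allow permission for operations: Write from hosts: 10.0.0.5
"""
ACL_LINE = re.compile(r"^\s*(?P<principal>User:\S+) has (?P<perm>Allow|Deny) permission "
                      r"for operations: (?P<op>\w+) from hosts: (?P<hosts>.+?)\s*$")
def parse_properties(text):
    # key=value lines only; comments and blank lines are skipped
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def parse_acls(text):
    # (principal, operation, Allow|Deny) -> set of hosts, from --list output
    acls = {}
    for line in text.splitlines():
        m = ACL_LINE.match(line)
        if m:
            hosts = {h.strip() for h in m.group("hosts").split(",")}
            key = (m.group("principal"), m.group("op"), m.group("perm"))
            acls.setdefault(key, set()).update(hosts)
    return acls

def audit(props, acls, principal, host, required_ops):
    """Return findings; an empty list means config and ACLs match the intent."""
    findings = []
    if not props.get("authorizer.class.name"):
        findings.append("authorizer.class.name unset: broker enforces no ACLs")
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: unlisted resources are open")
    if principal in {s for s in props.get("super.users", "").split(";") if s}:
        findings.append(f"{principal} is a super user, so ACLs never apply to it")
    for op in required_ops:
        hosts = acls.get((principal, op, "Allow"), set())
        if host not in hosts and "*" not in hosts:
            findings.append(f"no Allow {op} for {principal} from host {host}")
    return findings
```

Run `audit(parse_properties(SERVER_PROPERTIES), parse_acls(ACL_LISTING), "User:imit", "10.0.0.5", ["Describe", "Read", "Write"])` against the real files and listing before testing clients; a test run as one of the `super.users` principals will always succeed regardless of ACLs.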