Hello Kafka,

I am Mohammed Amine GARMES from AMADEUS SAS. First of all, I want to thank you for your solution; it is very helpful. This is my first message to the Kafka team. I have an issue with Kafka security:
I have 2 Kafka servers configured to start with Kafka security. I try to start the Kafka servers with the JAAS files below.

Server 1:

    KafkaServer {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="/opt/kafka/config/kafka.keytab"
        principal="kafka/kafka1.test....@test.net";
    };

    // ZooKeeper client authentication
    Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="/opt/kafka/config/kafka.keytab"
        principal="kafka/kafka1.test....@test.net";
    };

Server 2:

    KafkaServer {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="/opt/kafka/config/kafka.keytab"
        principal="kafka/kafka2.test....@test.net";
    };

    // ZooKeeper client authentication
    Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="/opt/kafka/config/kafka.keytab"
        principal="kafka/kafka2.test....@test.net";
    };

The problem: when I start Kafka server 1, all is fine, but when I try to start the second server I have an issue because it does not have access to the ZooKeeper node (/brokers) for Kafka. The whole ZooKeeper path /brokers is blocked by the first server, so the second server does not have the right to write to this path. The ACL of /brokers is the FQDN of the first server; normally it should be open for all, with the ACL closed on the path /brokers/ids/1. In that case the second server could write in /brokers and close /brokers/ids/2 for itself.
I found a solution, but I am not sure that it is the right solution: I created a new kafka-kerberos user, so all servers use the same user.

Server 1:

    KafkaServer {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="/opt/kafka/config/kafka.keytab"
        principal="kafka/kafka1.test....@test.net";
    };

    // ZooKeeper client authentication
    Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="/opt/kafka/config/kafkaZk.keytab"
        principal="kafka/kafkazk.test....@test.net";
    };

Server 2:

    KafkaServer {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="/opt/kafka/config/kafka.keytab"
        principal="kafka/kafka2.test....@test.net";
    };

    // ZooKeeper client authentication
    Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        keyTab="/opt/kafka/config/kafkaZk.keytab"
        principal="kafka/kafkazk.test....@test.net";
    };

Can you help me, or clarify how I can use Kafka security correctly?

Best Regards
Mohammed Amine GARMES
Software Developer
AKKA, Contracting company
R&D-AQG-DUI-DMG-LBX
T: + 33 (0)7 82 97 81 76
mohammed-amine.gar...@amadeus.com
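The ACL behaviour described in the message, as an added example that is not part of the original post: a simplified Python model of how ZooKeeper turns a Kerberos principal into a SASL identity and compares it, by exact string match, with the ACL the first broker left on /brokers. The hostnames and realm are constructed placeholders, the creator-only write ACL is an assumption taken from what the post reports, and `remove_host` / `remove_realm` stand for the ZooKeeper server settings `kerberos.removeHostFromPrincipal` and `kerberos.removeRealmFromPrincipal`.

```python
# Added illustration, not code from Kafka or ZooKeeper.

def parse_principal(principal):
    """Split 'primary/host@REALM' into parts (host and realm may be None)."""
    name, _, realm = principal.partition("@")
    primary, _, host = name.partition("/")
    return primary, host or None, realm or None

def zk_identity(principal, remove_host=False, remove_realm=False):
    """Identity string ZooKeeper stores in, and compares with, 'sasl' ACLs."""
    primary, host, realm = parse_principal(principal)
    ident = primary
    if host and not remove_host:
        ident += "/" + host
    if realm and not remove_realm:
        ident += "@" + realm
    return ident

def can_write(acl, identity):
    """The sasl scheme matches by exact string equality on the identity."""
    return any(scheme == "sasl" and ident == identity and "w" in perms
               for scheme, ident, perms in acl)

def start_cluster(client_principals, **zk_opts):
    """First broker creates /brokers; return write access per broker."""
    ids = [zk_identity(p, **zk_opts) for p in client_principals]
    # Assumption: the creating broker's identity is the only writer.
    brokers_acl = [("sasl", ids[0], "cdrwa"), ("world", "anyone", "r")]
    return [can_write(brokers_acl, i) for i in ids]

# Constructed principals: one per broker, as in the first pair of JAAS files.
PER_HOST = ["kafka/kafka1.example.test@EXAMPLE.TEST",
            "kafka/kafka2.example.test@EXAMPLE.TEST"]
# Constructed shared ZooKeeper client principal, as in the workaround.
SHARED = ["kafka/kafkazk.example.test@EXAMPLE.TEST"] * 2

if __name__ == "__main__":
    print("per-host principals:      ", start_cluster(PER_HOST))
    print("shared client principal:  ", start_cluster(SHARED))
    print("per-host, host+realm cut: ",
          start_cluster(PER_HOST, remove_host=True, remove_realm=True))
```

With per-host principals only the first broker can write; with a shared client principal, or with host and realm stripped on the ZooKeeper side, both brokers map to the same identity and both can write.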