Simon Su

Reputation: 2343

Kafka kerberos configuration issues

In the Kafka documentation, it says that the principal is kafka/[email protected], so sasl.kerberos.service.name should be kafka, but I'm very confused: the Kafka broker configuration says that sasl.kerberos.service.name represents

"The Kerberos principal name that Kafka runs as. This can be defined either in Kafka's JAAS config or in Kafka's config."

Why do we need to set this configuration, sasl.kerberos.service.name, and how does it work? Why is the Kerberos principal name that Kafka runs as "kafka" and not "kafka/[email protected]"?

Upvotes: 3

Views: 12111

Answers (5)

jido

Reputation: 1

Using wurstmeister/kafka-docker, it looks like server.properties cannot be edited directly. Instead I defined the following environment property in docker-compose.yml:

KAFKA_SASL_KERBEROS_SERVICE_NAME: kafka

Upvotes: 0

Satyajit Das

Reputation: 76

Why is the Kerberos principal name that Kafka runs as "kafka" and not "kafka/[email protected]"?

"kafka/[email protected]" actually refers to a Service Principal Name (SPN). An SPN is a unique identifier of a service instance in the KDC. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.

So the service name here is "kafka" and the Service Principal Name is "kafka/[email protected]". kafka is the service account under which Kafka is running.

Why do we need to set this configuration, sasl.kerberos.service.name, and how does it work?

As I answered above, since you have set up your Kafka brokers' authentication with Kerberos, a client application can request that the service authenticate an account even if the client does not have the account name.

But clients (producers, consumers, Connect workers, etc.) will authenticate to the cluster with their own principal (usually with the same name as the user running the client), so obtain or create these principals as needed. Then create a JAAS file for each principal. The KafkaClient section describes how clients like the producer and consumer can connect to the Kafka broker.

You need to have a JAAS file where you are running your client, with the information below.

If you use the kinit command first, use this configuration:

KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/security/keytabs/kafka_client.keytab"
    principal="[email protected]";
};

If you use keytab, use this configuration:

KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/kafka_server.keytab"
    principal="kafka/[email protected]";
};

So once a client (producer, consumer, any Java code) authenticates against the broker with its own principal, it will authenticate by requesting the service "kafka" mentioned in the property sasl.kerberos.service.name.

Here's more information about SASL configurations.

Upvotes: 3

Ajay

Reputation: 272

Use:

KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    useTicketCache=false
    keyTab="kafka.keytab"
    principal="kafka/[email protected]";
};
// ZooKeeper client authentication
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    useTicketCache=false
    keyTab="kafka.keytab"
    principal="kafka/[email protected]";
};

This JAAS file is for the Kafka server and for Kafka to connect to a kerberized ZooKeeper, and you can set these 3 properties in Kafka's server.properties:

security.protocol: SASL_PLAINTEXT
sasl.mechanism: GSSAPI
sasl.kerberos.service.name: kafka

Upvotes: 0

gopa

Reputation: 1

kafka is nothing but the principal name that the Kafka service runs as. You should add a "kafka" principal in the KDC server also.

If you are using Cloudera, it will automatically add this entry in the KDC server. You can check this configuration in /var/run/cloudera-scm-agent/process/<>

The same principal will be in the JAAS configuration file also: principal="kafka/hostname@Realm Name";

Upvotes: 0

olivierg

Reputation: 792

I don't know what Kafka is, but the Kerberos principal is "kafka/hostname", not "kafka" alone.

In your Kerberos database, you can have many different principals, such as

kafka kafka/hostname kafka/admin kafka/whatyouwant

Each of these is called a principal (including the /something part).

Upvotes: 0
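As an added illustration of the principal layout discussed in the answers above (this is not code from the question or from any answer): a small Python check that splits a Kerberos principal into primary/instance@REALM, derives the sasl.kerberos.service.name a client needs from the broker's principal, shows which service ticket the GSSAPI client will ask for, and flags a client that set the full SPN instead of just "kafka". The host broker1.example.com and realm EXAMPLE.COM are constructed sample values, and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A Kerberos principal is primary[/instance]@REALM. For a service like Kafka the
# primary is the service name ("kafka") and the instance is the broker's host.
_PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^/@]+)$")

@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str

def parse_principal(text: str) -> Principal:
    """Split e.g. 'kafka/broker1.example.com@EXAMPLE.COM' into its parts."""
    m = _PRINCIPAL_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid Kerberos principal: {text!r}")
    return Principal(m["primary"], m["instance"], m["realm"])

def service_name_for(broker_principal: str) -> str:
    """What a client must set as sasl.kerberos.service.name: only the primary."""
    p = parse_principal(broker_principal)
    if p.instance is None:
        raise ValueError("a Kafka service principal needs a host instance: kafka/<fqdn>@REALM")
    return p.primary

def expected_service_principal(service_name: str, broker_host: str, realm: str) -> str:
    """Service ticket the GSSAPI client requests for broker_host: the configured
    service name joined with the host it connects to; the KDC must hold that SPN."""
    return f"{service_name}/{broker_host}@{realm}"

def check_client_config(client_props: Dict[str, str], broker_principal: str) -> List[str]:
    """Compare a client's SASL settings with the broker's principal; [] means consistent."""
    problems: List[str] = []
    want = service_name_for(broker_principal)
    got = client_props.get("sasl.kerberos.service.name")
    if got is None:
        problems.append("sasl.kerberos.service.name is not set")
    elif "/" in got or "@" in got:
        problems.append(f"sasl.kerberos.service.name={got!r} is a full principal; use only {want!r}")
    elif got != want:
        problems.append(f"sasl.kerberos.service.name={got!r} does not match broker primary {want!r}")
    if client_props.get("sasl.mechanism") != "GSSAPI":
        problems.append("sasl.mechanism must be GSSAPI for Kerberos")
    return problems
```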
