Reputation: 183
I'm trying to set up a Kerberos identification between ZooKeeper and Kafka.
I have followed the configuration steps available here: https://docs.confluent.io/4.1.1/kafka/authentication_sasl_gssapi.html#sasl-gssapi-broker.
The kafka brokers successfully connect to the zookeeper ensemble and the brokers are setting ACLs on znodes.
In ZooKeeper, I can see the znodes /brokers/ids, but the ACLs are set like this:
'world,'anyone
: r
'sasl,'kafka/[email protected]
: cdrwa
The first broker creates the znode, puts its ACL on it and makes it unmodifiable for all the other nodes that want to add their ids.
The docs say that we should use the same principal for all the brokers, but the example in the documentation does not match this recommendation:
// ZooKeeper client authentication
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/security/keytabs/kafka_server.keytab"
principal="kafka/[email protected]";
};
Should I create a principal like [email protected] and use it in the Client section of my JAAS file on each broker? If yes, can I share the keytab for this user on each broker?
Thanks for the help.
Upvotes: 1
Views: 2545
Reputation: 2313
You can drop the host from the principal and use the same one for all brokers, you can set ACLs manually (not ideal), or you can add these to your ZooKeeper configuration as well:
kerberos.removeHostFromPrincipal = true
kerberos.removeRealmFromPrincipal = true
Any of those three options should help here.
Upvotes: 2
Reputation: 68
The properties kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal were not working for me. After going through the source code of ZooKeeper version 3.4.14, I passed the above properties as JVM arguments such as
-Dzookeeper.kerberos.removeHostFromPrincipal=true
-Dzookeeper.kerberos.removeRealmFromPrincipal=true
Also, in my case, as it was a case of cross-realm ticket authentication, I added the auth rules like:
-Dzookeeper.security.auth_to_local=RULE:[2:$1](.*)
Have a look at the class https://github.com/apache/zookeeper/blob/release-3.4.14/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java
Now my topic ACLs look like this:
getAcl /kafka-cluster/config/topics/test20
'world,'anyone
: r
'sasl,'zookeeper
: cdrwa
Upvotes: 0
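To make the two answers above concrete, here is an added example (not code from the question, the answers or the ZooKeeper project): a simplified Python model of how ZooKeeper 3.4.x's SaslServerCallbackHandler turns a broker's Kerberos principal into the identity stored in a 'sasl' ACL, covering the removeHostFromPrincipal/removeRealmFromPrincipal flags and a Hadoop-style auth_to_local rule such as RULE:[2:$1](.*). The DEFAULT rule handling, the default realm EXAMPLE.COM and the broker principals are assumptions constructed for the example.

```python
import re

# Added example, not ZooKeeper's code: model of KerberosName (auth_to_local) plus
# SaslServerCallbackHandler re-appending host/realm unless the remove* flags are set.
PRINCIPAL_RE = re.compile(r"^([^/@]+)(?:/([^@]+))?(?:@(.+))?$")
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]+)\](?:\((.*)\))?(?:s/([^/]*)/([^/]*)/)?$")

def parse_principal(principal):
    """Split 'primary/host@REALM' into (primary, host, realm); host and realm may be None."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError("malformed principal: " + principal)
    return m.groups()

def short_name(principal, rules=("DEFAULT",), default_realm="EXAMPLE.COM"):
    """auth_to_local: first matching rule wins; DEFAULT (assumed) maps local-realm principals to their primary."""
    primary, host, realm = parse_principal(principal)
    components = [primary] + ([host] if host else [])
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm:
                return primary
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unsupported rule: " + rule)
        n, fmt, regex, pat, repl = m.groups()
        if int(n) != len(components):  # [n:...] only applies to n-component names
            continue
        candidate = fmt.replace("$0", realm or "")  # $0 is the realm, $1.. the components
        for i, comp in enumerate(components, 1):
            candidate = candidate.replace("$%d" % i, comp)
        if regex is not None and not re.fullmatch(regex, candidate):
            continue
        return re.sub(pat, repl, candidate) if pat else candidate
    raise ValueError("no auth_to_local rule matched " + principal)

def zookeeper_acl_id(principal, remove_host=False, remove_realm=False, rules=("DEFAULT",), default_realm="EXAMPLE.COM"):
    """Identity ZooKeeper would store in a 'sasl' ACL for this authenticated principal."""
    _, host, realm = parse_principal(principal)
    ident = short_name(principal, rules, default_realm)
    if host and not remove_host:      # -Dzookeeper.kerberos.removeHostFromPrincipal=true drops this
        ident += "/" + host
    if realm and not remove_realm:    # -Dzookeeper.kerberos.removeRealmFromPrincipal=true drops this
        ident += "@" + realm
    return ident

# Demo on constructed principals: default settings give one id per broker, both flags collapse it.
print(zookeeper_acl_id("kafka/broker1.example.com@EXAMPLE.COM"))              # kafka/broker1.example.com@EXAMPLE.COM
print(zookeeper_acl_id("kafka/broker1.example.com@EXAMPLE.COM", True, True))  # kafka
```

With the defaults, every broker's znode ACL names its own host-specific principal, which is why the first broker's cdrwa entry locks the others out; with both flags set (or a cross-realm rule like RULE:[2:$1](.*) plus the flags) all brokers resolve to the same identity.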