Kewitschka

Reputation: 1671

Bypass kafka authorization for port 9092 (plaintext)

I want to add authentication and authorization for my Confluent Kafka running with Docker. This should only happen on port 9093; 9092 should work as before because the port is blocked for external clients by iptables rules. Therefore I used the following config:

=> 9093 SASL_SSL
=> 9092 PLAINTEXT

Here is a part of my config:
Kafka container environment variables

  - KAFKA_ADVERTISED_LISTENERS=PLAINTEXT://my.host.ip:9092,SASL_SSL://my.host.ip:9093
  - KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND=false
  - KAFKA_SSL_CLIENT_AUTH=required
  - KAFKA_SECURITY_INTER_BROKER_PROTOCOL=SASL_SSL
  - KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAIN
  - KAFKA_SASL_ENABLED_MECHANISMS=PLAIN
  - KAFKA_AUTHORIZER_CLASS_NAME=kafka.security.authorizer.AclAuthorizer
  - KAFKA_SUPER_USERS="User:admin"
  - KAFKA_OPTS=-Djava.security.auth.login.config=/etc/kafka/secrets

Zookeeper container environment variables

  - ZOOKEEPER_SERVERS=0.0.0.0:2888:3888;my.host.ip:2888:3888
  - ZOOKEEPER_SERVER_ID=1
  - ZOOKEEPER_CLIENT_PORT=2181
  - ZOOKEEPER_STANDALONE_ENABLED=false
  - ZOOKEEPER_DATA_DIR=/kafka/data
  - ZOOKEEPER_AUTH_PROVIDER_SASL=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
  - KAFKA_OPTS=-Djava.security.auth.login.config=/etc/kafka/secrets/zookeeper_jaas.conf

As I only want to configure the authentication mechanism for the SASL_SSL listener, I use the following JAAS config as described here: https://docs.confluent.io/platform/current/kafka/authentication_sasl/index.html#recommended-broker-jaas-configuration.

kafka_jaas.config

KafkaServer {
    listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin"
    user_admin="admin"
};

Client {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin";
};

zookeeper_jaas.config

Server {
       org.apache.zookeeper.server.auth.DigestLoginModule required
       user_admin="admin";
};

When I run Kafka I get the following error:

[main-SendThread(s415vm2140.detss.corpintra.net:2181)] WARN org.apache.zookeeper.ClientCnxn - SASL configuration failed: javax.security.auth.login.LoginException: Zookeeper client cannot authenticate using the 'Client' section of the supplied JAAS configuration: '/etc/kafka/secrets/kafka_jaas.conf' because of a RuntimeException: java.lang.SecurityException: java.io.IOException: Configuration Error:
    Line 2: expected [controlFlag] Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.

How can I achieve that a client does not need to authenticate when connecting to port 9092?

Upvotes: 3

Views: 1895

Answers (1)

Ran Lupovich

Reputation: 1831

Read more here: https://docs.confluent.io/platform/current/security/zk-security.html

You set Zookeeper to work with Digest, but you set the client with Plain. In kafka_jaas:

KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin"
    user_admin="admin";
};

Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="admin"
    password="admin";
};

And in zookeeper_jaas:

Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="admin"
    password="admin"
    user_admin="admin";
};


P.S.

  1. listener.name.sasl_ssl.plain.sasl.jaas.config= in your KafkaServer is not correct
  2. You are missing ";"

Here you also have an example of configuration with Plain

Kafka SASL zookeeper authentication

Upvotes: 0
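The error in the question and the two points in the answer, as an added example (my own code, not from the question, the answer, Kafka or Confluent): a small JAAS parser in Python that reports the same two problems the answer names, plus a helper that renders the listener.name.<listener>.<mechanism>.sasl.jaas.config broker property that the documentation linked in the question describes, which is where that line belongs (in the broker properties, not in the JAAS file). The sample configs are copied from the thread; tokenize, parse_jaas, broker_jaas_property and check are names chosen here.

```python
import re
# Added illustration, not Kafka's or the JDK's own parser. JAAS grammar:
#   Name { ModuleClass ControlFlag [option="value"]* ; ... };
# It reproduces the two mistakes the answer points out: a broker property
# where a login module class belongs, and an entry with no closing ';'.
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
_TOKEN_RE = re.compile(r'(?P<ws>\s+|//[^\n]*)|(?P<str>"[^"\n]*")'
                       r'|(?P<punct>[{};=])|(?P<word>[^\s{};="]+)')

def tokenize(text):
    """Split JAAS text into (kind, value, line) tuples, dropping whitespace."""
    tokens, pos, line = [], 0, 1
    for m in _TOKEN_RE.finditer(text):
        if m.start() != pos:  # only an unterminated quote fails to match
            raise ValueError(f"Line {line}: unexpected character {text[pos]!r}")
        pos = m.end()
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group(), line))
        line += m.group().count("\n")
    if pos != len(text):
        raise ValueError(f"Line {line}: unexpected character {text[pos]!r}")
    return tokens

def parse_jaas(text):
    """Return {section: [(module_class, control_flag, {option: value})]}, or raise
    ValueError with a line number like the JDK's 'Line 2: expected [controlFlag]'."""
    toks, i = tokenize(text), 0
    def peek():
        return toks[i] if i < len(toks) else ("eof", "<end of file>", toks[-1][2] if toks else 1)

    def take(expected=None):
        nonlocal i
        kind, value, line = peek()
        if expected is not None and value != expected:
            raise ValueError(f"Line {line}: expected {expected!r}, got {value!r}")
        i += 1
        return kind, value, line

    sections = {}
    while peek()[0] != "eof":
        _, name, _ = take()            # section name, e.g. KafkaServer or Client
        take("{")
        entries = []
        while peek()[1] != "}":
            _, module, _ = take()      # login module class
            kind, flag, line = peek()
            if flag == "=":            # a broker property pasted into the JAAS file
                raise ValueError(f"Line {line}: expected [controlFlag] after {module!r}; "
                                 f"'{module}=...' is a broker property, not a JAAS entry")
            if flag not in CONTROL_FLAGS:
                raise ValueError(f"Line {line}: expected [controlFlag], got {flag!r}")
            take()
            options = {}
            while peek()[1] != ";":
                kind, key, line = peek()
                if kind != "word":     # reached '}' or end of file before the ';'
                    raise ValueError(f"Line {line}: expected ';' to end the {module} entry in {name}")
                take()
                take("=")
                options[key] = take()[1].strip('"')
            take(";")
            entries.append((module, flag, options))
        take("}")
        take(";")
        sections[name] = entries
    return sections

def broker_jaas_property(listener, mechanism, module, flag, options):
    """Render the per-listener broker property the linked docs recommend; this is
    where the listener.name... line belongs, not inside the JAAS file."""
    opts = " ".join(f'{k}="{v}"' for k, v in options.items())
    return (f"listener.name.{listener.lower()}.{mechanism.lower()}"
            f".sasl.jaas.config={module} {flag} {opts};")

def check(text):
    """Parse text and return the sections, or the error message as a string."""
    try:
        return parse_jaas(text)
    except ValueError as err:
        return str(err)

# Constructed samples copied from the thread: the asker's KafkaServer section
# (broker property on line 2, no ';' after the last option) and the answer's fix.
QUESTION_KAFKA_SERVER = """KafkaServer {
listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required
  username="admin"
  password="admin"
  user_admin="admin"
};
"""
ANSWER_KAFKA_JAAS = """KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="admin" password="admin" user_admin="admin";
};
Client {
  org.apache.zookeeper.server.auth.DigestLoginModule required
  username="admin" password="admin";
};
"""
```

Running check on the question's KafkaServer section returns the "Line 2: expected [controlFlag]" error quoted in the question; with the property prefix stripped it fails on the missing ';' instead, and the answer's configuration parses cleanly. Feeding the parsed KafkaServer entry to broker_jaas_property gives the single-line property value the linked documentation uses for the SASL_SSL listener. One caveat on the question's goal: the AclAuthorizer with KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND=false applies to every listener, not only SASL_SSL; a client on the PLAINTEXT listener is not authenticated and is authorized as User:ANONYMOUS, so it still needs ACLs granting that principal before port 9092 works as before.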
