
Status

Current state: "Under Discussion"

...

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

The goal is to add Kerberos capability to Kafka brokers: a Kafka broker starts with a valid
Kerberos ticket and accepts SASL connections only from clients that present a valid Kerberos ticket.

Public Interfaces

  • SaslSocketChannel: similar to the work done for SSL in https://issues.apache.org/jira/browse/KAFKA-1684 .
    SaslSocketChannel will initiate a SASL authentication exchange between KafkaBroker and KafkaClient (consumer, producer).
  • User: This class will be used to get the remoteUserId and add it to the Session object (https://issues.apache.org/jira/browse/KAFKA-1683).
  • KafkaPrincipalToLocalPlugin: This is a pluggable class with a default implementation that translates a Kerberos principal such as "testuser/node1.test.com@EXAMPLE.COM" to "testuser" (the primary component, with the instance and realm dropped). Users can provide their own customized PrincipalToLocalPlugin.
  • AuthUtils: This class will consist of any utilities needed for SASL and other auth-related methods.
  • KerberosTicketManager: This class will take care of renewing the KafkaBroker's Kerberos ticket. It will periodically check the current ticket's lifetime and renew-until time and renew the ticket before it expires.
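Illustrative versions of two of the helpers listed above, added here as an example and not taken from Kafka: the default principal-to-local mapping (primary[/instance]@REALM to primary) and the renewal decision a KerberosTicketManager has to make for the broker's TGT. The class and method names, the realm check, and the 80% renewal point are assumptions; the JDK calls (KerberosTicket, LoginContext) are standard.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.RefreshFailedException;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not Kafka code): a default principal-to-local mapping and the
 * renew-or-relogin decision for a Kerberos TGT held in a logged-in Subject.
 */
public final class KerberosAuthHelpers {

    // primary, optional "/instance", optional "@REALM"; the separators may not appear inside a component
    private static final Pattern PRINCIPAL = Pattern.compile("^([^/@]+)(?:/([^/@]+))?(?:@([^/@]+))?$");

    /** Default mapping: "testuser/node1.test.com@EXAMPLE.COM" -> "testuser". Realm is enforced when given. */
    public static String principalToLocal(String principal, String expectedRealm) {
        Matcher m = PRINCIPAL.matcher(principal == null ? "" : principal.trim());
        if (!m.matches()) throw new IllegalArgumentException("malformed Kerberos principal: " + principal);
        String realm = m.group(3);
        // The realm is what ties the name to a trusted KDC. With cross-realm trust in place,
        // silently dropping it would let "admin@OTHER.REALM" map onto the local "admin".
        if (expectedRealm != null && !expectedRealm.equals(realm)) {
            throw new IllegalArgumentException(principal + " is not in realm " + expectedRealm);
        }
        return m.group(1);
    }

    /** The TGT is the ticket whose server is krbtgt/REALM@REALM; null if the Subject holds none. */
    public static KerberosTicket findTgt(Subject subject) {
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        for (KerberosTicket t : tickets) {
            if (t.getServer().getName().startsWith("krbtgt/")) return t;
        }
        return null;
    }

    /** Wall-clock time (ms) at which to renew: 80% through the lifetime (assumed), never after renewTill. */
    public static long nextRenewalTimeMillis(KerberosTicket tgt, long nowMillis) {
        long start = tgt.getStartTime() != null ? tgt.getStartTime().getTime() : nowMillis;
        long end = tgt.getEndTime().getTime();
        long target = start + (long) ((end - start) * 0.80);
        if (tgt.isRenewable() && tgt.getRenewTill() != null) {
            target = Math.min(target, tgt.getRenewTill().getTime());
        }
        return Math.max(nowMillis, target);
    }

    /**
     * Renew in place while the KDC still allows it. Once the ticket is non-renewable or renewTill has
     * passed, refresh() can only fail, so the manager must re-login from the keytab instead.
     */
    public static void renewOrRelogin(LoginContext login, long nowMillis) throws LoginException {
        KerberosTicket tgt = findTgt(login.getSubject());
        if (tgt != null && tgt.isRenewable() && tgt.getRenewTill() != null
                && nowMillis < tgt.getRenewTill().getTime()) {
            try {
                tgt.refresh();
                return;
            } catch (RefreshFailedException e) {
                // the KDC rejected the renewal: fall through and re-authenticate from scratch
            }
        }
        login.logout();
        login.login();
    }

    public static void main(String[] args) {
        System.out.println(principalToLocal("testuser/node1.test.com@EXAMPLE.COM", "EXAMPLE.COM"));
        System.out.println(principalToLocal("testuser@EXAMPLE.COM", "EXAMPLE.COM"));
        try {
            principalToLocal("testuser/node1.test.com@OTHER.COM", "EXAMPLE.COM");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The mapping part runs offline; the ticket part needs a LoginContext that has logged in against a KDC. A manager built on these helpers would sleep until nextRenewalTimeMillis, call renewOrRelogin, and then recompute, since the re-login path yields a fresh ticket with new start and end times.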

Proposed Changes

SASL is a framework for providing authentication and data security services in connection-oriented protocols. We will be using GSSAPI (Generic Security Services Application Program Interface) as the SASL mechanism so that client and server authenticate each other with Kerberos.

...


KafkaClient {
// Kerberos login through the JDK module; "required" means this module must succeed
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/keytabs/kafka.keytab"
storeKey=true
useTicketCache=true
// serviceName is the primary of the broker principal the client will ask a ticket for
serviceName="kafka"
principal="kafkaproducer/_HOST@EXAMPLE.COM";
};

The above config is for any client (producer, consumer) connecting to a Kerberos-enabled Kafka cluster.
Here serviceName must match the service part (the component before the "/") of the principal used under KafkaServer; with serviceName="kafka" the broker principal must be of the form kafka/<host>@REALM, since that is the service ticket the client will request from the KDC.


SASL Authentication exchange

KafkaClient

1) KafkaClient picks the principal it wants to use by looking at the KafkaClient JAAS config (example above).

...

4) KafkaClient initiates the challenge/response exchange with KafkaBroker, presenting the KafkaClient principal and the service principal. Depending on the KafkaBroker's responses, the challenge/response may continue for several rounds until the client receives COMPLETE from the KafkaBroker.

KafkaBroker

1) KafkaBroker accepts the connection and takes the client and service principal.

...

5) Once the client is authenticated, it can send Kafka requests.
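The exchange described in the client and broker steps above, as an added in-process walk-through. This is not Kafka code and not the proposed SaslSocketChannel: it uses the JDK's javax.security.sasl GSSAPI mechanism on both sides and hands the tokens across directly instead of over a socket, so the round structure (client speaks first, broker answers until COMPLETE) is visible. It assumes a JAAS file with KafkaClient and KafkaServer entries, a reachable KDC, and the broker host name node1.test.com; the class name and the runAs helper are assumptions.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslServer;

/**
 * Added example (not Kafka code): both ends of a SASL/GSSAPI exchange in one JVM.
 * Run with -Djava.security.auth.login.config=<jaas file> against a live KDC.
 */
public final class GssapiExchangeDemo {

    private static final String SERVICE = "kafka";              // serviceName: primary of the broker principal
    private static final String SERVER_HOST = "node1.test.com"; // assumption: instance part of kafka/<host>@REALM

    // Broker-side authorization hook: a client may only act as the identity it authenticated as.
    private static final CallbackHandler BROKER_CALLBACKS = callbacks -> {
        for (Callback cb : callbacks) {
            if (!(cb instanceof AuthorizeCallback)) throw new UnsupportedCallbackException(cb);
            AuthorizeCallback ac = (AuthorizeCallback) cb;
            ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
        }
    };

    private interface SaslStep { byte[] run() throws Exception; }

    // Every SASL call must run as the Subject that holds that side's Kerberos credentials.
    private static byte[] runAs(Subject subject, SaslStep step) throws Exception {
        try {
            return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) step::run);
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    public static void main(String[] args) throws Exception {
        // Client step 1 / broker step 1: each side logs in through its JAAS entry (keytab or ticket cache).
        LoginContext clientLogin = new LoginContext("KafkaClient");
        clientLogin.login();
        LoginContext brokerLogin = new LoginContext("KafkaServer");
        brokerLogin.login();
        Subject clientSubject = clientLogin.getSubject();
        Subject brokerSubject = brokerLogin.getSubject();

        Map<String, String> props = new HashMap<>();
        props.put(Sasl.QOP, "auth"); // authenticate only; "auth-conf" would also wrap the payload afterwards

        SaslClient client = Subject.doAs(clientSubject, (PrivilegedExceptionAction<SaslClient>) () ->
            Sasl.createSaslClient(new String[] {"GSSAPI"}, null, SERVICE, SERVER_HOST, props, null));
        SaslServer broker = Subject.doAs(brokerSubject, (PrivilegedExceptionAction<SaslServer>) () ->
            Sasl.createSaslServer("GSSAPI", SERVICE, SERVER_HOST, props, BROKER_CALLBACKS));

        // Client step 4: the client speaks first; its initial token carries the service ticket for kafka/<host>@REALM.
        byte[] toBroker = runAs(clientSubject, () -> client.evaluateChallenge(new byte[0]));
        int round = 0;
        while (!broker.isComplete()) {
            round++;
            final byte[] response = toBroker;
            // Broker validates the token with its own keytab; a forged or expired ticket throws SaslException here.
            byte[] challenge = runAs(brokerSubject, () -> broker.evaluateResponse(response));
            System.out.printf("round %d: client -> broker %d bytes, broker -> client %d bytes%n",
                round, response.length, challenge == null ? 0 : challenge.length);
            if (broker.isComplete()) {
                // COMPLETE. GSSAPI sends nothing more, but a mechanism may attach final data.
                if (challenge != null && !client.isComplete()) {
                    final byte[] last = challenge;
                    runAs(clientSubject, () -> client.evaluateChallenge(last));
                }
                break;
            }
            // A zero-length token is still a message; real wire framing must carry it.
            final byte[] next = challenge == null ? new byte[0] : challenge;
            toBroker = runAs(clientSubject, () -> client.evaluateChallenge(next));
        }
        if (!client.isComplete()) throw new IllegalStateException("client did not complete the SASL exchange");

        // Broker step 5: the negotiated identity is what a User/Session object would record
        // before a principal-to-local mapping reduces it to a short name.
        System.out.println("authenticated as " + broker.getAuthorizationID()
            + " with QOP " + broker.getNegotiatedProperty(Sasl.QOP));
        client.dispose();
        broker.dispose();
        clientLogin.logout();
        brokerLogin.logout();
    }
}
```

With the JDK mechanism the loop takes three rounds: service ticket in, mutual-auth reply out; an empty client message, then the broker's QOP offer; the client's wrapped QOP choice, after which the broker reports complete. The AuthorizeCallback is the place where a broker would also consult an ACL before letting the connection proceed to Kafka requests.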

Compatibility, Deprecation, and Migration Plan

As per previous security discussions and the multiport work being done as part of KAFKA-1809 (https://issues.apache.org/jira/browse/KAFKA-1809), users/clients can still communicate with non-secure/non-SASL Kafka brokers.

Rejected Alternatives

None