
The goal is to add Kerberos capability to Kafka brokers: to start a Kafka broker with a valid
Kerberos ticket and to accept SASL connections from clients that present a valid Kerberos ticket.

Public Interfaces

  • Channel is a wrapper for SocketChannel providing the necessary handshake methods as well as read(ByteBuffer buf), write(ByteBuffer buf) and write(ByteBuffer[] buf).
  • GSSChannel (SaslSocketChannel), similar to the work done for SSL in https://issues.apache.org/jira/browse/KAFKA-1684, provides the necessary read and write operations.
  • GSSServerChannel extends GSSChannel to provide the server-side handshake methods.
  • GSSBlockingClientChannel extends GSSChannel to provide blocking client-side handshake methods. This will be used by BlockingChannel.scala.
  • GSSClientChannel extends GSSChannel to provide non-blocking client-side handshake methods. This will be used by the new producer and consumer.
    SaslSocketChannel will initiate a SASL authentication exchange between the Kafka broker and Kafka clients (consumer, producer).

  • User: This class will be used to get the remoteUserId and add it to the Session object (https://issues.apache.org/jira/browse/KAFKA-1683).
  • KafkaPrincipalToLocalPlugin: This is a pluggable class with a default implementation which translates a Kerberos principal such as "testuser/node1.test.com@EXAMPLE.COM" to "testuser". Users can provide their own customized version of PrincipalToLocalPlugin.
  • AuthUtils: This class will consist of any utilities needed for SASL and other auth-related methods.
  • KerberosLoginManager (KerberosTicketManager): This singleton object will take care of renewing the Kafka broker's Kerberos ticket. It will periodically check the current ticket's lifetime and renew time and renew the ticket before it expires.

Proposed Changes

  • Use the JAAS config to log in and generate a Subject.

SASL is a framework for providing authentication and data security services in connection-oriented protocols. We will be using GSSAPI (Generic Security Services Application Program Interface) as the SASL mechanism to authenticate client and server with Kerberos.

As part of the SASL Kerberos/GSS-API implementation we will be using a JAAS config to read the Kerberos ticket and authenticate. More info on JAAS Config

The proposed JAAS login config file will look like this:

JAAS Config:

    KafkaServer {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/keytabs/kafka.keytab"
        storeKey=true
        useTicketCache=false
        serviceName="kafka"  // this will be used to connect to other brokers for replica management and also for controller requests. It should be set to whatever principal the Kafka brokers are running as.
        principal="kafka/_HOST@EXAMPLE.COM";
    };

    Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/vagrant/keytabs/storm.keytab"
        storeKey=true
        useTicketCache=false
        serviceName="zookeeper"
        principal="kafka@EXAMPLE.COM";
    };

KafkaServer will be used to authenticate the Kafka broker against Kerberos, and the Client section will be used by zkClient to access a Kerberos-enabled ZooKeeper cluster.

    KafkaClient {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/keytabs/kafka.keytab"
        storeKey=true
        useTicketCache=true
        serviceName="kafka"
        principal="kafkaproducer/_HOST@EXAMPLE.COM";
    };

The above config is for any client (producer, consumer) connecting to a Kerberos-enabled Kafka cluster.
Here serviceName must match the principal name used under KafkaServer.
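As an added example (not code from this proposal or from Kafka), the following Python script parses the JAAS file above, applies the default principal-to-local rule described for KafkaPrincipalToLocalPlugin, and checks the rule stated here that the client's serviceName matches the primary of the KafkaServer principal. The embedded config is a constructed copy of the two sections involved, and the parser is a simplified stand-in for the JDK's own JAAS config parser.

```python
import re

# Constructed copy of the proposal's JAAS file (the KafkaServer and KafkaClient sections).
JAAS_CONF = """
KafkaServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/keytabs/kafka.keytab"
  storeKey=true
  useTicketCache=false
  serviceName="kafka"
  principal="kafka/_HOST@EXAMPLE.COM";
};
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/keytabs/kafka.keytab"
  storeKey=true
  useTicketCache=true
  serviceName="kafka"
  principal="kafkaproducer/_HOST@EXAMPLE.COM";
};
"""

SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;?", re.S)
# An option is key=value; the value is either "quoted" or a bare word such as true/false.
OPTION_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))')

def parse_jaas(text):
    """Map each section name to its login module, control flag and option dict.
    Quotes around values are stripped, as the JDK's JAAS ConfigFile parser does."""
    sections = {}
    for name, body in SECTION_RE.findall(text):
        module, flag = body.split()[:2]
        options = {k: q if q else u for k, q, u in OPTION_RE.findall(body)}
        sections[name] = {"module": module, "flag": flag, "options": options}
    return sections

def principal_to_local(principal):
    """Default KafkaPrincipalToLocalPlugin rule from the proposal: keep only the
    primary, dropping the optional /instance and @REALM parts."""
    return principal.split("@", 1)[0].split("/", 1)[0]

def check_service_name(sections):
    """KafkaClient.serviceName must equal the primary of the KafkaServer principal;
    otherwise the client requests a service ticket for the wrong principal and the
    GSSAPI handshake fails. Returns (ok, expected, actual)."""
    expected = principal_to_local(sections["KafkaServer"]["options"]["principal"])
    actual = sections["KafkaClient"]["options"].get("serviceName")
    return expected == actual, expected, actual
```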

GSSChannel


SASL Authentication exchange
