Status
Current state: "Accepted"
Discussion thread: here
JIRA: here
...
- Channel: a wrapper around TransportLayer and AuthenticationLayer providing the necessary handshake and authentication methods, plus read(ByteBuffer buf), write(ByteBuffer buf) and write(ByteBuffer[] buf).
- TransportLayer is an interface for network transportLayer.
- PlainTextTransportLayer provides plain text socket channel methods
- SSLTransportLayer provides the SSL handshake and read/write methods.
- Authenticator is an interface providing client/server authentication.
- SaslServerAuthenticationLayer implements AuthenticationLayer and provides the server-side authentication methods.
- SaslClientAuthenticationLayer implements AuthenticationLayer, provides client side authentication.
- User: This class will be used to get the remoteUserId and add it to the Session Object (https://issues.apache.org/jira/browse/KAFKA-1683)
- KafkaPrincipalToLocalPlugin: a pluggable class with a default implementation that translates a Kerberos principal such as "testuser/node1.test.com@EXAMPLE.COM" to "testuser". Users can provide their own customized version of PrincipalToLocalPlugin.
- AuthUtils: this class will consist of any utilities needed for SASL and other auth-related methods.
- KerberosLoginFactory: uses the JAAS config to log in and generate a Subject.
- Protocol accepts the protocol type (PLAINTEXT, SSL, PLAINTEXT+SASL, SSL+SASL)
- PLAINTEXT (non-authenticated, non-encrypted)
- This channel will behave exactly like the communication channels of previous releases.
- SSL
- SSL implementation. The authenticated principal in the session will come from the certificate presented or from the peer host.
- SASL+PLAINTEXT
- SASL authentication will be used over a plaintext channel. Once SASL authentication is established between client and server, the session will have the client's principal as the authenticated user. There is no wire encryption in this case, since all channel communication is over plain text.
- SASL+SSL
- SSL will be established first and SASL authentication will be done over it. Once SASL authentication is established, the user's principal will be used as the authenticated user. This option is useful if users want SASL authentication (for example Kerberos) together with wire encryption.
- SecurityConfig, a config file providing the SecurityProtocol, SSL config and SASL mechanisms.
- BlockingChannel interface changes, as it accepts the Protocol to create the appropriate channel.
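As an added example (not part of this proposal or of Kafka's code), here is the default principal-to-local rule described for KafkaPrincipalToLocalPlugin, written in Python rather than the Java the plugin would actually be implemented in: the local user is the primary of the Kerberos principal, so "testuser/node1.test.com@EXAMPLE.COM" becomes "testuser". It goes a little beyond the one-line description by honoring Kerberos backslash escapes, so that a '/' or '@' inside a component is not taken as a separator, and by taking an optional set of accepted realms, which is an assumption added here: without it a principal from another realm such as "testuser@OTHER.COM" would be mapped onto the same local "testuser".

```python
# Added illustration, not Kafka's code. Implements the default
# PrincipalToLocal rule from the proposal: primary/instance@REALM -> primary.
# The allowed_realms check is an assumption added here, not in the proposal.

def split_principal(principal):
    """Return (components, realm) for a Kerberos principal string.

    Components are separated by '/', the realm follows the first unescaped
    '@', and a backslash escapes the next character (so 'a\\/b' is the single
    component 'a/b'). realm is None when the principal carries no realm.
    """
    components, current, in_realm = [], [], False
    i = 0
    while i < len(principal):
        ch = principal[i]
        if ch == "\\":
            # escaped character: take the next char literally, whatever it is
            if i + 1 >= len(principal):
                raise ValueError("dangling escape in principal: %r" % principal)
            current.append(principal[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(current))
            current = []
        elif not in_realm and ch == "@":
            components.append("".join(current))
            current = []
            in_realm = True
        else:
            # inside the realm '/' and '@' are ordinary characters
            current.append(ch)
        i += 1
    if in_realm:
        realm = "".join(current)
        if not realm:
            raise ValueError("empty realm in principal: %r" % principal)
    else:
        realm = None
        components.append("".join(current))
    if not components or any(c == "" for c in components):
        raise ValueError("empty component in principal: %r" % principal)
    return components, realm


def to_local(principal, allowed_realms=None):
    """Default rule: the local user is the primary (first component).

    If allowed_realms is given, principals from any other realm (or with no
    realm at all) are rejected, so a foreign 'testuser@OTHER.COM' cannot be
    mapped onto the local 'testuser'.
    """
    components, realm = split_principal(principal)
    if allowed_realms is not None and realm not in allowed_realms:
        raise ValueError("principal %r is not from an accepted realm" % principal)
    return components[0]


if __name__ == "__main__":
    print(to_local("testuser/node1.test.com@EXAMPLE.COM"))
    print(split_principal("odd\\/name/host@EXAMPLE.COM"))
```

The realm check matters because the default rule discards the realm entirely; anything that authorizes by local name should only accept principals from realms it trusts, or use a customized plugin that keeps the realm in the local name.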
Proposed Changes
We will be using SASL to provide authentication and SSL to provide encryption in connection-oriented protocols.
...
SecurityConfig will be shared across clients and brokers. If it is not provided, communication channels fall back to PLAINTEXT. Here are the proposed configs:
- sasl.enable
- authentication.mechanism (KERBEROS will be supported for revision 1)
- ssl.protocol
- ssl.cipher.suites
- ssl.enabled.protocols
- ssl.keystore.type
- ssl.keystore.location
- ssl.keystore.password
- ssl.key.password
- ssl.truststore.type
- ssl.truststore.location
- ssl.truststore.password
- ssl.client.require.cert
- ssl.keymanager.algorithm
- ssl.trustmanager.algorithm
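The following is an added example, not Kafka's code, of a check a client or broker could run over a SecurityConfig before opening any channel. It uses the proposed key names listed above; the security.protocol key, the protocol spellings and the messages are assumptions made for this illustration. It encodes the fallback to PLAINTEXT when no protocol is given, the revision-1 restriction to KERBEROS, the keystore and truststore each side needs when SSL is in use, and reports for each option whether the peer is authenticated, whether the wire is encrypted and where the session principal comes from, so that SASL+PLAINTEXT shows up as authenticated but unencrypted.

```python
# Added illustration, not Kafka's code. Key names follow the proposal;
# "security.protocol", the protocol spellings and the messages are assumptions.

SASL_MECHANISMS_REV1 = {"KERBEROS"}  # revision 1 of the proposal supports only KERBEROS
PROTOCOLS = ("PLAINTEXT", "SSL", "SASL+PLAINTEXT", "SASL+SSL")


def check_security_config(config, is_broker=False):
    """Resolve the effective protocol and return (protocol, properties, errors, warnings).

    properties says whether the channel authenticates the peer, whether it
    encrypts the wire, and where the session principal comes from. A missing
    protocol falls back to PLAINTEXT, as the proposal specifies.
    """
    errors, warnings = [], []
    protocol = config.get("security.protocol", "PLAINTEXT")
    if protocol not in PROTOCOLS:
        return protocol, None, ["unknown security.protocol %r" % protocol], warnings

    uses_ssl = protocol.endswith("SSL")
    uses_sasl = protocol.startswith("SASL")
    require_cert = str(config.get("ssl.client.require.cert", "false")).lower() == "true"

    if uses_sasl:
        mechanism = config.get("authentication.mechanism")
        if mechanism not in SASL_MECHANISMS_REV1:
            errors.append("authentication.mechanism must be one of %s, got %r"
                          % (sorted(SASL_MECHANISMS_REV1), mechanism))

    if uses_ssl:
        if is_broker:
            # the broker presents a certificate, and verifies client certs only if required
            if not config.get("ssl.keystore.location"):
                errors.append("broker needs ssl.keystore.location to present its certificate")
            if require_cert and not config.get("ssl.truststore.location"):
                errors.append("ssl.truststore.location required to verify client "
                              "certificates when ssl.client.require.cert=true")
        else:
            # the client must be able to verify the broker, and present a cert if required
            if not config.get("ssl.truststore.location"):
                errors.append("client needs ssl.truststore.location to verify the broker certificate")
            if require_cert and not config.get("ssl.keystore.location"):
                errors.append("client needs ssl.keystore.location when the broker requires a client certificate")
    elif any(key.startswith("ssl.") for key in config):
        warnings.append("ssl.* settings are ignored for %s" % protocol)

    if protocol == "SASL+PLAINTEXT":
        warnings.append("SASL+PLAINTEXT authenticates the client, but all traffic "
                        "after the handshake is unencrypted")

    if uses_sasl:
        principal = "SASL-authenticated client principal"
    elif uses_ssl:
        principal = "client certificate" if require_cert else "peer host"
    else:
        principal = "anonymous"
    properties = {
        "authenticated": uses_sasl or (uses_ssl and require_cert),
        "encrypted": uses_ssl,
        "principal": principal,
    }
    return protocol, properties, errors, warnings


if __name__ == "__main__":
    # constructed sample client config
    sample = {"security.protocol": "SASL+SSL", "authentication.mechanism": "KERBEROS",
              "ssl.truststore.location": "/etc/kafka/client.truststore.jks"}
    print(check_security_config(sample))
    print(check_security_config({}))
```

Note that the SSL-only option is reported as unauthenticated unless ssl.client.require.cert is set; with no client certificate the session principal is only the peer host, which is not a credential anyone proved possession of.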
...