THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
Status
Current state: "Under Discussion"
Discussion thread: here
JIRA: here
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Motivation
The goal is to add kerberos capability to Kafka brokers , to start a Kafka broker with valid
kerberos ticket and accept sasl connections from client with a valid kerberos ticket.
Public Interfaces
- SaslSocketChannel in similar to the work done for SSL here https://issues.apache.org/jira/browse/KAFKA-1684 .
SaslSocketChannel will initiate a sasl authentication exchange for KafkaBroker and KafkaClient (consumer , producer). - User: This class will be used to get the remoteUserId and add it to the Session Object (https://issues.apache.org/jira/browse/KAFKA-1683)
- KafkaPrincipalToLocalPlugin: This is a pluggable class with a default implementation which translates a kerberos principal which looks like "testuser/node1.test.com@EXAMPLE.COM" to "testuser" . Users can provide a their own customized version of PrincipalToLocalPlugin.
- AuthUtils: This class will consists of any utilities needed for SASL and other auth related methods.
- KerberosTicketManager: This class will take care of renewing KafkaBroker kerberos ticket. It will periodically check for current ticket lifeTime and renewTime to renew the ticket before it expires.
Proposed Changes
SASL is a framework for providing authentication and data security services in connection oriented protocols. We will be using GSSAPI (Generic Security Services Application Program Interface) as the SASL mechanism to authenticate client and server with kerberos.
As part of SASL implementation we will be using JAAS config to read kerberos ticket and authenticate. More info on JAAS Config
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/JAASRefGuide.html
Proposed JAAS Login config file will look like this
KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/keytabs/kafka.keytab"
storeKey=true
useTicketCache=true
principal="kafka/_HOST@EXAMPLE.COM";
};
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/vagrant/keytabs/storm.keytab"
storeKey=true
useTicketCache=false
serviceName="zookeeper"
principal="kafka@EXAMPLE.COM";
}
KafkaServer will be used to authenticate Kafka broker against kerberos
and Client section will be used for zkClient to access kerberos enabled zookeeper cluster.
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/keytabs/kafka.keytab"
storeKey=true
useTicketCache=true
serviceName="kafka"
principal="kafkaproducer/_HOST@EXAMPLE.COM";
};
The above config is for any client ( producer, consumer) connecting to kerberos enabled Kafka cluster.
Here serviceName must match the principal name used under KafkaServer.
SASL Authentication exchange
KafkaClient
1) KafkaClient picks the principal it wants to use by looking at KafkaClient jaas config (example above).
2) Authenticates against KDC (kerberos) using the KafkaClient principal.
3) KafkaClient constructs the service principal name based on the jaas config serviceName
4) KafkaClient initiates challenge/response with KafkaBroker along with KafkaClient principal and service principal . Depending on the KafkaBroker response these challenge/response might continue until it receives COMPLETE from the KafkaBroker.
KafkaBroker
1) KafkaBroker will accept the connection and takes the client and service prinicpal
2) checks if the service principal is same as the one KafkaBroker running with.
3) KafkaBroker checks if the KafkaClient principal is authorized to use the service
4) Returns the response to the client if its authorized or not.
5) Once client is authenticated they can send Kafka requests.
Compatibility, Deprecation, and Migration Plan
As per previous security discussions and multiport work being done as part of this JIRA ,
Users/Clients can still communicate with non-secure/non-sasl kafka brokers.
Rejected Alternatives
None