In this short article, we will show how to connect to an Apache Kafka cluster that is secured using Kerberos authentication. The steps explained here are generic to any Apache Kafka client and have been battle-tested with Kafkaide.
Kerberos is a computer network authentication protocol that works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is typically used in large organizations where users need to access kerberized applications hosted on servers spread across different geographical locations.
The most notable feature of Kerberos is that it eliminates the need for users to remember and enter multiple passwords when authenticating to kerberized services. Users only need to remember their Kerberos password, which is used to obtain tickets from the Kerberos server. These tickets can then be used to authenticate with kerberized services without the need to enter a password. Kerberos authentication is often used in conjunction with Apache Kafka, as it provides an additional layer of security for data in transit.
When working with Apache Kafka, there are a few important configuration parameters that you need to set. These are:
- security.protocol - set the value to SASL_SSL or SASL_PLAINTEXT, depending on whether you also use SSL/TLS or not.
- ssl.truststore.location - if your security protocol is SASL_SSL, you will need to pass the path to the truststore file. Also set ssl.truststore.password if your truststore was created using a password.
- sasl.mechanism - always set to GSSAPI, which is the SASL mechanism name used for Kerberos.
- sasl.kerberos.service.name - set the value to the Kerberos service name. This will be custom to your setup; if you don't know yours, ask your Kerberos administrator.
- sasl.jaas.config or java.security.auth.login.config - read the next section.
As we said, we will have to provide the Kerberos ticket along with the rest of the consumer configuration. There are different ways in which you can achieve this.
The first is by using your local Kerberos ticket cache. You can inspect which tickets are available by running klist from your command line.
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
Sometimes you have a keytab file holding your principal's credentials. If that is your case, you can pass the keytab location instead of using the system ticket cache.
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/path/to/alice.keytab" principal="alice@example.com";
An alternative to setting sasl.jaas.config is having that same configuration stored in a file and passing that file's location as the java.security.auth.login.config property.
As an example, you can create a file at /path/to/kerberos.sasl.config with either of the following contents, equivalent to the examples of the previous two sections.
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true;
};
or
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/path/to/alice.keytab"
principal="alice@example.com";
};
Finally, when configuring your Kafka client, set the following config:
java.security.auth.login.config=/path/to/kerberos.sasl.config
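The following is an added example, not code from the original article or from Kafkaide. It puts the rules above into a small Python checker: it parses both forms of the JAAS login configuration (the inline sasl.jaas.config value and a java.security.auth.login.config file with a KafkaClient entry), confirms they resolve to the same login module and options, and reports the inconsistencies a Kerberos client configuration most often ships with (SASL_SSL without a truststore, a mechanism other than GSSAPI, a missing service name, a keytab form without a keytab). All file paths, the principal, the service name and the truststore password are constructed placeholders; the filesystem lookups are injectable so the check runs offline.

```python
"""Added example: sanity-check a Kafka client property map for Kerberos
(SASL/GSSAPI) and parse the two equivalent JAAS login-configuration forms.
Paths, principal and sample JAAS text are constructed placeholders."""
import os
import re
import shlex

# Constructed sample: the keytab form of the JAAS file, as the article shows it.
SAMPLE_JAAS_FILE = """\
KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/path/to/alice.keytab"
    principal="alice@example.com";
};
"""

# Constructed sample: the same login configuration given inline.
SAMPLE_INLINE = ('com.sun.security.auth.module.Krb5LoginModule required '
                 'useKeyTab=true keyTab="/path/to/alice.keytab" '
                 'principal="alice@example.com";')

_CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
_ENTRY = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)  # <AppName> { ... };


def parse_login_entry(text):
    """Parse one login-module line ('<class> <flag> key=value ...;') into
    (module_class, control_flag, {option: value}).  shlex strips the quotes
    around values, so keyTab="/p/alice.keytab" becomes /p/alice.keytab."""
    body = text.strip()
    if body.endswith(";"):
        body = body[:-1]
    tokens = shlex.split(body)
    if len(tokens) < 2:
        raise ValueError("login entry needs a module class and a control flag")
    module, flag = tokens[0], tokens[1].lower()
    if flag not in _CONTROL_FLAGS:
        raise ValueError("unknown JAAS control flag: " + flag)
    options = {}
    for tok in tokens[2:]:
        if "=" not in tok:
            raise ValueError("option without '=': " + tok)
        key, value = tok.split("=", 1)
        options[key] = value
    return module, flag, options


def parse_jaas_file(text):
    """Parse a JAAS file into {application_name: login_entry}.  One login
    module per application entry is all the Kafka client examples use."""
    entries = {name: parse_login_entry(body) for name, body in _ENTRY.findall(text)}
    if not entries:
        raise ValueError("no login configuration entries found")
    return entries


def _read(path):
    with open(path) as fh:
        return fh.read()


def effective_login_entry(props, read_file=_read):
    """Resolve the KafkaClient login entry from whichever property form is set.
    read_file is injectable so the check can run against a constructed file."""
    if props.get("sasl.jaas.config"):
        return parse_login_entry(props["sasl.jaas.config"])
    path = props.get("java.security.auth.login.config")
    if not path:
        raise ValueError("neither sasl.jaas.config nor java.security.auth.login.config is set")
    return parse_jaas_file(read_file(path))["KafkaClient"]


def validate_kerberos_config(props, path_exists=os.path.exists, read_file=_read):
    """Return the list of problems found in a Kafka client property map, applying
    the article's rules.  An empty list means the configuration is internally
    consistent; it says nothing about whether the KDC or broker will accept it."""
    problems = []
    proto = props.get("security.protocol")
    if proto not in ("SASL_SSL", "SASL_PLAINTEXT"):
        problems.append("security.protocol must be SASL_SSL or SASL_PLAINTEXT")
    if proto == "SASL_SSL":
        store = props.get("ssl.truststore.location")
        if not store:
            problems.append("SASL_SSL needs ssl.truststore.location")
        elif not path_exists(store):
            problems.append("truststore not found: " + store)
    if props.get("sasl.mechanism") != "GSSAPI":
        problems.append("sasl.mechanism must be GSSAPI for Kerberos")
    if not props.get("sasl.kerberos.service.name"):
        problems.append("sasl.kerberos.service.name is not set")
    try:
        module, _flag, opts = effective_login_entry(props, read_file)
    except (ValueError, KeyError, OSError) as exc:
        return problems + ["JAAS login configuration: " + str(exc)]
    if not module.endswith("Krb5LoginModule"):
        problems.append("login module is not Krb5LoginModule: " + module)
    if opts.get("useKeyTab", "false").lower() == "true":
        # The article's keytab form names both the keytab and the principal.
        if "keyTab" not in opts or "principal" not in opts:
            problems.append("useKeyTab=true should name both keyTab and principal")
        elif not path_exists(opts["keyTab"]):
            problems.append("keytab not found: " + opts["keyTab"])
    elif opts.get("useTicketCache", "false").lower() != "true":
        problems.append("Krb5LoginModule needs useTicketCache=true or useKeyTab=true")
    return problems


if __name__ == "__main__":
    # Constructed property map; the paths do not exist here, so a fake
    # path_exists and read_file stand in for the filesystem.
    props = {
        "security.protocol": "SASL_SSL",
        "ssl.truststore.location": "/path/to/truststore.jks",
        "ssl.truststore.password": "changeit",          # placeholder
        "sasl.mechanism": "GSSAPI",
        "sasl.kerberos.service.name": "kafka",          # placeholder; ask your admin
        "java.security.auth.login.config": "/path/to/kerberos.sasl.config",
    }
    fake_fs = {"/path/to/truststore.jks", "/path/to/alice.keytab",
               "/path/to/kerberos.sasl.config"}
    print(validate_kerberos_config(props, fake_fs.__contains__, lambda p: SAMPLE_JAAS_FILE))
    inline = dict(props, **{"sasl.jaas.config": SAMPLE_INLINE})
    print(effective_login_entry(inline) == parse_jaas_file(SAMPLE_JAAS_FILE)["KafkaClient"])
```

Run it before handing a property file to a consumer or producer: an empty list means the five parameters from the list above agree with each other and with the JAAS entry they point to, which is the class of mistake that otherwise surfaces only as an opaque GSSAPI failure at connect time. The injectable `path_exists` and `read_file` are there purely so the checker can be unit-tested without a keytab on disk; in real use leave the defaults.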
In this article, we have seen the configuration required to connect to an Apache Kafka cluster secured using Kerberos authentication.
This configuration is standard for any type of Kafka client, whether you use the Apache Kafka Consumer API, the Producer API or an Apache Kafka editor such as Kafkaide.