Kerberos
Kerberos Installation
Kerberos Server:
sudo yum install -y krb5-server
Need to modify 3 config files
1. sudo vi /var/kerberos/krb5kdc/kdc.conf
2. sudo vi /var/kerberos/krb5kdc/kadm5.acl
It is a one liner, replace it with
*/admin@KAFKA.SECURE *
Every principal whose instance is "admin" in the realm KAFKA.SECURE gets all permissions (*) on every principal.
3. sudo vi /etc/krb5.conf
Set default_realm to KAFKA.SECURE, replace the admin_server and kdc entries with the Kerberos server's hostname, and provide the log paths.
Create Kerberos Database
sudo /usr/sbin/kdb5_util create -s -r KAFKA.SECURE -P this-is-unsecure
-s also creates the stash file, which holds the master key so the KDC can start without prompting for it; -r is the realm name. -P takes the master password on the command line (it ends up in shell history); omit it to be prompted instead.
Add principal/user
sudo kadmin.local -q 'add_principal -pw this-is-unsecure admin/admin'
Here we pass a query (-q) with add_principal, creating the principal admin/admin with the password this-is-unsecure. It matches the */admin ACL above, so it can administer the realm through kadmin.
Restart the service
sudo systemctl restart krb5kdc
sudo systemctl restart kadmin
Now create a new principal
sudo kadmin.local -q 'add_principal -randkey reader@KAFKA.SECURE'
This generates a random key for the user reader in realm KAFKA.SECURE (the principal has no password, so it can only authenticate from a keytab).
create 2 more users
sudo kadmin.local -q 'add_principal -randkey writer@KAFKA.SECURE'
sudo kadmin.local -q 'add_principal -randkey admin@KAFKA.SECURE'
Create a principal for the Kafka service
sudo kadmin.local -q 'add_principal -randkey kafka/ec2.xx.xxxx@KAFKA.SECURE'
i.e. service/hostname@realm (kafka/ec2...@KAFKA.SECURE)
The hostname must be the broker's fully qualified hostname: clients ask the KDC for a ticket for kafka/<broker hostname>, so it has to match the name the client connects to.
If you have multiple Kafka brokers, repeat the above query with a different hostname for each.
The kafka service principal is bound to the broker hostname it was created for. The admin user above has no host component, so the same principal is used from any host.
Export principals to keytab files
sudo kadmin.local -q 'xst -kt /tmp/reader.user.keytab reader@KAFKA.SECURE'
This exports the keys of the principal 'reader' to a keytab file. (xst randomizes the principal's key on every export unless you pass -norandkey, so exporting the same principal again invalidates keytabs made earlier.)
Repeat the same for writer and admin
sudo kadmin.local -q "xst -kt /tmp/writer.user.keytab writer@KAFKA.SECURE"
sudo kadmin.local -q "xst -kt /tmp/admin.user.keytab admin@KAFKA.SECURE"
Create a keytab for the kafka service principal
sudo kadmin.local -q "xst -kt /tmp/kafka.service.keytab kafka/ec2.xx.xx.@KAFKA.SECURE"
Now copy the user keytabs to the client machine and the kafka keytab to the Kafka server. A keytab is equivalent to the password: keep it mode 600, owned by the user that runs the client or broker, and do not leave copies lying in /tmp.
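The whole KDC-side procedure above (database, principals, keytabs) as one script. This is an added example, not part of the original notes: it assumes MIT Kerberos (krb5-server) is installed, that kdc.conf, kadm5.acl and krb5.conf have already been edited as described, that it runs as root on the KDC, and that BROKER_FQDN is replaced with the real broker hostname. Calling it with "dry" prints the kadmin queries instead of running them, which is how you can review what it would do first.

```shell
#!/bin/sh
# Added example (not from the original notes): provision the KAFKA.SECURE realm
# on the KDC in one script, with a dry-run mode that prints the kadmin queries.
# Assumptions: MIT Kerberos (krb5-server) installed, kdc.conf/kadm5.acl/krb5.conf
# already edited, run as root. BROKER_FQDN is a placeholder.
set -eu

REALM="${REALM:-KAFKA.SECURE}"
BROKER_FQDN="${BROKER_FQDN:-broker1.kafka.secure}"   # assumption: real broker FQDN here
KEYTAB_DIR="${KEYTAB_DIR:-/root/keytabs}"             # not /tmp: keytabs are credentials
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# kadmin.local works on the database directly, so no admin ticket is needed.
kadm() { run kadmin.local -q "$1"; }

# Accept only primary[/instance]@REALM with a safe character set, so a typo
# (like a stray quote) cannot turn into an unexpected principal name.
principal_ok() {
  case "$1" in
    *@"$REALM") ;;
    *) return 1 ;;
  esac
  printf '%s' "${1%@*}" | grep -Eq '^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)?$'
}

# Random key: the principal has no password and can only be used via its keytab.
add_randkey_principal() {
  principal_ok "$1" || { echo "refusing bad principal: $1" >&2; return 1; }
  kadm "add_principal -randkey $1"
}

# Export keys to a keytab. -norandkey (kadmin.local only) keeps the current key,
# so re-running does not bump the kvno and break keytabs already deployed.
export_keytab() {  # $1=principal $2=keytab path
  kadm "ktadd -norandkey -k $2 $1"
  [ "$DRY_RUN" = "1" ] || chmod 600 "$2"
}

main() {
  # Master password is prompted for; -P on the command line lands in shell history.
  [ -f /var/kerberos/krb5kdc/principal ] || run kdb5_util create -s -r "$REALM"
  run systemctl restart krb5kdc kadmin
  [ "$DRY_RUN" = "1" ] || mkdir -p "$KEYTAB_DIR"

  # Administrator: matches the */admin@REALM ACL; password is prompted for.
  run kadmin.local -q "add_principal admin/admin@$REALM"

  # One user principal per role; no host component, usable from any client host.
  for u in reader writer admin; do
    add_randkey_principal "$u@$REALM"
    export_keytab "$u@$REALM" "$KEYTAB_DIR/$u.user.keytab"
  done

  # One service principal per broker, bound to that broker's FQDN.
  add_randkey_principal "kafka/$BROKER_FQDN@$REALM"
  export_keytab "kafka/$BROKER_FQDN@$REALM" "$KEYTAB_DIR/kafka.service.keytab"

  # Verify: the keytab should list exactly the broker principal.
  [ "$DRY_RUN" = "1" ] || klist -kt "$KEYTAB_DIR/kafka.service.keytab"
}

case "${1:-}" in
  run) main ;;
  dry) DRY_RUN=1; main ;;
  *) echo "usage: $0 run|dry  (dry prints the kadmin queries instead of running them)" ;;
esac
```

The script uses ktadd (xst is its alias) with -norandkey so that exporting a second copy of a keytab does not silently rotate the key under a broker that is already running; without that flag every xst bumps the key version and the previously deployed keytab stops working.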
ON THE CLIENT machine, which is Ubuntu
1. Install the client libraries
export DEBIAN_FRONTEND=noninteractive && sudo apt-get install -y krb5-user
(noninteractive skips the krb5-config realm dialog, so the realm has to be set in the next step)
2. sudo vi /etc/krb5.conf
Edit the admin_server and kdc parameters to point to the Kerberos server, and set default_realm = KAFKA.SECURE.
Test: get a ticket as the admin user
kinit -kt /tmp/admin.user.keytab admin
(prints nothing if successful)
Always name the principal; with -kt kinit takes the key from the keytab instead of prompting for a password.
Use klist to see what the ticket cache looks like (klist -s prints nothing and exits non-zero if there is no valid ticket, which is handy in scripts)
klist -kt <keytabfile> lists all the principals in the keytab with their key version numbers
Kafka server configuration
Modify server.properties accordingly, providing the correct listeners (SASL_SSL on 9094, per the port list below) and sasl.kerberos.service.name=kafka (it must match the service part of the broker principal, kafka/<hostname>).
Create a JAAS configuration for the Kafka server
This tells the JVM how to handle SASL authentication. SASL has several mechanisms; here we use Kerberos (GSSAPI).
KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/tmp/kafka.service.keytab"
principal="kafka/<<DNS>>@KAFKA.SECURE";
};
Set the JVM environment variable
KAFKA_OPTS=-Djava.security.auth.login.config=<<PATH>>/kafka_server_jaas.conf
vi /etc/systemd/system/kafka.service
The only change in the file is that we set this JVM parameter in the service's Environment.
Ports to be opened
Client
2181 - Zookeeper
9092 - Kafka plaintext
9093 - Kafka SSL port
9094 - Kafka Kerberos port
Server (Kerberos KDC)
88 (both TCP and UDP); 749/TCP as well if kadmin is used from other hosts
Kafka client - create a JAAS file similar to the Kafka server's
vi /tmp/kafka_client_jaas.conf
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true;
};
Create kerberos client properties files
vi /tmp/kafka_client_kerberos.properties
security.protocol=SASL_SSL
sasl.kerberos.service.name=kafka
ssl.truststore.location=/home/gerd/ssl/kafka.client.truststore.jks
ssl.truststore.password=clientpass
export KAFKA_OPTS="-Djava.security.auth.login.config=/tmp/kafka_client_jaas.conf"
Producer
- ~/kafka/bin/kafka-console-producer.sh --broker-list ec2.xx.xx.xx:9094 --topic kafka-security-topic --producer.config /tmp/kafka_client_kerberos.properties
Consumer
- ~/kafka/bin/kafka-console-consumer.sh --bootstrap-server ec2.xx.xx.xx:9094 --topic kafka-security-topic --consumer.config /tmp/kafka_client_kerberos.properties
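The client side as a script. This is an added example, not part of the original notes, and it differs from them in one deliberate way: the JAAS entry logs in from a keytab (useKeyTab) instead of the kinit ticket cache, so a long-running producer or consumer re-authenticates by itself when the ticket expires. It assumes the keytab and generated files live under $HOME/.krb, realm KAFKA.SECURE, a broker on SASL_SSL port 9094, Kafka unpacked in ~/kafka, and a truststore password in TRUSTSTORE_PASS; broker address, topic and truststore path are placeholders. --bootstrap-server on the producer needs Kafka 2.5 or later (older releases use --broker-list as in the notes).

```shell
#!/bin/sh
# Added example (not from the original notes): build the Kafka client's JAAS and
# properties files from a keytab, verify the keytab can get a TGT, then run the
# console producer. Assumptions: files under $HOME/.krb, realm KAFKA.SECURE,
# broker on SASL_SSL port 9094, Kafka under ~/kafka. Broker, topic and
# truststore path are placeholders.
set -eu

REALM="${REALM:-KAFKA.SECURE}"
KRB_DIR="${KRB_DIR:-${HOME:-/root}/.krb}"
JAAS_FILE="$KRB_DIR/kafka_client_jaas.conf"
PROPS_FILE="$KRB_DIR/kafka_client_kerberos.properties"
BOOTSTRAP="${BOOTSTRAP:-broker1.kafka.secure:9094}"   # assumption: real broker here
TOPIC="${TOPIC:-kafka-security-topic}"

# JAAS entry that logs in from a keytab. With useTicketCache=true (as in the
# notes) the client fails once the kinit ticket expires; with a keytab the
# Krb5LoginModule re-authenticates on its own.
write_client_jaas() {  # $1=output file $2=keytab path $3=principal
  ( umask 077; cat > "$1" <<EOF
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="$2"
  principal="$3";
};
EOF
  )
}

# Client properties: SASL (GSSAPI) over TLS; the service name must equal the
# primary of the broker principal, kafka/<host>@REALM. File holds a password,
# hence umask 077.
write_client_props() {  # $1=output file $2=truststore path $3=truststore password
  ( umask 077; cat > "$1" <<EOF
security.protocol=SASL_SSL
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
ssl.truststore.location=$2
ssl.truststore.password=$3
EOF
  )
}

# Read back the principal a JAAS file names (used to check what was written).
jaas_principal() { sed -n 's/^ *principal="\(.*\)";$/\1/p' "$1"; }

# Fail fast before starting Kafka: can this keytab obtain a TGT?
keytab_login_ok() {  # $1=keytab $2=principal
  kinit -kt "$1" "$2" && klist -s   # klist -s exits non-zero without a valid ticket
}

produce() {  # $1=principal (e.g. writer@KAFKA.SECURE) $2=keytab
  mkdir -p "$KRB_DIR"
  write_client_jaas "$JAAS_FILE" "$2" "$1"
  write_client_props "$PROPS_FILE" "${HOME:-/root}/ssl/kafka.client.truststore.jks" \
    "${TRUSTSTORE_PASS:?set TRUSTSTORE_PASS}"
  keytab_login_ok "$2" "$1" || { echo "keytab login failed for $1" >&2; return 1; }
  export KAFKA_OPTS="-Djava.security.auth.login.config=$JAAS_FILE"
  "${HOME:-/root}/kafka/bin/kafka-console-producer.sh" --bootstrap-server "$BOOTSTRAP" \
    --topic "$TOPIC" --producer.config "$PROPS_FILE"
}

# Usage: ./kafka_client.sh writer@KAFKA.SECURE ~/.krb/writer.user.keytab
if [ $# -eq 2 ]; then produce "$1" "$2"; fi
```

The kinit/klist -s check runs before the JVM starts so that a wrong principal, a stale keytab (kvno bumped by a later xst) or an unreachable KDC shows up as a one-line Kerberos error rather than a SASL handshake failure buried in Kafka's client logs.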
-------------------------------------------
Kerberos requires consistent hostnames: DNS must resolve the KDC and the Kafka brokers to the names used in their principals.
Clients require
apt-get install krb5-user krb5-config
dpkg-reconfigure krb5-config (then specify the realm, i.e. EXAMPLE.COM). This writes /etc/krb5.conf
To log in
kinit pat@EXAMPLE.COM
klist lists the details of the ticket
apt install libpam-krb5
This adds the Kerberos module to the PAM stack in /etc/pam.d, so system logins can authenticate against the KDC.
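The Ubuntu client setup without the interactive krb5-config dialog, serving both the client install earlier in the page and these notes. This is an added example, not part of the original notes: it preseeds the debconf answers that krb5-config would otherwise ask for (template names as shipped by Debian's krb5-config package), installs the client and PAM packages non-interactively, and checks that the realm actually landed in /etc/krb5.conf. Realm and KDC names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): set up the Ubuntu Kerberos client
# without the krb5-config dialog by preseeding debconf, then verify the resulting
# /etc/krb5.conf and enable PAM logins. Realm and KDC names are placeholders.
set -eu

REALM="${REALM:-EXAMPLE.COM}"
KDC="${KDC:-kdc.example.com}"        # assumption
ADMIN_SERVER="${ADMIN_SERVER:-$KDC}" # usually the same host as the KDC

# debconf answers that krb5-config reads instead of prompting.
preseed_lines() {  # $1=realm $2=kdc $3=admin server
  printf 'krb5-config krb5-config/default_realm string %s\n' "$1"
  printf 'krb5-config krb5-config/kerberos_servers string %s\n' "$2"
  printf 'krb5-config krb5-config/admin_server string %s\n' "$3"
}

# Read default_realm back out of a krb5.conf (tolerates tabs and spaces).
krb5_default_realm() {  # $1=krb5.conf path
  sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

install_client() {
  preseed_lines "$REALM" "$KDC" "$ADMIN_SERVER" | debconf-set-selections
  DEBIAN_FRONTEND=noninteractive apt-get install -y krb5-user krb5-config libpam-krb5
  # libpam-krb5 registers itself via pam-auth-update, so system logins now try
  # the KDC; make sure the realm really landed in the config before relying on it.
  [ "$(krb5_default_realm /etc/krb5.conf)" = "$REALM" ] || {
    echo "default_realm in /etc/krb5.conf is not $REALM" >&2; return 1; }
  # End-to-end check as a normal user afterwards:  kinit pat@EXAMPLE.COM ; klist
}

if [ "${1:-}" = "install" ]; then install_client; fi
```

Run it as root with the argument "install". The default_realm check matters because with DEBIAN_FRONTEND=noninteractive and no preseed, krb5-config writes a krb5.conf with an empty realm and every kinit then fails with "Cannot find KDC for realm".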