Kerberos

Kerberos Installation

Kerberos Server:

sudo yum install -y krb5-server

Three config files need to be modified:

1. sudo vi /var/kerberos/krb5kdc/kdc.conf

2. sudo vi /var/kerberos/krb5kdc/kadm5.acl

It is a one-liner; replace it with

*/admin@KAFKA.SECURE *

This grants every principal with an /admin instance in the KAFKA.SECURE realm full rights on all resources.

3. sudo vi /etc/krb5.conf

Replace the admin_server and kdc addresses and set the log paths.

Create Kerberos Database

sudo /usr/sbin/kdb5_util create -s -r KAFKA.SECURE -P this-is-unsecure

-s also creates the stash file, which holds the master key; -r is the realm name.

Add Principal/user

sudo kadmin.local -q 'add_principal -pw this-is-unsecure admin/admin'

Here we pass a query (-q) running add_principal for the principal admin/admin, with its password given by -pw.

Restart the service

sudo systemctl restart krb5kdc

sudo systemctl restart kadmin

Now create a new principal

sudo kadmin.local -q 'add_principal -randkey reader@KAFKA.SECURE'

This generates a random key for the principal reader in realm KAFKA.SECURE.

Create 2 more users

sudo kadmin.local -q 'add_principal -randkey writer@KAFKA.SECURE'

sudo kadmin.local -q 'add_principal -randkey admin@KAFKA.SECURE'

Create a principal for the Kafka service

sudo kadmin.local -q 'add_principal -randkey kafka/ec2.xx.xxxx@KAFKA.SECURE'

i.e. service/hostname@realm (kafka/ec2...@KAFKA.SECURE)

hostname must be the Kafka broker's hostname.

If you have multiple Kafka brokers, repeat the above query with each hostname.

The kafka principal is bound to the specified hostname only. The admin principal above has no host component, so it can be used from any host.

Export principals to keytab files

sudo kadmin.local -q 'xst -kt /tmp/reader.user.keytab reader@KAFKA.SECURE'

This exports the key of the principal 'reader' to a keytab file.

Repeat the same for writer and admin

sudo kadmin.local -q "xst -kt /tmp/writer.user.keytab writer@KAFKA.SECURE"

sudo kadmin.local -q "xst -kt /tmp/admin.user.keytab admin@KAFKA.SECURE"

Create a keytab for the kafka service principal

sudo kadmin.local -q "xst -kt /tmp/kafka.service.keytab kafka/ec2.xx.xx.@KAFKA.SECURE"

Now copy the keytabs locally, and upload the kafka service keytab to the Kafka broker.

On the client machine (Ubuntu)

1. Install client libraries

export DEBIAN_FRONTEND=noninteractive && sudo apt-get install krb5-user

2. sudo vi /etc/krb5.conf

Edit the admin_server and kdc parameters to point to the appropriate server.

Test - get a ticket as the admin user

kinit -kt /tmp/admin.user.keytab admin

(produces no output if successful)

Note: kinit -kt <keytabfile> without a user will list the details of the keytab.

Use klist to see what the ticket cache looks like.

klist -kt <keytabfile> will list all the principals in the keytab.

Kafka server configuration

Modify server.properties accordingly, providing the correct listeners and the SASL service name.

Create JAAS Configuration for Kafka server

This tells the broker how to handle SASL authentication. There are several SASL mechanisms; here we are using Kerberos.

KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/tmp/kafka.service.keytab"
    principal="kafka/<<DNS>>@KAFKA.SECURE";
};

Set the JVM environment variable

KAFKA_OPTS=-Djava.security.auth.login.config=<<PATH>>/kafka_server_jaas.conf

vi /etc/systemd/system/kafka.service

The only change in the file is setting the JVM parameter above.

Ports to be opened

Client

2181 - Zookeeper

9092 - Kafka plaintext

9093 - Kafka SSL port

9094 - Kafka Kerberos port

Server (kerberos)

88 (both TCP and UDP)

Kafka client - create a JAAS file similar to the Kafka server's

vi /tmp/kafka_client_jaas.conf

KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true;
};

Create the Kerberos client properties file

vi /tmp/kafka_client_kerberos.properties

security.protocol=SASL_SSL

sasl.kerberos.service.name=kafka

ssl.truststore.location=/home/gerd/ssl/kafka.client.truststore.jks

ssl.truststore.password=clientpass

export KAFKA_OPTS="-Djava.security.auth.login.config=/tmp/kafka_client_jaas.conf"

Producer

- ~/kafka/bin/kafka-console-producer.sh --broker-list ec2.xx.xx.xx:9094 --topic kafka-security-topic --producer-config /tmp/kafka_client_kerberos.properties

Consumer

- ~/kafka/bin/kafka-console-consumer.sh --bootstrap-server ec2.xx.xx.xx:9094 --topic kafka-security-topic --consumer-config /tmp/kafka_client_kerberos.properties

-------------------------------------------

Kerberos requires a hostname.

Clients require

apt-get install krb5-user krb5-config

dpkg-reconfigure krb5-config (then specify the realm, i.e. example.com). This creates the file /etc/krb5.conf.

To Login

kinit -p pat@EXAMPLE.COM

klist - lists the details of the ticket

apt install libpam-krb5

This adds Kerberos authentication to the PAM configuration (pam.d).