SASL gssapi (kerberos) authentication
zmstone edited this page Aug 1, 2024 · 3 revisions
NOTE: a more up-to-date version of this example is in https://github.com/kafka4beam/brod_gssapi/pull/6
Follow the steps at http://docs.confluent.io/current/cp-docker-images/docs/tutorials/clustered-deployment-sasl.html to bring up the Kerberos, ZooKeeper and Kafka cluster.

Generate a client certificate for brod and sign it with the tutorial's snakeoil CA:

```sh
# work directory: cp-docker-images/examples/kafka-cluster-sasl/secrets
openssl req -passin "pass:confluent" -passout "pass:confluent" -newkey rsa:2048 -sha256 -keyout brod.key -out brod.csr -days 3650 -nodes -subj '/CN=brod.test.confluent.io/OU=TEST/O=CONFLUENT/L=PaloAlto/S=Ca/C=US'
openssl x509 -req -CA snakeoil-ca-1.crt -CAkey snakeoil-ca-1.key -in brod.csr -out brod.crt -days 3650 -CAcreateserial
```
Create a principal for brod and export its keytab from the kerberos container:

```sh
# work directory: cp-docker-images/examples/kafka-cluster-sasl/secrets
docker exec -it kerberos kadmin.local -q "addprinc -randkey brod/[email protected]"
docker exec -it kerberos kadmin.local -q "ktadd -norandkey -k /tmp/keytab/brod.keytab brod/[email protected]"
# IMPORTANT: copy the keytab out of this directory before changing its owner,
# so that the change does not affect the file shared with the kerberos docker container
sudo cp brod.keytab /tmp/brod.keytab
# Make sure the current user can read the copy (it keeps mode 600)
sudo chown $(stat -c "%U:%G" .) /tmp/brod.keytab
```
Point the Kerberos client library at the tutorial's configuration:

```sh
# work directory: cp-docker-images/examples/kafka-cluster-sasl/secrets
export KRB5_CONFIG=$(pwd)/krb.conf
```
See https://github.com/ElMaxo/brod_gssapi

Cyrus SASL is required to compile brod_gssapi. For example, on CentOS 7:

```sh
sudo yum install cyrus-sasl-devel
```

Start an Erlang shell with the ebin directories of brod and brod_gssapi (and their dependencies) added to the code path, then evaluate the expressions below to verify SASL GSSAPI authentication.
```erlang
Dir = "/tmp". %% Change to the directory where cp-docker-images is cloned
CaCert = Dir ++ "/cp-docker-images/examples/kafka-cluster-sasl/secrets/snakeoil-ca-1.crt".
Cert = Dir ++ "/cp-docker-images/examples/kafka-cluster-sasl/secrets/brod.crt".
Key = Dir ++ "/cp-docker-images/examples/kafka-cluster-sasl/secrets/brod.key".
%% The keytab generated by the kerberos container is by default owned by root with mode 600;
%% make sure the current user can read the copy made above.
KeyTab = <<"/tmp/brod.keytab">>.
Principal = <<"brod/[email protected]">>.
brod:start_client([{"quickstart.confluent.io", 29094}], client1,
                  [{ssl, [{cacertfile, CaCert}, {certfile, Cert}, {keyfile, Key}]},
                   {sasl, {callback, brod_gssapi, {gssapi, KeyTab, Principal}}}]).
```