Securing Kafka and Zookeeper with Kerberos

Question

I'm trying to setup a kerberos identification between zookeeper and kafka.

I have followed the configuration steps available here : https://docs.confluent.io/4.1.1/kafka/authentication_sasl_gssapi.html#sasl-gssapi-broker.

The kafka brokers successfully connect to the zookeeper ensemble and the brokers are setting ACLs on znodes.

In Zookeeper, I can see the znodes /brokers/ids, but the ACLs are set like this :

'world,'anyone
: r
'sasl,'kafka/kafka-broker-01.c.aesthetic-way-193809.internal@MYREALM.COM
: cdrwa

The first broker creates the znode, put its ACL and make it unmodiafiable for all nodes that want to add their ids.

The docs says that we should use the same principal for all the brokers but the example of the documentation does not match this recommendation :

 // ZooKeeper client authentication
 Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   keyTab="/etc/security/keytabs/kafka_server.keytab"
   principal="kafka/kafka1.hostname.com@EXAMPLE.COM";
};

Shoud I create a principal like kafka_zk_cli@MYREALM.COM and use it the Client section of my JAAS file on each broker ? If yes can I share the keytab for this user on each broker ?

Thanks for the help.

Does this reference help? https://docs.confluent.io/current/tutorials/security_tutorial.html#security-tutorial — Robin Moffatt, Jun 13 '18 at 05:14
Thanks for the documentation but it talks about plain authentication. I need to setup it with Kerberos. I manage to make it work by using the same principal for all kafka brokers in the Client section of the JAAS configuration. It seems that this [doc](https://docs.confluent.io/current/kafka/authentication_sasl_gssapi.html#jaas) is not completely correct. — vespasien, Jun 13 '18 at 13:35

score 2 · Accepted Answer · edited Nov 26 '19 at 14:15

2

You can drop the host from the principal and use the same one for all brokers, you can set acls manually (not ideal), or you can add these to your zookeeper configuration as well

kerberos.removeHostFromPrincipal = true
kerberos.removeRealmFromPrincipal = true

Any of those three options should help here.

edited Nov 26 '19 at 14:15

Gray

115,027
24
293
354

answered Jun 14 '18 at 01:38

dawsaw

2,283
13
10

1

Thanks. I used the same principal for all the brokers for zookeeper connection and it works. I used kerberos.removeHostFromPrincipal but it didn't change anything. I should try to use in conjunction with kerberos.removeRealmFromPrincipal. – vespasien Jul 17 '18 at 15:06

score 0 · Answer 2 · answered Aug 19 '19 at 14:48

The properties kerberos.removeHostFromPrincipal, kerberos.removeRealmFromPrincipal were not working for me. After going through the source code of zookeeper version 3.4.14 I passed the above property as an JVM argument such as

-Dzookeeper.kerberos.removeHostFromPrincipal=true
-Dzookeeper.kerberos.removeRealmFromPrincipal=true

Also In my case as it was the case of cross realm ticket authetication, I added the auth rules like :

-Dzookeeper.security.auth_to_local=RULE:[2:$1](.*)

Have a look at the class https://github.com/apache/zookeeper/blob/release-3.4.14/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java

Now my topics ACLS look like this

getAcl /kafka-cluster/config/topics/test20
'world,'anyone
: r
'sasl,'zookeeper
: cdrwa

Securing Kafka and Zookeeper with Kerberos

2 Answers2