I have configured a 3-node Kafka cluster. Now we want to set up security with Keycloak for Kafka. Please let me know what the ways to do this are.

Question 1: How to implement security for Kafka broker to Kafka broker with Keycloak?

Question 2: How to implement security for Kafka client to Kafka broker with Keycloak?

Note: We already have Keycloak set up.

OneCricketeer
Ashok Kuramdasu

1 Answer

You can configure Kafka to use OAUTHBEARER, which is implemented in the latest Kafka release. You can find more info on how to configure it here.

You can also get more information about the feature from the Kafka docs.

You need to implement `org.apache.kafka.common.security.auth.AuthenticateCallbackHandler` to get a token from Keycloak and to validate the token from Keycloak.

ravthiru
  • Thanks. OAuthBearer is not generating secure tokens, right? And let's say I go with AuthenticateCallbackHandler for Keycloak, then which grant_type will be used for broker-to-broker and client-to-broker communication? – Ashok Kuramdasu Nov 30 '18 at 07:19
  • If I implement Keycloak in Kafka, then how can I validate the token in the broker, and how can I recreate the token if it has expired? – Ashok Kuramdasu Dec 03 '18 at 14:08
  • What is your use case? Is your broker in an unsecured network? There are different ways; one option is to use offline tokens, where you need to take care of getting refresh tokens every time. http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html – ravthiru Dec 03 '18 at 23:11
  • Thanks for the info. Which SASL mechanism needs to be used for Kafka with Keycloak, and how can I pass the access_token from the client to the Kafka broker? – Ashok Kuramdasu Dec 07 '18 at 07:35
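An added example, not part of the answer or comments above and not Kafka's or Keycloak's own code: one way to write the token-obtaining half of the `AuthenticateCallbackHandler` the answer describes, using the client_credentials grant and handing the result to Kafka through `OAuthBearerTokenCallback`. The class name and the JAAS option names `tokenEndpoint`, `clientId` and `clientSecret` are assumptions, as are Java 11+ and the regex-based extraction of the two response fields.

```java
import java.io.IOException;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.*;
// Hypothetical login handler (Java 11+): client_credentials grant against a Keycloak token endpoint.
public class KeycloakLoginCallbackHandler implements AuthenticateCallbackHandler {
    private Map<String, ?> opts; // JAAS options; tokenEndpoint/clientId/clientSecret are assumed names
    public void configure(Map<String, ?> c, String mech, List<AppConfigurationEntry> jaas) { opts = jaas.get(0).getOptions(); }
    public void close() { }
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof OAuthBearerTokenCallback)) throw new UnsupportedCallbackException(cb);
            ((OAuthBearerTokenCallback) cb).token(fetchToken()); // called again when the login is refreshed
        }
    }
    private OAuthBearerToken fetchToken() throws IOException {
        String form = "grant_type=client_credentials&client_id=" + enc("clientId") + "&client_secret=" + enc("clientSecret");
        HttpRequest req = HttpRequest.newBuilder(URI.create((String) opts.get("tokenEndpoint")))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        String body;
        try {
            HttpResponse<String> r = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
            if (r.statusCode() != 200) throw new IOException("token endpoint returned " + r.statusCode());
            body = r.body();
        } catch (InterruptedException e) { Thread.currentThread().interrupt(); throw new IOException(e); }
        String jwt = field(body, "\"access_token\"\\s*:\\s*\"([^\"]+)\""); // use a JSON parser in production
        long now = System.currentTimeMillis();
        long expiry = now + 1000L * Long.parseLong(field(body, "\"expires_in\"\\s*:\\s*(\\d+)"));
        return new OAuthBearerToken() {
            public String value() { return jwt; }
            public Set<String> scope() { return Collections.emptySet(); }
            public long lifetimeMs() { return expiry; } // absolute expiry time in epoch milliseconds
            public String principalName() { return (String) opts.get("clientId"); }
            public Long startTimeMs() { return now; }
        };
    }
    private String enc(String key) { return URLEncoder.encode((String) opts.get(key), StandardCharsets.UTF_8); }
    private static String field(String json, String regex) throws IOException {
        Matcher m = Pattern.compile(regex).matcher(json);
        if (m.find()) return m.group(1);
        throw new IOException("token response missing expected field");
    }
}
```

A client references the class through `sasl.login.callback.handler.class`, and the listener should be SASL_SSL because the bearer token is sent to the broker as-is. The broker still needs its own handler for `OAuthBearerValidatorCallback` that checks the token's signature, issuer and expiry before accepting it.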