We have a Kafka cluster in production without any security. We plan to turn on security (SASL/OAUTHBEARER) on the broker side. But it looks like as soon as we turn on broker-side security, all the insecure clients will be dropped immediately. For a smooth transition from an insecure to a secure cluster, without any downtime, we want Kafka clients to enable security first. And once all our clients have migrated, we can turn on security at the broker level. However, I do not find a way for secure clients to talk to an insecure broker. Has anyone done this? Any ideas on a smooth migration to security in production?
2 Answers
0
In Kafka 2.0, the following protocol combinations are allowed:
+------------------+-------+-----------+
|                  | SSL   | Kerberos  |
+------------------+-------+-----------+
| PLAINTEXT        | No    | No        |
| SSL              | Yes   | No        |
| SASL_PLAINTEXT   | No    | Yes       |
| SASL_SSL         | Yes   | Yes       |
+------------------+-------+-----------+
Those combinations are applicable to both broker-to-broker and broker-to-client, but the key config here is security.inter.broker.protocol, which does not have to be the same for broker-to-broker and broker-to-client. This means that we can enable security in a Kafka cluster without having any downtime.
Enabling Kerberos
- Step 1: Disable security for broker-to-broker: security.inter.broker.protocol=PLAINTEXT
- Step 2: Enable Kerberos for broker-to-client in server.properties
- Step 3: Do a rolling restart
- Step 4: Enable Kerberos for broker-to-broker: security.inter.broker.protocol=SASL_PLAINTEXT

Enabling SSL
- Step 1: Disable security for broker-to-broker: security.inter.broker.protocol=PLAINTEXT
- Step 2: Enable SSL for broker-to-client in server.properties
- Step 3: Do a rolling restart
- Step 4: Enable SSL for broker-to-broker: security.inter.broker.protocol=SSL

Giorgos Myrianthous
The clients will still have downtime... You would need to generate, distribute, and set up certs. Also, these settings are different from OAuth bearer – OneCricketeer Feb 26 '20 at 07:42
0
Setting the following property in server.properties will allow insecure clients to connect to port 9097 and secure clients to connect to port 9096.
listeners=SASL_PLAINTEXT://:9096,PLAINTEXT://:9097

KafkaNoob
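Both answers rely on the same idea: keep a PLAINTEXT listener open for clients that have not migrated yet, add a SASL listener beside it, and move security.inter.broker.protocol only once the SASL listener exists on every broker. The checker below is an added example (not code from either answer or from Apache Kafka) that parses a broker's server.properties and verifies those invariants for each phase of the migration. The property names (listeners, listener.security.protocol.map, security.inter.broker.protocol, sasl.enabled.mechanisms, sasl.mechanism.inter.broker.protocol) and their defaults are real Kafka broker settings; the sample configs, the rule set and the function names (check_migration, run_all) are constructed for illustration.

```python
"""Sanity-check a Kafka server.properties at each phase of a dual-listener
migration to SASL/OAUTHBEARER.  Added example; not code from the answers
above or from Apache Kafka.  Property names are real broker settings, the
sample configs and rules are constructed."""

BUILTIN_PROTOCOLS = {"PLAINTEXT", "SSL", "SASL_PLAINTEXT", "SASL_SSL"}


def parse_properties(text):
    """Minimal key=value parser for a .properties file; '#' starts a comment."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_listeners(value):
    """'SASL_PLAINTEXT://:9096,PLAINTEXT://:9097' -> {'SASL_PLAINTEXT': 9096, 'PLAINTEXT': 9097}"""
    listeners = {}
    for item in filter(None, (s.strip() for s in value.split(","))):
        name, _, hostport = item.partition("://")
        listeners[name] = int(hostport.rsplit(":", 1)[1])
    return listeners


def check_migration(props, clients_migrated):
    """Return a list of problems (empty list == safe for this phase).
    clients_migrated=True means every client already authenticates."""
    problems = []
    listeners = parse_listeners(props.get("listeners", "PLAINTEXT://:9092"))
    # Custom listener names (e.g. INTERNAL) must be mapped to a protocol.
    proto_map = {k.strip(): v.strip() for k, _, v in
                 (item.partition(":") for item in
                  props.get("listener.security.protocol.map", "").split(",") if ":" in item)}
    protocols = {}
    for name in listeners:
        if name in proto_map:
            protocols[name] = proto_map[name]
        elif name in BUILTIN_PROTOCOLS:
            protocols[name] = name
        else:
            problems.append(f"listener {name} is not in listener.security.protocol.map")

    # Brokers talk to each other over one of these listeners too; if the
    # inter-broker protocol has no listener, the rolling restart splits the cluster.
    inter = props.get("security.inter.broker.protocol", "PLAINTEXT")  # Kafka default
    if inter not in protocols.values():
        problems.append(f"security.inter.broker.protocol={inter} has no matching listener")

    sasl_protocols = {p for p in protocols.values() if p.startswith("SASL_")}
    if not sasl_protocols:
        problems.append("no SASL listener: secure clients have nowhere to connect")
    mechanisms = {m.strip() for m in props.get("sasl.enabled.mechanisms", "GSSAPI").split(",")}
    if sasl_protocols and "OAUTHBEARER" not in mechanisms:
        problems.append("sasl.enabled.mechanisms does not include OAUTHBEARER")
    if inter.startswith("SASL_"):
        ib_mech = props.get("sasl.mechanism.inter.broker.protocol", "GSSAPI")  # Kafka default
        if ib_mech not in mechanisms:
            problems.append(f"inter-broker mechanism {ib_mech} is not in sasl.enabled.mechanisms")

    # The PLAINTEXT port must stay until the last client has moved, and go away after.
    plaintext_open = "PLAINTEXT" in protocols.values()
    if not clients_migrated and not plaintext_open:
        problems.append("PLAINTEXT listener closed before all clients migrated: they will be dropped")
    if clients_migrated and plaintext_open:
        problems.append("PLAINTEXT listener still open after migration: unauthenticated access remains")
    return problems


# Constructed sample configs for the three phases of the migration.
PHASE1 = """# brokers still use PLAINTEXT among themselves; clients may use either port
listeners=SASL_PLAINTEXT://:9096,PLAINTEXT://:9097
security.inter.broker.protocol=PLAINTEXT
sasl.enabled.mechanisms=OAUTHBEARER
"""
PHASE2 = """# brokers now authenticate to each other; unmigrated clients still allowed
listeners=SASL_PLAINTEXT://:9096,PLAINTEXT://:9097
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=OAUTHBEARER
sasl.enabled.mechanisms=OAUTHBEARER
"""
FINAL = """# plaintext port removed once every client authenticates
listeners=SASL_PLAINTEXT://:9096
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=OAUTHBEARER
sasl.enabled.mechanisms=OAUTHBEARER
"""


def run_all():
    """Evaluate each phase; 'final_too_early' shows what closing 9097 too soon reports."""
    return {
        "phase1": check_migration(parse_properties(PHASE1), clients_migrated=False),
        "phase2": check_migration(parse_properties(PHASE2), clients_migrated=False),
        "final": check_migration(parse_properties(FINAL), clients_migrated=True),
        "final_too_early": check_migration(parse_properties(FINAL), clients_migrated=False),
    }


if __name__ == "__main__":
    for phase, problems in run_all().items():
        print(phase, "OK" if not problems else problems)
```

Run it before each rolling restart against the properties file you are about to deploy; the first three phases report no problems, while removing the 9097 listener before the clients have moved is flagged. Two caveats the thread only hints at: the SASL_PLAINTEXT listener used here (because both answers use it) carries the OAUTHBEARER token in the clear, so a SASL_SSL listener is the better target for production, and, as the comment on the first answer notes, each client still needs its own configuration change and reconnect, which this broker-side check cannot detect.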