I am new to Apache Kafka, and here is what I have done so far:

  1. Downloaded kafka_2.12-2.1.0
  2. Made a batch file for ZooKeeper to run the ZooKeeper server:

    start kafka_2.12-2.1.0.\bin\windows\zookeeper-server-start.bat kafka_2.12-2.1.0.\config\zookeeper.properties

  3. Made a batch file for the Apache Kafka server:

    start kafka_2.12-2.1.0\bin\windows\kafka-server-start.bat kafka_2.12-2.1.0\config\server.properties

  4. Started a producer using a batch file:

    start kafka_2.12-2.1.0.\bin\windows\kafka-console-producer.bat --broker-list localhost:9092 --topic 3drocket-player

It is running fine, but now I am looking for authentication, as I have to implement a consumer with specific auth settings (a requirement from the client): the security protocol is SASL_SSL and the SSL mechanism is GSSAPI. For this reason, I searched and found the Confluent documentation, but the problem is that it is too abstract about how to take each and every step.

I am looking for detailed configuration steps according to my setup: how to configure my Kafka server with SASL SSL and the GSSAPI protocol. Initially I found that GSSAPI/Kerberos has a separate server, so do I need to install another server? Is there any built-in solution within Confluent Kafka?

Muhammad Faizan Khan
  • GSSAPI is not an "_SSL mechanism_", it's an abstraction layer over different authentication mechanisms (Kerberos, NTLM) trying to coexist on some platforms. https://serverfault.com/questions/139896/what-is-sasl-gssapi – mazaneicha Mar 21 '20 at 16:11
  • I found that SASL_SSL can be implemented through GSSAPI/Kerberos – Muhammad Faizan Khan Mar 28 '20 at 05:44

2 Answers

Configure a SASL port in server.properties

For example:

    listeners=SASL_SSL://host.name:port
    security.inter.broker.protocol=SASL_SSL
    sasl.mechanism.inter.broker.protocol=GSSAPI
    sasl.enabled.mechanisms=GSSAPI
    sasl.kerberos.service.name=kafka
    ssl.keystore.location=/path/to/keystore.jks
    ssl.keystore.password=keystore_password
    ssl.truststore.location=/path/to/truststore.jks
    ssl.truststore.password=truststore_password
    ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1

https://kafka.apache.org/documentation/#security_configbroker https://kafka.apache.org/documentation/#security_sasl_config

Client: When you run the Kafka client, you need to set these properties.

    security.protocol=SASL_SSL
    ssl.truststore.location=/path/to/truststore.jks
    ssl.truststore.password=truststore_password
    sasl.mechanism=GSSAPI
    sasl.kerberos.service.name=kafka

https://kafka.apache.org/documentation/#security_configclients https://kafka.apache.org/documentation/#security_sasl_kerberos_clientconfig

Then set up the JAAS configuration:

    KafkaClient {
       com.sun.security.auth.module.Krb5LoginModule required
       useKeyTab=true
       keyTab="path/to/kafka_client.keytab"
       storeKey=true
       useTicketCache=false
       principal="kafka-client-1@EXAMPLE.COM";
    };

S.Lim
  • Where is the Kerberos server? And what is JAAS configuration? – Muhammad Faizan Khan Mar 26 '20 at 07:25
  • If you want to use a kerberized service, you need to set up the server. Please check this first: https://web.mit.edu/kerberos/krb5-devel/doc/admin/install.html JAAS is just a configuration file: https://docs.confluent.io/current/kafka/authentication_sasl/index.html#jaas-configurations – S.Lim Mar 26 '20 at 12:46
  • You mean I have to set up a separate server for Kerberos? – Muhammad Faizan Khan Mar 28 '20 at 06:35
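
A consistency check for the broker and client properties in the answer above, as an added example that is not part of the original answer: it parses both property sets and reports settings that break the SASL_SSL/GSSAPI pairing or weaken TLS. The names `parse_props`, `items` and `audit` are hypothetical, and it assumes listener names equal protocol names.

```python
# Added example. BROKER/CLIENT are sample inputs constructed from the answer's snippets.
BROKER = """\
listeners=SASL_SSL://host.name:port
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
"""
CLIENT = """\
security.protocol=SASL_SSL
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
"""

def parse_props(text):
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!" and "=" in line:  # skip blanks and comments
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def items(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def audit(broker_text, client_text):
    """Return a list of findings; an empty list means every check passed."""
    b, c = parse_props(broker_text), parse_props(client_text)
    # Assumes listener names equal protocol names (no listener.security.protocol.map).
    listeners = items(b.get("listeners", "")) or ["(unset)"]
    out = [f"broker listener is not SASL_SSL: {x}" for x in listeners if not x.startswith("SASL_SSL://")]
    # Kafka defaults both protocol settings to PLAINTEXT and both mechanisms to GSSAPI.
    if b.get("security.inter.broker.protocol", "PLAINTEXT") != "SASL_SSL":
        out.append("inter-broker traffic is not SASL_SSL")
    if c.get("security.protocol", "PLAINTEXT") != "SASL_SSL":
        out.append("client security.protocol is not SASL_SSL")
    enabled = items(b.get("sasl.enabled.mechanisms", "GSSAPI"))
    if b.get("sasl.mechanism.inter.broker.protocol", "GSSAPI") not in enabled:
        out.append("inter-broker SASL mechanism is not enabled on the broker")
    if c.get("sasl.mechanism", "GSSAPI") not in enabled:
        out.append("client sasl.mechanism is not enabled on the broker")
    # Both sides must name the same Kerberos service (the broker principal's primary).
    if b.get("sasl.kerberos.service.name") != c.get("sasl.kerberos.service.name"):
        out.append("sasl.kerberos.service.name differs between broker and client")
    # TLS 1.0 and 1.1 are deprecated (RFC 8996).
    out += [f"deprecated TLS version enabled: {p}"
            for p in items(b.get("ssl.enabled.protocols", "")) if p in ("TLSv1", "TLSv1.1")]
    return out
```

Run against the answer's settings, the only findings are the two legacy TLS versions in `ssl.enabled.protocols`; restricting that list to `TLSv1.2` clears them.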

... SASL/GSSAPI is for organizations using Kerberos (for example, by using Active Directory). You don’t need to install a new server just for Apache Kafka®. Ask your Kerberos administrator for a principal for each Kafka broker in your cluster and for every operating system user that will access Kafka with Kerberos authentication (via clients and tools). https://docs.confluent.io/current/kafka/authentication_sasl/authentication_sasl_gssapi.html#kafka-sasl-auth-gssapi ....

Alf Baez
  • From Review: Hi, while links are a great way of sharing knowledge, they won't really answer the question if they get broken in the future. Add to your answer the essential content of the link which answers the question. In case the content is too complex or too big to fit here, describe the general idea of the proposed solution. Remember to always keep a link reference to the original solution's website. See: [How do I write a good answer?](https://stackoverflow.com/help/how-to-answer) – sɐunıɔןɐqɐp Jun 04 '20 at 17:04