
I am trying to secure Apache Kafka using SASL_SSL with the GSSAPI mechanism. Everything is working properly apart from the fact that the authentication names used by Kafka are the "pre-Windows 2000" formatted names instead of the "standard" new ones.

For instance, I declare a new Kafka broker in our Active Directory (I forgot to say that it's a Windows 10 version...):

User logon Name: kafka/kafka1.myfqdn.com@MYFQDN.COM

User logon name (pre-Windows 2000): FAKE_USER1


When I log in to Kafka using this user's keytab, I get this in the logs:

```
[2020-11-21 17:05:50,168] INFO Successfully authenticated client: authenticationID=FAKE_USER1@MYFQDN.COM; authorizationID=kafka/kafka1.myfqdn.com@MYFQDN.COM. (org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)
[2020-11-21 17:09:50,909] INFO [GroupMetadataManager brokerId=1] Removed 0 expired offsets in 0 milliseconds. (kafka.coordinator.group.GroupMetadataManager)
[2020-11-21 17:12:00,672] INFO Successfully authenticated client: authenticationID=FAKE_USER1@MYFQDN.COM; authorizationID=kafka/kafka1.myfqdn.com@MYFQDN.COM. (org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)
[2020-11-21 17:12:00,772] INFO Successfully authenticated client: authenticationID=FAKE_USER1@MYFQDN.COM; authorizationID=kafka/kafka1.myfqdn.com@MYFQDN.COM. (org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)
[2020-11-21 17:12:00,799] DEBUG No acl found for resource ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL), authorized = false (kafka.authorizer.logger)
[2020-11-21 17:12:00,799] INFO Principal = User:FAKE_USER1 is Denied Operation = DescribeConfigs from host = xxx.xxx.xxx.xxx on resource = Cluster:LITERAL:kafka-cluster for request = DescribeConfigs with resourceRefCount = 1 (kafka.authorizer.logger)
```

Of course, the Denied at the end is normal because my rules expect to extract "kafka" from the kafka/kafka1.myfqdn.com@MYFQDN.COM user.

Could you tell me what I am not doing properly?

Jerome
  • Maybe this post could be an inspiration: https://stackoverflow.com/questions/59469864/kafka-zookeeper-active-directory – Samson Scharfrichter Nov 22 '20 at 11:50
  • Thanks for the advice. Unfortunately no. As far as I'm concerned, authentication works. The issue for me is that the user reported is not the "long" one as it should be: kafka/kafka1.myfqdn.com@MYFQDN.COM – Jerome Nov 22 '20 at 21:22
  • Ah. So you assume that _"your rules"_ are correct. You mean some custom `auth_to_local` Kerberos rules? These are quite tricky to set up... – Samson Scharfrichter Nov 22 '20 at 23:18
  • Yes, I just added a picture to explain better. My issue is that the SASL authentication mechanism extracts user 'kafka1' instead of user 'kafka/kafka1.myfqdn.com@MYFQDN.COM' ... and I don't know why :-( – Jerome Nov 23 '20 at 07:37
  • https://docs.confluent.io/2.0.1/kafka/sasl.html#enabling-logging-for-sasl ... `sun.security.krb5.debug` system property ... – Samson Scharfrichter Nov 24 '20 at 08:38
  • Actually `java.security.debug=gssloginconfig,configfile,configparser,logincontext` is more useful to troubleshoot configuration issues (since these issues are not displayed by default and JAAS reverts silently to defaults...) – Samson Scharfrichter Nov 24 '20 at 08:41
  • You might want to investigate `sasl.kerberos.principal.to.local.rules` cf. https://docs.confluent.io/platform/current/kafka/authorization.html#sasl-kerberos-principals and https://docs.cloudera.com/runtime/7.2.1/kafka-securing/topics/kafka-secure-kerberos-enable.html – Samson Scharfrichter Nov 24 '20 at 08:51
  • Why do you use a SPN as a UPN? This does not make sense in Active Directory terms. – Michael-O Dec 03 '20 at 07:26
  • Dear @Michael-O, could you elaborate, please? I do not understand why you think that I use an SPN as a UPN. – Jerome Dec 22 '20 at 07:52
  • By the way, I edited my first post again to remove any ambiguity between the different names. – Jerome Dec 22 '20 at 08:22
  • @Jerome I have answered this question already on SO. Please search. – Michael-O Dec 22 '20 at 09:03
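The setting Samson points at in the comments, `sasl.kerberos.principal.to.local.rules`, is what turns a Kerberos name into the `User:...` principal the authorizer logs, and Kafka documents its default as mapping `{username}/{hostname}@{REALM}` to `{username}`. That is consistent with the log in the question: `Principal = User:FAKE_USER1` is the default mapping of the authentication ID `FAKE_USER1@MYFQDN.COM`, so a rule written for the two-component name `kafka/kafka1.myfqdn.com@MYFQDN.COM` never sees it. The following Python re-implementation of the rule grammar (`RULE:[n:string](regexp)s/pattern/replacement/[g][/L|/U]` and `DEFAULT`) is an added example for this page, not code from the question or from Kafka itself. It evaluates a rule written for the service-principal form against both names from the log, and then a second rule list that also maps the pre-Windows 2000 account name. The default realm `MYFQDN.COM`, the rule strings, and the literal `FAKE_USER1` match are assumptions for illustration; the DEFAULT behaviour is simplified to "first component, if the realm is the default realm".

```python
"""Evaluate Kafka-style principal-to-local rules.

Illustrative re-implementation of the documented rule grammar; not Kafka's code.
"""
import re

# Assumption for this example: the realm the broker principals live in.
DEFAULT_REALM = "MYFQDN.COM"

# RULE:[n:string](regexp)s/pattern/replacement/[g][/L|/U]
_RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"            # [n:string]
    r"(?:\((?P<match>[^)]*)\))?"                       # optional (regexp)
    r"(?:s/(?P<src>[^/]*)/(?P<dst>[^/]*)/(?P<repeat>g)?)?"  # optional s/.../.../[g]
    r"(?P<case>/[LU])?$"                               # optional /L or /U
)


def split_principal(principal):
    """'svc/host@REALM' -> (['svc', 'host'], 'REALM'); realm is '' if absent."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Short name produced by one rule, or None if the rule does not apply."""
    components, realm = split_principal(principal)
    if rule == "DEFAULT":
        # {username}[/{hostname}]@{REALM} -> {username}, default realm only.
        return components[0] if realm == DEFAULT_REALM else None

    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("malformed rule: %r" % rule)
    if int(m.group("n")) != len(components):
        return None  # [n:...] applies only to names with exactly n components

    # $0 is the realm, $1..$n are the name components.
    def expand(var):
        i = int(var.group(1))
        return realm if i == 0 else components[i - 1]

    base = re.sub(r"\$(\d+)", expand, m.group("fmt"))
    if m.group("match") and not re.fullmatch(m.group("match"), base):
        return None

    result = base
    if m.group("src") is not None:
        # Java-style $1 group references in the replacement become \1 for Python.
        repl = re.sub(r"\$(\d+)", r"\\\1", m.group("dst"))
        count = 0 if m.group("repeat") else 1  # 'g' replaces every occurrence
        result = re.sub(m.group("src"), repl, base, count=count)
    if m.group("case") == "/L":
        result = result.lower()
    elif m.group("case") == "/U":
        result = result.upper()
    if "/" in result or "@" in result:
        raise ValueError("rule %r produced non-simple name %r" % (rule, result))
    return result


def short_name(rules, principal):
    """First matching rule wins, as with sasl.kerberos.principal.to.local.rules."""
    if "@" not in principal:
        return principal  # already a simple name
    for rule in rules:
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    raise ValueError("no rule matched %r" % principal)


# Rule list written for the service-principal form (assumed intent of the question).
OP_RULES = [
    r"RULE:[2:$1@$0](kafka@MYFQDN\.COM)s/@.*//",
    "DEFAULT",
]

# Same, plus a rule for the one-component sAMAccountName that AD actually presents
# (the FAKE_USER1 literal is taken from the question; a real deployment would
# use whatever pattern its account names follow).
AD_RULES = [
    r"RULE:[2:$1@$0](kafka@MYFQDN\.COM)s/@.*//",
    r"RULE:[1:$1@$0](FAKE_USER1@MYFQDN\.COM)s/.*/kafka/",
    "DEFAULT",
]

# Names taken from the question's log lines.
AUTHENTICATION_ID = "FAKE_USER1@MYFQDN.COM"
AUTHORIZATION_ID = "kafka/kafka1.myfqdn.com@MYFQDN.COM"

if __name__ == "__main__":
    for label, rules in (("OP_RULES", OP_RULES), ("AD_RULES", AD_RULES)):
        for p in (AUTHORIZATION_ID, AUTHENTICATION_ID):
            print("%-8s %-36s -> User:%s" % (label, p, short_name(rules, p)))
```

Run stand-alone, the first rule list yields `User:kafka` for the SPN-style name but `User:FAKE_USER1` for the authentication ID, exactly the principal the authorizer denied in the log; the second list maps both to `User:kafka`. Whichever name the broker is actually fed, the rule list must be written for that form, and `java.security.debug` / `sun.security.krb5.debug` as suggested in the comments show which name that is.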

0 Answers