MG>confusion between JAAS-security terminology and Kafka-SASL terminology?
________________________________ From: Stephane Maarek <steph...@simplemachines.com.au> Sent: Sunday, February 19, 2017 7:28 PM To: users@kafka.apache.org Subject: Security Documentation contradiction / misleading ? Hi, I’m wondering if the official Kafka documentation is misleading. Here ( https://kafka.apache.org/documentation/#security_sasl_brokernotes) you can Apache Kafka documentation - kafka.apache.org<https://kafka.apache.org/documentation/#security_sasl_brokernotes> kafka.apache.org 1.2 Use Cases. Here is a description of a few of the popular use cases for Apache Kafka™. For an overview of a number of these areas in action, see this blog post. read: 1. Client section is used to authenticate a SASL connection with zookeeper. It also allows the brokers to set SASL ACL on zookeeper nodes which locks these nodes down so that only the brokers can modify it. * It is necessary to have the same principal name across all brokers.* MG>hostnames are not same which errors out addprinc Principal for broker on second host e.g sudo /usr/sbin/kadmin.local -q ‘addprinc -randkey kafka/{hostname}@{REALM}’ If you want to use a section name other than Client, set the system property zookeeper.sasl.client to the appropriate name (*e.g.*, -Dzookeeper.sasl.client=ZkClient). And then right here https://kafka.apache.org/documentation/#security_sasl_kerberos_brokerconfig the Apache Kafka documentation - kafka.apache.org<https://kafka.apache.org/documentation/#security_sasl_kerberos_brokerconfig> kafka.apache.org 1.2 Use Cases. Here is a description of a few of the popular use cases for Apache Kafka™. For an overview of a number of these areas in action, see this blog post. suggested JAAS file is: // Zookeeper client authentication Client { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka_server.keytab"* principal="kafka/kafka1.hostname....@example.com <kafka1.hostname....@example.com>"; * }; MG>multiple principals means multiple AccessControlEntry entries MG>so this JAAS structure must be an acl (list of declared ACEs) Which in my opinion shows that every broker should have a different principal name to connect to Zookeeper. MG>makes sense since each principal will allow or deny capability for the broker hostname MG>mapping from broker to principal is 1:1 as explained here: https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/ Apache Kafka Security 101 - Confluent<https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/> www.confluent.io Apache Kafka is frequently used to store critical data making it one of the most important components of a company’s data infrastructure. Our goal is to make it ... Is that misleading, or am I missing something? MG>possible documentation error @ * It is necessary to have the same principal name across all brokers.* MG>Ismael can you correct? Thanks, Stephane MG>Thanks Stephane! MG>Martin
