Hi Martin, I’m having a bit of trouble reading your email. Per my understanding, if you set zookeeper.set.acl=true, then the zk nodes have to be owned by the kafka brokers. Say in a two broker setting kafka/kafka1.example.com & kafka/ kafk2.example.com , you’re going to have an issue. If I do Client section using the principals name as above, I will get the following:
[zk: localhost:2181(CONNECTED) 1] getAcl /admin 'world,'anyone : r 'sasl,'kafka/kafka1.example....@example.com : cdrwa Basically, the second broker will never be able to write or change the node as it’s owned by the first one. Per my understanding Zookeeper nodes ownership if different from ACL and how Kafka broker authorize each other’s replication operations (by creating acl nodes). And that’s why I understand the documentation recommends to have the same SPN across all brokers to connect to Zookeeper in the Client section. Am I missing something? Regards, Stephane On 21 February 2017 at 12:20:58 am, Martin Gainty (mgai...@hotmail.com) wrote: MG>confusion between JAAS-security terminology and Kafka-SASL terminology? ________________________________ From: Stephane Maarek <steph...@simplemachines.com.au> Sent: Sunday, February 19, 2017 7:28 PM To: users@kafka.apache.org Subject: Security Documentation contradiction / misleading ? Hi, I’m wondering if the official Kafka documentation is misleading. Here ( https://kafka.apache.org/documentation/#security_sasl_brokernotes) you can Apache Kafka documentation - kafka.apache.org< https://kafka.apache.org/documentation/#security_sasl_brokernotes> kafka.apache.org 1.2 Use Cases. Here is a description of a few of the popular use cases for Apache Kafka™. For an overview of a number of these areas in action, see this blog post. read: 1. Client section is used to authenticate a SASL connection with zookeeper. It also allows the brokers to set SASL ACL on zookeeper nodes which locks these nodes down so that only the brokers can modify it. * It is necessary to have the same principal name across all brokers.* MG>hostnames are not same which errors out addprinc Principal for broker on second host e.g sudo /usr/sbin/kadmin.local -q ‘addprinc -randkey kafka/{hostname}@{REALM}’ If you want to use a section name other than Client, set the system property zookeeper.sasl.client to the appropriate name (*e.g.*, -Dzookeeper.sasl.client=ZkClient). And then right here https://kafka.apache.org/documentation/#security_sasl_kerberos_brokerconfig the Apache Kafka documentation - kafka.apache.org< https://kafka.apache.org/documentation/#security_sasl_kerberos_brokerconfig> kafka.apache.org 1.2 Use Cases. Here is a description of a few of the popular use cases for Apache Kafka™. For an overview of a number of these areas in action, see this blog post. suggested JAAS file is: // Zookeeper client authentication Client { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka_server.keytab"* principal="kafka/kafka1.hostname....@example.com <kafka1.hostname....@example.com>"; * }; MG>multiple principals means multiple AccessControlEntry entries MG>so this JAAS structure must be an acl (list of declared ACEs) Which in my opinion shows that every broker should have a different principal name to connect to Zookeeper. MG>makes sense since each principal will allow or deny capability for the broker hostname MG>mapping from broker to principal is 1:1 as explained here: https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/ Apache Kafka Security 101 - Confluent< https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/> www.confluent.io Apache Kafka is frequently used to store critical data making it one of the most important components of a company’s data infrastructure. Our goal is to make it ... Is that misleading, or am I missing something? MG>possible documentation error @ * It is necessary to have the same principal name across all brokers.* MG>Ismael can you correct? Thanks, Stephane MG>Thanks Stephane! MG>Martin
