Hi Kaufman,

Thanks for the blog link. It definitely helped clear up a few things, but I
was struggling to understand the behavior I was seeing where clients were
still able to establish an SSL connection after SASL authentication even
when trust store config was not set at the client side and ssl.client.auth
was enabled.

I found KAFKA-3166 which explained why ssl.client.auth was ignored, but it
didn't explain why clients were still able to connect to the Kafka broker
over a SASL_SSL port without providing trust store config. I wrote a
detailed explanation about this in another mail I sent out ("Question with
regards to KAFKA-3166"). I would be curious to know your thoughts on it.

Regards,

Waleed Fateem

On Thu, May 25, 2017 at 8:49 AM, Kaufman Ng <kauf...@confluent.io> wrote:

> Ismael also wrote this security blog post about Kafka security. Hope you
> find it useful:
> https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
>
>
> On Thu, May 25, 2017 at 12:04 AM, Waleed Fateem <waleed.fat...@gmail.com> wrote:
>
> > For completion, I saw Ismael Juma post an answer which contains the
> > information I was looking for:
> >
> > http://comments.gmane.org/gmane.comp.apache.kafka.user/15140
> >
> > SASL_SSL -> authentication using SASL AND connection is encrypted using
> > SSL.
> >
> > On Wed, May 24, 2017 at 7:37 PM, Waleed Fateem <waleed.fat...@gmail.com> wrote:
> >
> > > Hello!
> > >
> > > I'm not very clear on the behavior that we should expect when we configure Kafka to use the protocol SASL_SSL.
> > >
> > > Are SASL and SSL mutually exclusive here, or can I authenticate with SASL and use SSL for encryption?
> > >
> > > If the latter is true, then is it correct to assume that encryption will take place using SSL if a client authenticates using a Kerberos ticket, so long as they have a trust store configured?
> > >
> > > Thank you.
> > >
> > > Waleed
> > >
> >
>
>
>
> --
> Kaufman Ng
> +1 646 961 8063
> Solutions Architect | Confluent | www.confluent.io
>
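As an added illustration that is not from any message in this thread, below is what a SASL_SSL (Kerberos/GSSAPI) broker listener and a matching client configuration look like, with the point from the thread that ssl.client.auth does not apply to SASL_SSL listeners (KAFKA-3166) noted inline. Host names, key/trust store paths, passwords and principals are placeholders.

```properties
# ---- broker: server.properties (placeholder values) ----
# SASL_SSL = clients authenticate with SASL, the TCP connection is TLS-encrypted.
listeners=SASL_SSL://broker.example.com:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=GSSAPI
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.kerberos.service.name=kafka

# Broker identity for the TLS handshake (the certificate clients verify).
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
# Needed by the broker's own client side for inter-broker TLS.
ssl.truststore.location=/etc/kafka/ssl/broker.truststore.jks
ssl.truststore.password=changeit

# Per KAFKA-3166 this setting is ignored on a SASL_SSL listener: SASL, not a
# client certificate, is the authentication step there. It only matters on
# plain SSL listeners.
ssl.client.auth=required

# ---- client: client.properties (placeholder values) ----
security.protocol=SASL_SSL
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
# Kerberos credentials for the SASL step (assumed keytab path and principal).
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
  useKeyTab=true storeKey=true \
  keyTab="/etc/security/keytabs/client.keytab" \
  principal="client@EXAMPLE.COM";

# The trust store holds the CA that signed the broker certificate; it is what
# lets the client verify it is talking to the real broker before SASL runs.
ssl.truststore.location=/etc/kafka/ssl/client.truststore.jks
ssl.truststore.password=changeit
# Optional hardening: also check the broker hostname against its certificate.
ssl.endpoint.identification.algorithm=HTTPS
```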
