5.Security

The Kafka community added a number of features that, used either separately or together, increases security in a Kafka cluster. The following security measures are currently supported by Kafka Eagle:

SASL/GSSAPI (Kerberos)
SASL/PLAIN
SASL/SCRAM-SHA-256
SASL/OAUTHBEARER
SSL
CGROUPS(SASL & SSL)

How To Use SASL And SSL Security On Multi-Cluster

1.Kerberos

1.1 Setting Kafka Eagle System File

Kafka Eagle system-config.properties file setting:

######################################
# kafka  sasl authenticate
######################################
cluster1.kafka.eagle.sasl.enable=true
cluster1.kafka.eagle.sasl.protocol=SASL_PLAINTEXT
cluster1.kafka.eagle.sasl.mechanism=GSSAPI
cluster1.kafka.eagle.sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka_client.keytab" principal="[email protected]";
# make sure there is a local ticket cache ```klist -l``` to view
# cluster1.kafka.eagle.sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true renewTicket=true serviceName="kafka-eagle.org";

# if your kafka cluster doesn't require it, you don't need to set it up
# cluster1.kafka.eagle.sasl.client.id=

2.PLAIN

2.1 Setting Kafka Eagle System File

Kafka Eagle system-config.properties file setting:

######################################
# kafka  sasl authenticate
######################################
cluster1.kafka.eagle.sasl.enable=true
cluster1.kafka.eagle.sasl.protocol=SASL_PLAINTEXT
cluster1.kafka.eagle.sasl.mechanism=PLAIN
cluster1.kafka.eagle.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="kafka" password="kafka-eagle";
# if your kafka cluster doesn't require it, you don't need to set it up
# cluster1.kafka.eagle.sasl.client.id=

3.SCRAM-SHA-256

3.1 Setting Kafka Eagle System File

Kafka Eagle system-config.properties file setting:

######################################
# kafka  sasl authenticate
######################################
cluster1.kafka.eagle.sasl.enable=true
cluster1.kafka.eagle.sasl.protocol=SASL_PLAINTEXT
cluster1.kafka.eagle.sasl.mechanism=SCRAM-SHA-256
cluster1.kafka.eagle.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="kafka" password="kafka-eagle";
# if your kafka cluster doesn't require it, you don't need to set it up
# cluster1.kafka.eagle.sasl.client.id=

4.OAUTHBEARER

4.1 Setting Kafka Eagle System File

If you use this authentication, you need to make sure that your Kafka cluster version is after 2.x, Kafka Eagle system-config.properties file setting:

######################################
# kafka  sasl authenticate
######################################
cluster1.kafka.eagle.sasl.enable=true
cluster1.kafka.eagle.sasl.protocol=SASL_PLAINTEXT
cluster1.kafka.eagle.sasl.mechanism=OAUTHBEARER
cluster1.kafka.eagle.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required unsecuredLoginStringClaim_sub="kafka-eagle";
# if your kafka cluster doesn't require it, you don't need to set it up
# cluster1.kafka.eagle.sasl.client.id=

5.SSL

5.1 Setting Kafka Eagle System File

If you use this authentication(ssl), you need to make sure that your Kafka cluster version is after 2.x, Kafka Eagle system-config.properties file setting:

######################################
# kafka ssl authenticate
######################################
cluster3.kafka.eagle.ssl.enable=true
cluster3.kafka.eagle.ssl.protocol=SSL
# kafka server.properties "ssl.truststore.location" value
cluster3.kafka.eagle.ssl.truststore.location=/data/kafka/ssl/certificates/kafka.truststore
# kafka server.properties "ssl.truststore.password" value
cluster3.kafka.eagle.ssl.truststore.password=ke123456
# kafka server.properties "ssl.keystore.location" value
cluster3.kafka.eagle.ssl.keystore.location=/data/kafka/ssl/certificates/kafka.keystore
# kafka server.properties "ssl.keystore.password" value
cluster3.kafka.eagle.ssl.keystore.password=ke123456
# kafka server.properties "ssl.key.password" value
cluster3.kafka.eagle.ssl.key.password=ke123456

How To Use SASL And SSL CGroups Topics On Multi-Cluster

When using permission authentication (such as SASL Or SSL), the user you are using only supports managing a limited number of kafka topics. You can enable the following properties:

# SASL
cluster1.kafka.eagle.sasl.cgroup.enable=true
cluster1.kafka.eagle.sasl.cgroup.topics=topic1,topic2,topic3

# SSL
cluster2.kafka.eagle.ssl.cgroup.enable=true
cluster2.kafka.eagle.ssl.cgroup.topics=topic4,topic5,topic6

Previous4.Configuration Next3.Quick Start

Last updated 5 years ago

hashtagHow To Use SASL And SSL Security On Multi-Cluster

hashtag1.Kerberos

hashtag1.1 Setting Kafka Eagle System File

hashtag2.PLAIN

hashtag2.1 Setting Kafka Eagle System File

hashtag3.SCRAM-SHA-256

hashtag3.1 Setting Kafka Eagle System File

hashtag4.OAUTHBEARER

hashtag4.1 Setting Kafka Eagle System File

hashtag5.SSL

hashtag5.1 Setting Kafka Eagle System File

hashtagHow To Use SASL And SSL CGroups Topics On Multi-Cluster

How To Use SASL And SSL Security On Multi-Cluster

1.Kerberos

1.1 Setting Kafka Eagle System File

2.PLAIN

2.1 Setting Kafka Eagle System File

3.SCRAM-SHA-256

3.1 Setting Kafka Eagle System File

4.OAUTHBEARER

4.1 Setting Kafka Eagle System File

5.SSL

5.1 Setting Kafka Eagle System File

How To Use SASL And SSL CGroups Topics On Multi-Cluster