Kafka security
You can improve the Kafka cluster security by having Kafka authenticate connections to brokers from client using either SSL or SASL.
SSL + Kerberos for Kafka clients
Prerequisite: Kafka brokers are configured with SSL and Kerberos. Refer to your Hadoop providers documentation for configuring SSL and Kerberos for Kafka brokers.
SSL+Kerberos is supported by new Kafka consumers and producers. The configuration is the same for consumers and producers. Replace items in red with values specific/relevant to your environment.
For single Kafka clients
Create a file named
consumerConfig.properties
. Add the following properties and copy/move the file/usr/local/unravel/etc
. You can locate your SSL + Kerberos configuration.security.protocol=SASL_SSL sasl.mechanism=GSSAPI sasl.kerberos.service.name=kafka ssl.enabled.protocols=TLSvl.2,TLSvl.l,TLSvl ssl.truststore.location=/usr/java/latest/jre/lib/security/jssecacerts ssl.truststore.password=changeit ssl.keystore.location=/opt/cloudera/security/pki/keystore.jks ssl.keystore.password=changeit sasl.jaas.config=\ com.sun.security.auth.module.Krb5LoginModule required \ useKeyTab=true \ useTicketCache=true \ keyTab="/opt/unravel/kafka.keytab" \ principal="kafka/kafkavm. unraveldata.com@UNRAVELDATA.COM";
Note
Only if Kerberos is enabled, the
security.protocol
isSASL_PLAINTEXT
and the SSL properties can be removed.Copy/move
consumerConfig.properties
to/usr/local/unravel/etc
.Edit
/usr/local/unravel/unravel.properties
. Search for com.unraveldata.ext.kafka.clusters.com.unraveldata.ext.kafka.clusters=
ClusterName
Add the following property using the
ClusterName
from above.com.unraveldata.ext.kafka.
ClusterName
.consumer.config=/usr/local/unravel/etc/consumerConfig.propertiesRestart the Kafka monitor daemon
unravel_km
.service unravel_km restart
For multiple Kafka clients
Warning
Each cluster must have a separate consumerConfig.properties
files.
Open
/usr/local/unravel/unravel.properties
. Search for com.unraveldata.ext.kafka.clusters.The property should be defined with a comma separated list. If there is only one cluster name see above.
com.unraveldata.ext.kafka.clusters=
ClusterName1
,ClusterName2
,ClusterName3
Create a file named
consumerConfig
ClusterName
.properties
for each cluster.security.protocol=SASL_SSL sasl.mechanism=GSSAPI sasl.kerberos.service.name=kafka ssl.enabled.protocols=TLSvl.2,TLSvl.l,TLSvl ssl.truststore.location=/usr/java/latest/jre/lib/security/jssecacerts ssl.truststore.password=changeit ssl.keystore.location=/opt/cloudera/security/pki/keystore.jks ssl.keystore.password=changeit sasl.jaas.config=\ com.sun.security.auth.module.Krb5LoginModule required \ useKeyTab=true \ useTicketCache=true \ keyTab="/opt/unravel/kafka.keytab" \ principal="kafka/kafkavm. unraveldata.com@UNRAVELDATA.COM";
Note
Only if Kerberos is enabled, the
security.protocol
isSASL_PLAINTEXT
and the SSL properties can be removed.Copy/move each file to
/usr/local/unravel/etc
.Edit
/usr/local/unravel/unravel.properties
. For each cluster add the following property.com.unraveldata.ext.kafka.ClusterName.consumer.config=/usr/local/unravel/etc/consumerConfigClusterName.properties
Restart the Kafka monitor daemon
unravel_km
.service unravel_km restart
Kafka authorizations
Unravel consumes messages to topic __consumer_offsets using consumer group UnravelOffsetConsumer.
The following privilege must be granted using sentry:
HOST=*->CONSUMERGROUP=UnravelOffsetConsumer→action=read HOST=*->CONSUMERGROUP=UnravelOffsetConsumer→action=write HOST=*->CONSUMERGROUP=UnravelOffsetConsumer→action=describe HOST=*->TOPIC=__consumer_offsets→action=read HOST=*->TOPIC=__consumer_offsets→action=write HOST=*->TOPIC=__consumer_offsets->action=describe
For further details see Using Kafka with Sentry Authorization in the Cloudera Distribution of Apache Kafka documentation.
The following privilege must be granted using Ranger for the topic __consumer_offsets.
Publish Consume Describe
For further details, see Security - Create a Kafka Policy in the HDP Security Guide.
References
For further information see Apache Kafka documentation chapter # 7 Security.