kafka-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Brown <brownjoe...@gmail.com>
Subject Simple Auth and Auth
Date Thu, 23 Jan 2014 19:07:40 GMT
Hi All

I’ve been looking at the wiki proposal to add Auth and Auth to kafka https://cwiki.apache.org/confluence/display/KAFKA/Security


In the meantime I’ve had a recent immediate requirement to implement something similar -
my solution is detailed below - fairly quick and dirty but achieved the desired results. 
At the moment the code is branched off the 0.8-beta - though to move to 0.8.0 is trivial -
the question is when will the https://cwiki.apache.org/confluence/display/KAFKA/Security be
looked at, if this is a ways off then I could consider creating a patch and pull request for
my code.

FYI my requirements were very specific - for example no encryption of the data, changes minimised
- easy to re-apply to future releases.
Authentication

Authentication is achieved by passing the client’s public certificate along with a message,
signed by the client’s private key, every time the client opens a connection to a broker.
The underlying Apache Kafka BlockingChannel was altered to ensure the connection is only established
on a successful authentication response from the broker. 

The broker, to authenticate the client, first verifies the client’s public certificate against
the issuing CA certificate held in the broker truststore. The broker then uses the verified
client’s certificate to verify the signed message from the client. On authentication by
the broker the successful authentication response is sent to the client. The client DN is
then registered against the client connection as trusted by the broker.

- Use of standard java.security.* and java.security.cert.* classes were used for Authentication
Authorization

Authorization is controlled by the file referenced by the property “auth.config.path”
configured on the broker. On broker initialization the file is read, changes to this file
will be reloaded at intervals defined by the “auth.file.watch.seconds" property.

Both Producer (produce) and Consumer (fetch) Requests are intercepted on the broker to check
whether the client connection is authenticated and then whether the associated client DN has
the permission to read (fetch) or write (produce) from/to the given topic.

- Uses simple json config file for authorization

Thoughts please?

Cheers

Joe
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message