kafka-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sriharsha Chintalapani (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos
Date Tue, 04 Nov 2014 17:39:34 GMT

    [ https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14196422#comment-14196422

Sriharsha Chintalapani commented on KAFKA-1686:

[~junrao] I was thinking of using jaas.conf which is what we used for storm http://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html.
It allows the service to renewTGT. Kerberos tickets can be valid for more than 10hrs it depends
the config /etc/krb5.conf. We can have renewTicket thread that checks for the current ticket_lifetime
and renew_lifetime and renews if the current ticket lifetime expired.
Each broker will run with its own keytab kafkabroker/_HOST@REALM. If you are using service
keytab they should've grant all permissions  in permissions manager. This could be as simple
as setting a config option in permission manager where you can whitelist a principal as admin
and use that principal for brokers. 
For example:
      kafka.admins: "kafkabroker"
and run all the brokers with kafkabroker/_HOST@REALM.
User needs to be careful in setting keytab permissions so that service keytabs cannot be accessed
by regular user to impersonate a kafkabroker and gain all access. 

> Implement SASL/Kerberos
> -----------------------
>                 Key: KAFKA-1686
>                 URL: https://issues.apache.org/jira/browse/KAFKA-1686
>             Project: Kafka
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 0.9.0
>            Reporter: Jay Kreps
>            Assignee: Sriharsha Chintalapani
>             Fix For: 0.9.0
> Implement SASL/Kerberos authentication.
> To do this we will need to introduce a new SASLRequest and SASLResponse pair to the client
protocol. This request and response will each have only a single byte[] field and will be
used to handle the SASL challenge/response cycle. Doing this will initialize the SaslServer
instance and associate it with the session in a manner similar to KAFKA-1684.
> When using integrity or encryption mechanisms with SASL we will need to wrap and unwrap
bytes as in KAFKA-1684 so the same interface that covers the SSLEngine will need to also cover
the SaslServer instance.

This message was sent by Atlassian JIRA

View raw message