Zookeeper and Kafka with SASL security

2
votes

I've setup a Kafka cluster with SASL SCRAM security, and it's working fine.

Per the documentation, I have used the command kafka-configs.sh to create a username and password and grant that user access to a topic.

That also works great.

However, the kafka-configs.sh command doesn't require any kind of authentication itself, so it occurs to me that ANYONE could run that command and create their own user in Kafka and grant their own permissions.

Perhaps I need to enable SASL security on Zookeeper? But I can't find any consistent or working documentation on how to do that. Adding properties to zookeeper.config like requireclientauthscheme=sasl doesn't seem to do anything. Or at least it doesn't stop kafka-configs.sh from creating new users in zookeeper without any sort of authentication.

Am I even going down a viable path here? Or do I need to back up and do something different?

For reference, I'm using Kafka 1.0.0 and Zookeper 3.4.11. But I'm flexible on versions if some other version works better.

Any help appreciated! :)

Thanks!

1
apache-kafkaapache-zookeepersasl

1 Answers

3
votes

I've finally hacked through a solution for this. :)

Basically, you need to use Zookeeper's on setAcl command to lock down the node /config/users. The documentation of how to use SASL to authenticate a Zookeeper ACL is poor at best. The normal Zookeeper mechanism of using addauth to authenticate doesn't work with SASL, because SASL has to happen at startup, not later as Zookeeper expects.

The syntax for setAcl is tricky, and if you get it wrong you can lock yourself out forever. So be careful. But Zookeeper does have a way to inject a super-user at startup to get yourself out of situations like that.

So for your kafka-configs.sh, you have to specify the -Djava.security.auth.login.config=[some file] parameter to pass in your client credentials to Zookeeper. And the server credentials are likewise in the JAAS file on the Zookeeper server.

I can provide additional technical details on my solution if anyone needs them, but somehow I suspect I'm one of the few people trying to seriously secure Kafka and Zookeeper using SASL_SCRAM. :)

I do hope SASL_SCRAM catches on though, because Kerberos is a three-headed beast of a technology that I'd rather not use unless I have to. :P