0
votes

I am trying to understand the intricacies of Kerberos authentication and validation of the ticket from the Kafka broker's perspective. I will summarize the steps.

  1. Kafka client authenticates with the KDC server.
  2. Kafka client gets the ticket.
  3. Kafka client publishes the message to the broker.
  4. Kafka broker authenticates the client.

My question is, will the Kafka broker validate the ticket that the Kafka client sends? What exactly happens at the broker side? How is the Kafka broker aware that the Kafka client has sent a valid, non-expired ticket?

Regards Pavan

1
Note: This isn't particularly a Kafka question since any Kerberized environment would act similarly. Plus, Kafka source code is available if you really wanted to know how that part works. (OneCricketeer)

1 Answer

0
votes

The question is not specific to Kafka, but is related to generic Kerberos authentication.

What happens here?

  1. The Kafka broker has a service account (keytab or username/password) as part of its configuration.
  2. This service account has an SPN (Service Principal Name) assigned to it, such as `HTTP/BROKER_FQDN.COM`.
  3. The client requests a ticket for the SPN of the broker. The KDC knows which user this SPN is attached to. The KDC generates a ticket, encrypts it using the broker's service account password, and sends this ticket to the client.
  4. The client passes this ticket to the broker.
  5. The broker knows that the ticket is encrypted using its own password, and the broker has this password, either in a keytab or as a direct password (based on the configuration).
  6. If the broker successfully decrypts the ticket, then the principal is available to the broker and the client is said to be authenticated. The ticket validation etc. happens after the ticket is decrypted.

This is basic Kerberos functionality.
You can also check the delegation or impersonation features of Kerberos, which can be used for particular use cases.
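To make steps 3 to 6 of the answer (and the asker's question about non-expired tickets) concrete, here is an added toy model of the service-ticket flow. It is illustration code written for this page, not Kafka, MIT Kerberos or the answerer's code: the cipher is a simplified stand-in for Kerberos's AES-based encryption, the authenticator and session key are omitted, the principal names are constructed examples, and the key-derivation, expiry and checking logic are assumptions about the shape of the protocol rather than its exact wire format. The point it demonstrates is the one the answer makes: the broker can only read the ticket because it holds the same long-term key the KDC used, and expiry checks run only after that decryption succeeds.

```python
import hashlib
import hmac
import json
import os

# Constructed example principals (not real hosts or realms).
BROKER_SPN = "kafka/broker1.example.com@EXAMPLE.COM"
CLIENT_PRINCIPAL = "producer@EXAMPLE.COM"


def derive_key(password: str, principal: str) -> bytes:
    """Stand-in for the Kerberos string-to-key function (assumption).

    The KDC and the service derive the same long-term key from the service
    account password; a keytab simply stores the derived key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream (SHA-256 in counter mode); not a real Kerberos etype.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Layout: nonce || ciphertext || HMAC tag. The tag is what lets the
    # receiver tell "wrong key" apart from "garbage plaintext".
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket was not encrypted under this service key (or was tampered with)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def kdc_issue_service_ticket(service_key: bytes, client_principal: str,
                             service_principal: str, lifetime_s: int, now: float) -> bytes:
    """KDC side (step 3): build the ticket and seal it under the service key."""
    ticket = {
        "cname": client_principal,      # who the ticket was issued to
        "sname": service_principal,     # which service it is for
        "starttime": now,
        "endtime": now + lifetime_s,
    }
    return encrypt(service_key, json.dumps(ticket).encode())


def broker_accept_ticket(service_key: bytes, service_principal: str,
                         ticket_blob: bytes, now: float) -> str:
    """Broker side (steps 5 and 6): decrypt, then validate. Returns the client principal."""
    ticket = json.loads(decrypt(service_key, ticket_blob))   # step 5: only our key opens it
    # Step 6: validation happens after decryption succeeded.
    if ticket["sname"] != service_principal:
        raise ValueError("ticket was issued for a different service")
    if not (ticket["starttime"] <= now <= ticket["endtime"]):
        raise ValueError("ticket expired or not yet valid")
    return ticket["cname"]


if __name__ == "__main__":
    service_key = derive_key("broker-service-password", BROKER_SPN)  # from keytab/config
    ticket = kdc_issue_service_ticket(service_key, CLIENT_PRINCIPAL, BROKER_SPN, 3600, 1000.0)
    print("authenticated as", broker_accept_ticket(service_key, BROKER_SPN, ticket, 2000.0))
    for label, key, when in (("expired", service_key, 10_000.0),
                             ("wrong key", derive_key("other", BROKER_SPN), 2000.0)):
        try:
            broker_accept_ticket(key, BROKER_SPN, ticket, when)
        except ValueError as exc:
            print(f"{label}: rejected ({exc})")
```

The two failure branches answer the asker's question directly: a ticket sealed under some other key never decrypts, so no principal is ever produced, and a ticket that does decrypt is still rejected if the current time falls outside its validity window.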