Posted to users@kafka.apache.org by Giuseppe Ricci Sysman <ri...@sys-man.it> on 2021/11/12 12:07:55 UTC

New on security on Apache Kafka

Hi,

 

I'm new to security in Apache Kafka. I have Apache Kafka (v. 2.13-3.0.0)
installed on a remote Ubuntu server. I need to secure the communications
with producer-kafka broker and kafka broker-consumer.

I am trying to follow the tutorial in the Kafka documentation:

 

https://kafka.apache.org/documentation/#security_overview

 

and this tutorial which is more detailed:

 

https://medium.com/egen/securing-kafka-cluster-using-sasl-acl-and-ssl-dec15b439f9d

 

but when I try to restart kafka server with the commands:

 

export KAFKA_OPTS=-Djava.security.auth.login.config=/home/kafka/Downloads/kafka_2.13-3.0.0/config/kafka_server_jaas.conf

./bin/kafka-server-start.sh ./config/server.properties

 

I receive the error:

 

kafka@kafka2:~/Downloads/kafka_2.13-3.0.0$ sudo ./bin/kafka-server-start.sh ./config/server.properties
[2021-11-12 11:45:46,995] INFO Registered kafka:type=kafka.Log4jController MBean (kafka.utils.Log4jControllerRegistration$)
[2021-11-12 11:45:47,183] INFO Setting -D jdk.tls.rejectClientInitiatedRenegotiation=true to disable client-initiated TLS renegotiation (org.apache.zookeeper.common.X509Util)
[2021-11-12 11:45:47,192] ERROR Exiting Kafka due to fatal exception (kafka.Kafka$)
java.lang.ClassNotFoundException: kafka.security.auth.SimpleAclAuthorizer
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:606)
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:168)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Class.java:468)
        at org.apache.kafka.common.utils.Utils.loadClass(Utils.java:417)
        at org.apache.kafka.common.utils.Utils.newInstance(Utils.java:406)
        at kafka.security.authorizer.AuthorizerUtils$.createAuthorizer(AuthorizerUtils.scala:31)
        at kafka.server.KafkaConfig.<init>(KafkaConfig.scala:1583)
        at kafka.server.KafkaConfig.<init>(KafkaConfig.scala:1394)
        at kafka.Kafka$.buildServer(Kafka.scala:67)
        at kafka.Kafka$.main(Kafka.scala:87)
        at kafka.Kafka.main(Kafka.scala)

 

It seems the class SimpleAclAuthorizer is not found.

Can it be due to a wrong configuration?

 

These are my SSL configs in the file server.properties:

 

########### SECURITY using SCRAM-SHA-512 and SSL ###################
listeners=PLAINTEXT://localhost:9092,SASL_PLAINTEXT://localhost:9093,SASL_SSL://localhost:9094
advertised.listeners=PLAINTEXT://localhost:9092,SASL_PLAINTEXT://localhost:9093,SASL_SSL://localhost:9094
security.inter.broker.protocol=SASL_SSL
ssl.endpoint.identification.algorithm=
ssl.client.auth=required
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
sasl.enabled.mechanisms=SCRAM-SHA-512

# Broker security settings
ssl.truststore.location=/home/kafka/Downloads/kafka_2.13-3.0.0/config/truststore/kafka.truststore.jks
ssl.truststore.password=giuseppe
ssl.keystore.location=/home/kafka/Downloads/kafka_2.13-3.0.0/config/keystore/kafka.keystore.jks
ssl.keystore.password=giuseppe
ssl.key.password=giuseppe

# ACLs
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin

#zookeeper SASL
zookeeper.set.acl=false
########### SECURITY using SCRAM-SHA-512 and SSL ###################

 

Any help is appreciated.

Thanks.

 

PhD Giuseppe Ricci 

R&D Senior Software Developer

Sysman Progetti & Servizi S.r.l.

 
http://www.sys-man.it 

 

e-mail: ricci@sys-man.it

 




Re: New on security on Apache Kafka

Posted by Liam Clarke-Hutchinson <lc...@redhat.com>.
Hi Giuseppe,

That class was replaced in Kafka 2.4, I think, with
kafka.security.authorizer.AclAuthorizer.

Cheers,

Liam Clarke-Hutchinson

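Added example, not part of the original thread and not code from the Kafka project: a small Python linter run over the security-relevant keys of the server.properties posted in the question. It flags the authorizer class that the Kafka 3.0.0 broker could not load and, going slightly beyond the question asked, the listeners without TLS and the empty hostname-verification setting. The names `parse_properties` and `lint` and the sample text are constructed for illustration, and listener names are assumed to equal their security protocols, as in the post.

```python
# Constructed sample: security-relevant keys from the posted server.properties
# (wrapped lines rejoined, the password replaced by a placeholder).
SAMPLE = """\
listeners=PLAINTEXT://localhost:9092,SASL_PLAINTEXT://localhost:9093,SASL_SSL://localhost:9094
security.inter.broker.protocol=SASL_SSL
ssl.endpoint.identification.algorithm=
ssl.client.auth=required
sasl.enabled.mechanisms=SCRAM-SHA-512
ssl.keystore.password=<placeholder>
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin
"""

REMOVED_AUTHORIZER = "kafka.security.auth.SimpleAclAuthorizer"
CURRENT_AUTHORIZER = "kafka.security.authorizer.AclAuthorizer"


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def lint(props):
    """Return (key, finding) tuples for the weak spots in the posted config."""
    findings = []
    if props.get("authorizer.class.name") == REMOVED_AUTHORIZER:
        findings.append(("authorizer.class.name",
                         f"class not in Kafka 3.0.0; use {CURRENT_AUTHORIZER}"))
    # Assumption: listener names are the protocol names (no custom protocol map).
    for listener in filter(None, props.get("listeners", "").split(",")):
        proto = listener.split("://", 1)[0].strip().upper()
        if proto in ("PLAINTEXT", "SASL_PLAINTEXT"):
            findings.append(("listeners", f"{listener} is not TLS-encrypted"))
    # A key that is present but empty turns hostname verification off.
    if props.get("ssl.endpoint.identification.algorithm") == "":
        findings.append(("ssl.endpoint.identification.algorithm",
                         "empty value disables hostname verification"))
    return findings


if __name__ == "__main__":
    for key, finding in lint(parse_properties(SAMPLE)):
        print(f"{key}: {finding}")
```
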