Posted to users@kafka.apache.org by Giuseppe Ricci Sysman <ri...@sys-man.it> on 2021/11/12 12:07:55 UTC
New on security on Apache Kafka
Hi,
I'm new to security in Apache Kafka. I have Apache Kafka (v. 2.13-3.0.0)
installed on a remote Ubuntu server. I need to secure the communications
with producer-kafka broker and kafka broker-consumer.
I try to follow the tutorial on Kafka documentation:
https://kafka.apache.org/documentation/#security_overview
and this tutorial which is more detailed:
https://medium.com/egen/securing-kafka-cluster-using-sasl-acl-and-ssl-dec15b439f9d
but when I try to restart kafka server with the commands:
export KAFKA_OPTS=-Djava.security.auth.login.config=/home/kafka/Downloads/kafka_2.13-3.0.0/config/kafka_server_jaas.conf
./bin/kafka-server-start.sh ./config/server.properties
I receive the error:
kafka@kafka2:~/Downloads/kafka_2.13-3.0.0$ sudo ./bin/kafka-server-start.sh ./config/server.properties
[2021-11-12 11:45:46,995] INFO Registered kafka:type=kafka.Log4jController MBean (kafka.utils.Log4jControllerRegistration$)
[2021-11-12 11:45:47,183] INFO Setting -D jdk.tls.rejectClientInitiatedRenegotiation=true to disable client-initiated TLS renegotiation (org.apache.zookeeper.common.X509Util)
[2021-11-12 11:45:47,192] ERROR Exiting Kafka due to fatal exception (kafka.Kafka$)
java.lang.ClassNotFoundException: kafka.security.auth.SimpleAclAuthorizer
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:606)
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:168)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:468)
at org.apache.kafka.common.utils.Utils.loadClass(Utils.java:417)
at org.apache.kafka.common.utils.Utils.newInstance(Utils.java:406)
at kafka.security.authorizer.AuthorizerUtils$.createAuthorizer(AuthorizerUtils.scala:31)
at kafka.server.KafkaConfig.<init>(KafkaConfig.scala:1583)
at kafka.server.KafkaConfig.<init>(KafkaConfig.scala:1394)
at kafka.Kafka$.buildServer(Kafka.scala:67)
at kafka.Kafka$.main(Kafka.scala:87)
at kafka.Kafka.main(Kafka.scala)
It seems the class SimpleAclAuthorizer is not found.
Can it be due to a wrong configuration?
These are my SSL configs in the file server.properties:
########### SECURITY using SCRAM-SHA-512 and SSL ###################
listeners=PLAINTEXT://localhost:9092,SASL_PLAINTEXT://localhost:9093,SASL_SSL://localhost:9094
advertised.listeners=PLAINTEXT://localhost:9092,SASL_PLAINTEXT://localhost:9093,SASL_SSL://localhost:9094
security.inter.broker.protocol=SASL_SSL
ssl.endpoint.identification.algorithm=
ssl.client.auth=required
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
sasl.enabled.mechanisms=SCRAM-SHA-512
# Broker security settings
ssl.truststore.location=/home/kafka/Downloads/kafka_2.13-3.0.0/config/truststore/kafka.truststore.jks
ssl.truststore.password=giuseppe
ssl.keystore.location=/home/kafka/Downloads/kafka_2.13-3.0.0/config/keystore/kafka.keystore.jks
ssl.keystore.password=giuseppe
ssl.key.password=giuseppe
# ACLs
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin
#zookeeper SASL
zookeeper.set.acl=false
########### SECURITY using SCRAM-SHA-512 and SSL ###################
Any help is appreciated.
Thanks.
PhD Giuseppe Ricci
R&D Senior Software Developer
Sysman Progetti & Servizi S.r.l.
http://www.sys-man.it
e-mail: <ma...@sys-man.it> ricci@sys-man.it
Re: New on security on Apache Kafka
Posted by Liam Clarke-Hutchinson <lc...@redhat.com>.
Hi Giuseppe,
That class was replaced in Kafka 2.4, I think, with
kafka.security.authorizer.AclAuthorizer.
Cheers,
Liam Clarke-Hutchinson
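The class rename from the reply, together with two other settings in the posted server.properties that affect whether client traffic is actually protected, as an added pre-flight check (example code, not from the thread or the Kafka project). SAMPLE is a constructed reduction of the posted config; parse_properties and lint are hypothetical helper names, and listener names are assumed to equal their security protocol (no listener.security.protocol.map).

```python
"""Pre-flight lint for a Kafka broker server.properties (added example)."""

# Constructed sample, reduced from the settings quoted in the thread.
SAMPLE = """\
listeners=PLAINTEXT://localhost:9092,SASL_PLAINTEXT://localhost:9093,SASL_SSL://localhost:9094
security.inter.broker.protocol=SASL_SSL
ssl.endpoint.identification.algorithm=
# ACLs
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:admin
"""

LEGACY_AUTHORIZER = "kafka.security.auth.SimpleAclAuthorizer"
CURRENT_AUTHORIZER = "kafka.security.authorizer.AclAuthorizer"
# Assumption: listener names are the protocol names (default mapping).
CLEARTEXT_PROTOCOLS = {"PLAINTEXT", "SASL_PLAINTEXT"}


def parse_properties(text):
    """Parse the key=value subset of Java .properties used by Kafka configs."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint(props):
    """Return a list of (key, message) findings for the parsed config."""
    findings = []
    if props.get("authorizer.class.name") == LEGACY_AUTHORIZER:
        findings.append(("authorizer.class.name",
                         f"legacy class, replaced by {CURRENT_AUTHORIZER}"))
    for listener in filter(None, props.get("listeners", "").split(",")):
        name = listener.split("://", 1)[0].strip()
        if name in CLEARTEXT_PROTOCOLS:
            findings.append(("listeners",
                             f"{listener.strip()} carries traffic without TLS"))
    # Key present with an empty value turns hostname verification off.
    if props.get("ssl.endpoint.identification.algorithm") == "":
        findings.append(("ssl.endpoint.identification.algorithm",
                         "empty value disables TLS hostname verification"))
    return findings


if __name__ == "__main__":
    for key, message in lint(parse_properties(SAMPLE)):
        print(f"{key}: {message}")
```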