You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@kafka.apache.org by Jamie Wang <ja...@opentext.com> on 2017/11/15 18:23:29 UTC
Disable anonymous access to zookeeper
Hi,
I am using Kafka 0.10.0 version. In this version, zookeeper is required. Recently we found by default zookeeper allows anonymous connect to its port and for some this seems to be a security concern. So I'd like to disable zookeeper's ability to support anonymous connect. I am wondering if I disabled this, would it impact any Kafka operations. I am only using a single node Kafka (no cluster). Would appreciate any information or pointers on how to proceed with this or any particular documentation I should read. Thanks I advance for your help.
Jamie
Re: Disable anonymous access to zookeeper
Posted by Jakub Scholz <ja...@scholz.cz>.
Hi Jamie,
You should be able to use something like this:
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/security/keytabs/kafka_server.keytab"
principal="kafka/kafka1.hostname.com@EXAMPLE.COM";
};
or this:
Client {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="kafka"
password="123456";
};
in the Kafka JAAS config file. This defines the SASL client for connecting
to Zookeeper. You can have a look here for some more details:
http://kafka.apache.org/0100/documentation.html#security_sasl_brokernotes
Jakub
On Wed, Nov 15, 2017 at 6:23 PM, Jamie Wang <ja...@opentext.com> wrote:
> Hi,
>
> I am using Kafka 0.10.0 version. In this version, zookeeper is required.
> Recently we found by default zookeeper allows anonymous connect to its port
> and for some this seems to be a security concern. So I'd like to disable
> zookeeper's ability to support anonymous connect. I am wondering if I
> disabled this, would it impact any Kafka operations. I am only using a
> single node Kafka (no cluster). Would appreciate any information or
> pointers on how to proceed with this or any particular documentation I
> should read. Thanks I advance for your help.
>
> Jamie
>