Posted to issues@ambari.apache.org by "Yolanda M. Davis (JIRA)" <ji...@apache.org> on 2017/11/22 03:21:00 UTC

[jira] [Commented] (AMBARI-22485) Allow Ambari to support non-kerberos SASL mechanisms for Kafka

    [ https://issues.apache.org/jira/browse/AMBARI-22485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16261916#comment-16261916 ] 

Yolanda M. Davis commented on AMBARI-22485:
-------------------------------------------

Kafka supports the *PLAINTEXT, SSL, SASL_PLAINTEXT(PLAINTEXTSASL), SASL_SSL* protocols to communicate
with Kafka brokers. Brokers can be configured with all of these protocols at the same time using the "listeners" config property.

listeners=PLAINTEXT://host.name:port1,SASL_PLAINTEXT://host.name:port2,SSL://host.name:port3,SASL_SSL://host.name:port4

*PLAINTEXT*
This is the default protocol. No special configuration is required. This support is available in Ambari.

*SSL*
This can be configured in Ambari. Required configs are documented in
https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.2/bk_security/content/ch_wire-kafka.html

*SASL_PLAINTEXT(PLAINTEXTSASL)*
Under the SASL protocol, Kafka supports the following SASL mechanisms:

SASL/GSSAPI (Kerberos) - (this is the default mechanism)
SASL/PLAIN 
SASL/SCRAM-SHA-256
SASL/SCRAM-SHA-512

The above mechanisms are configured using kafka_server_jaas.conf and the configs below:

listeners
sasl.enabled.mechanisms
security.inter.broker.protocol
sasl.mechanism.inter.broker.protocol

Currently, on a kerberized cluster, Ambari automates kafka_server_jaas.conf and the configs for the SASL/GSSAPI (Kerberos) mechanism, and also passes the Java system property below to the Java runtime command.

"-Djava.security.auth.login.config=/usr/hdf/current/kafka-broker/config/kafka_jaas.conf"


For other mechanisms, we should support including kafka_server_jaas.conf in non-kerberized environments.

Enable the properties below in the Custom Broker section:
sasl.enabled.mechanisms
security.inter.broker.protocol
sasl.mechanism.inter.broker.protocol


*SASL_SSL*
The above SASL mechanisms can be combined with SSL encryption.


*THINGS TO DO:*

1. Write docs for configuring SASL/PLAIN, SASL/SCRAM-SHA-256, SASL/SCRAM-SHA-512 mechanisms, jaas conf files and configs

2. Enable the properties below in the Custom Broker section:
		sasl.enabled.mechanisms=GSSAPI
		security.inter.broker.protocol=PLAINTEXT
		sasl.mechanism.inter.broker.protocol=GSSAPI

3. Allow Ambari to pass kafka_server_jaas.conf on a non-kerberized cluster if listeners contains SASL_PLAINTEXT or SASL_SSL. We also need to pass kafka_client_jaas.conf files to the Kafka CLI scripts.

4. Resolve any issues that exist while enabling multiple listeners

> Allow Ambari to support non-kerberos SASL mechanisms for Kafka
> --------------------------------------------------------------
>
>                 Key: AMBARI-22485
>                 URL: https://issues.apache.org/jira/browse/AMBARI-22485
>             Project: Ambari
>          Issue Type: Bug
>          Components: stacks
>    Affects Versions: 2.6.0
>            Reporter: Yolanda M. Davis
>            Assignee: Yolanda M. Davis
>         Attachments: AMBARI-22485.patch, AMBARI-22485_branch-2.6.patch
>
>
> Currently Ambari supports SASL and SSL as the security options for Kafka.
> Within SASL, Ambari supports only GSSAPI (Kerberos). Kafka supports other mechanisms such as plain, md5, etc. This allows users to plug in their LDAP system into Kafka.
> Also, another important option is SASL_SSL.
> We need to expose the necessary configs in Ambari to enable these mechanisms for users.
> Ambari should allow users to not only configure Kafka for non-Kerberos-based SASL mechanisms, but also ensure that JAAS configuration files are written when these options are provided (as opposed to only writing those files when Kerberos has been enabled).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
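
An added example, not part of the original comment or of Ambari's code: a Python check of the rule in item 3 (a JAAS file is needed whenever listeners contains SASL_PLAINTEXT or SASL_SSL, with or without Kerberos) plus consistency checks on the three broker properties. Function names, finding labels and the sample hostnames are assumptions, and listener names are assumed to equal their security protocol.

```python
# Added example: function names and finding labels are assumptions.
SASL_PROTOCOLS = {"SASL_PLAINTEXT", "SASL_SSL"}
ALIASES = {"PLAINTEXTSASL": "SASL_PLAINTEXT"}  # alias named in the comment
DEFAULTS = {  # values listed in item 2 of the comment
    "sasl.enabled.mechanisms": "GSSAPI",
    "security.inter.broker.protocol": "PLAINTEXT",
    "sasl.mechanism.inter.broker.protocol": "GSSAPI",
}

def parse_properties(text):
    props = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def canonical(protocol):
    name = protocol.strip().upper()
    return ALIASES.get(name, name)

def check_broker(text, kerberos_enabled=False):
    """Return (needs_jaas, findings) for one broker's properties."""
    props = parse_properties(text)
    # PLAINTEXT is the default protocol when no listener is configured.
    protos = {canonical(e.split("://", 1)[0])
              for e in props.get("listeners", "").split(",") if e.strip()} or {"PLAINTEXT"}
    mechs = {m.strip().upper()
             for m in props["sasl.enabled.mechanisms"].split(",") if m.strip()}
    inter_proto = canonical(props["security.inter.broker.protocol"])
    inter_mech = props["sasl.mechanism.inter.broker.protocol"].strip().upper()
    needs_jaas = bool(protos & SASL_PROTOCOLS)  # item 3 of the comment
    findings = []
    if needs_jaas and not kerberos_enabled:
        findings.append("jaas-required-without-kerberos")
        if "GSSAPI" in mechs:  # GSSAPI is the Kerberos mechanism
            findings.append("gssapi-enabled-without-kerberos")
    if inter_proto not in protos:
        findings.append("inter-broker-protocol-has-no-listener")
    if inter_proto in SASL_PROTOCOLS and inter_mech not in mechs:
        findings.append("inter-broker-mechanism-not-enabled")
    if "PLAIN" in mechs and "SASL_PLAINTEXT" in protos:
        findings.append("plain-credentials-over-unencrypted-listener")
    return needs_jaas, findings

SAMPLE = """\
listeners=SASL_PLAINTEXT://broker1.example.com:6667,SASL_SSL://broker1.example.com:6668
sasl.enabled.mechanisms=PLAIN,SCRAM-SHA-256
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
"""  # constructed sample, not taken from the issue
```

The last finding reflects that SASL/PLAIN sends the username and password unencrypted unless the listener is SASL_SSL.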