Posted to commits@metron.apache.org by ni...@apache.org on 2017/04/10 18:54:33 UTC

incubator-metron git commit: METRON-829 Use Fastcapa with Kerberos (nickwallen) closes apache/incubator-metron#514

Repository: incubator-metron
Updated Branches:
  refs/heads/master ab80e7b18 -> 7c1a56549


METRON-829 Use Fastcapa with Kerberos (nickwallen) closes apache/incubator-metron#514


Project: http://git-wip-us.apache.org/repos/asf/incubator-metron/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-metron/commit/7c1a5654
Tree: http://git-wip-us.apache.org/repos/asf/incubator-metron/tree/7c1a5654
Diff: http://git-wip-us.apache.org/repos/asf/incubator-metron/diff/7c1a5654

Branch: refs/heads/master
Commit: 7c1a56549cf99b013aa2f6022121dc6ff581c0fd
Parents: ab80e7b
Author: nickwallen <ni...@nickallen.org>
Authored: Mon Apr 10 14:54:05 2017 -0400
Committer: nickallen <ni...@apache.org>
Committed: Mon Apr 10 14:54:05 2017 -0400

----------------------------------------------------------------------
 metron-sensors/fastcapa/README.md | 55 ++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/7c1a5654/metron-sensors/fastcapa/README.md
----------------------------------------------------------------------
diff --git a/metron-sensors/fastcapa/README.md b/metron-sensors/fastcapa/README.md
index 74e7809..5efdb3f 100644
--- a/metron-sensors/fastcapa/README.md
+++ b/metron-sensors/fastcapa/README.md
@@ -9,6 +9,9 @@ Fastcapa leverages the Data Plane Development Kit ([DPDK](http://dpdk.org/)).  D
 * [Requirements](#requirements)
 * [Installation](#installation)
 * [Usage](#usage)
+    * [Parameters](#parameters)
+    * [Output](#output)
+    * [Kerberos](#kerberos)
 * [How It Works](#how-it-works)
 * [Performance](#performance)
 * [FAQs](#faqs)
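
Review bot: The new `Parameters` and `Output` entries under Usage link to `#parameters` and `#output`, but the only heading this patch adds is `### Kerberos`. Please confirm that both of those headings already exist in the README at that level, otherwise the two links will be dead.
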
@@ -181,6 +184,7 @@ The probe has been tested with [Librdkafka 0.9.4](https://github.com/edenhill/li
     cd incubator-metron/metron-sensors/fastcapa
     make
     ```
+    
 
 Usage
 -----
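
Review bot: The line added after the closing fence of the `make` block contains only four spaces. It changes nothing in the rendered README and introduces trailing whitespace, so it should be dropped from the patch.
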
@@ -316,6 +320,57 @@ When running the probe some basic counters are output to stdout.  Of course duri
 * `[kaf]` + `out`: A total of 7 packets has successfully reached Kafka. 
 * `[kaf]` + `queued`: There is 1 packet within the `rdkafka` queue waiting to be sent.
 
+### Kerberos
+
+The probe can be used in a Kerberized environment.  Follow these additional steps to use Fastcapa with Kerberos.  The following assumptions have been made.  These may need altered to fit your environment.
+
+* The Kafka broker is at `kafka1:6667`
+* Zookeeper is at `zookeeper1:2181`
+* The Kafka security protocol is `SASL_PLAINTEXT`
+* The keytab used is located at `/etc/security/keytabs/metron.headless.keytab`
+* The service principal is `metron@EXAMPLE.COM`
+
+1. Build Librdkafka with SASL support (` --enable-sasl`).
+    ```
+    wget https://github.com/edenhill/librdkafka/archive/v0.9.4.tar.gz  -O - | tar -xz
+    cd librdkafka-0.9.4/
+    ./configure --prefix=$RDK_PREFIX --enable-sasl
+    make 
+    make install
+    ```
+
+1. Validate Librdkafka does indeed support SASL.  Run the following command and ensure that `sasl` is returned as a built-in feature.
+    ```
+    $ examples/rdkafka_example -X builtin.features
+    builtin.features = gzip,snappy,ssl,sasl,regex
+    ```
+
+   If it is not, ensure that you have `libsasl` or `libsasl2` installed.  On CentOS, this can be installed with the following command.
+    ```
+    yum install -y cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi
+    ```
+
+1. Grant access to your Kafka topic.  In this example, it is simply named `pcap`.
+    ```
+    $KAFKA_HOME/bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer \
+      --authorizer-properties zookeeper.connect=zookeeper1:2181 \
+      --add --allow-principal User:metron --topic pcap
+    ```
+
+1. Obtain a Kerberos ticket.
+    ```
+    kinit -kt /etc/security/keytabs/metron.headless.keytab metron@EXAMPLE.COM
+    ```
+
+1. Add the following additional configuration values to your Fastcapa configuration file.
+    ```
+    security.protocol = SASL_PLAINTEXT
+    sasl.kerberos.keytab = /etc/security/keytabs/metron.headless.keytab
+    sasl.kerberos.principal = metron@EXAMPLE.COM
+    ```
+    
+1. Now run Fastcapa as you normally would.  It should have no problem landing packets in your kerberized Kafka broker.
+
 How It Works
 ------
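
Review bot: The assumptions list and the step 5 configuration both use `security.protocol = SASL_PLAINTEXT`, which authenticates the probe with Kerberos but leaves the connection to the broker unencrypted, so the captured packets still cross the network in the clear. The section should say so and mention `SASL_SSL` as the setting to use where the broker exposes a TLS listener; the `builtin.features` output in step 2 already shows `ssl` is compiled in. In the ACL step, `--add --allow-principal User:metron --topic pcap` carries no `--operation`, and `kafka-acls.sh` then grants all operations on the topic. The probe only produces, so `--producer` (or `--operation Write`) would keep the grant to what it needs. Smaller points: `metron@EXAMPLE.COM` with a `metron.headless.keytab` is a headless user principal rather than a service principal, "These may need altered" should read "These may need to be altered", and the whitespace-only line after the step 5 code block can be removed.
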