Posted to users@kafka.apache.org by sudeep mishra <su...@gmail.com> on 2016/03/04 07:40:19 UTC

Fwd: Kafka Security

Hi,

I am exploring the security capabilities of Kafka 0.9.1 but am unable to
use it successfully.

I have set below configuration in my server.properties

*allow.everyone.if.no.acl.found=false*
*super.users=User:root;User:kafka*

I created an ACL using below command

*./kafka-acls.sh --authorizer-properties zookeeper.connect=<zk_host:port>
--add --allow-principal User:imit --allow-host <allowed_host> --topic imit
--producer --consumer --group imit-consumer-group*

and I see below response for it

*Current ACLs for resource `Topic:imit`:*
*        User:imit has Allow permission for operations: Describe from
hosts: <allowed_host>*
*        User:imit has Allow permission for operations: Read from hosts:
<allowed_host>*
*        User:imit has Allow permission for operations: Write from hosts:
<allowed_host>*

*Note:* Values mentioned in <> are replaced with some dummy values in the
question and used correctly while creating the ACL

I have the following observations:

a) Though I define the rule for the imit topic to be accessed by a particular user
from a given host, I can still write to the topic from any host using any user
account.

b) I am unable to read messages from the topic from any host or any user
account (even using the one for which I have defined the rules).

I am running Kafka on RHEL 6.7 and all the users are local.

I would appreciate it if someone could advise whether I am missing any configuration
parameters or commands to manage authorization, or if Kafka is behaving in a
weird way.

Also, where can I find authorization-related logs in Kafka?


Thanks & Regards,

Sudeep
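
Added example (not Kafka's own code and not from anyone in this thread): a small Python model of the decision rules Kafka 0.9's SimpleAclAuthorizer applies, used to replay the accesses described in the post above against the post's own settings (super.users=User:root;User:kafka, allow.everyone.if.no.acl.found=false) and ACL listing. Assumptions are labelled in the code: 10.0.0.5 stands in for <allowed_host> and 10.0.0.9 is a constructed second host; the Group:imit-consumer-group entry is what the --consumer --group flags add alongside the topic entries (the post only quotes the Topic listing); User:ANONYMOUS is the principal an unauthenticated client on a PLAINTEXT listener carries.

```python
"""Constructed model of Kafka 0.9 SimpleAclAuthorizer decision rules (written for
this thread; not Kafka's code). Parses `kafka-acls.sh --list` style output and
replays requests so the expected allow/deny outcome is explicit."""
import re
from collections import defaultdict
from dataclasses import dataclass

WILDCARD = "*"


@dataclass(frozen=True)
class Acl:
    principal: str   # e.g. "User:imit"; "User:*" matches any principal
    permission: str  # "Allow" or "Deny"
    operation: str   # Read, Write, Describe, ...
    host: str        # client host as the broker sees it; "*" matches any host


# One line of the listing, e.g.
# "User:imit has Allow permission for operations: Read from hosts: 10.0.0.5"
ACL_LINE = re.compile(
    r"(?P<principal>\S+) has (?P<perm>Allow|Deny) permission for operations: "
    r"(?P<ops>[\w, ]+?) from hosts: (?P<hosts>\S+)")
RESOURCE_LINE = re.compile(r"Current ACLs for resource `(?P<resource>[^`]+)`")


def parse_acl_listing(text):
    """Map resource name (e.g. 'Topic:imit') -> list of Acl from --list output."""
    acls = defaultdict(list)
    resource = None
    for line in text.splitlines():
        m = RESOURCE_LINE.search(line)
        if m:
            resource = m.group("resource")
            continue
        m = ACL_LINE.search(line)
        if m and resource:
            for op in m.group("ops").split(","):
                for host in m.group("hosts").split(","):
                    acls[resource].append(
                        Acl(m.group("principal"), m.group("perm"), op.strip(), host.strip()))
    return dict(acls)


class SimpleAclModel:
    """Decision order: super users always pass; a resource with no ACLs falls back
    to allow.everyone.if.no.acl.found; otherwise any matching Deny wins, else at
    least one matching Allow is required. Read/Write on a resource imply Describe."""

    def __init__(self, acls, super_users, allow_everyone_if_no_acl_found=False):
        self.acls = acls
        self.super_users = set(super_users)
        self.allow_everyone = allow_everyone_if_no_acl_found
        self.audit = []  # decision lines in the style of the kafka.authorizer.logger output

    @staticmethod
    def _matches(acl, principal, host, operation, permission):
        return (acl.permission == permission
                and acl.principal in (principal, "User:*")
                and acl.host in (host, WILDCARD)
                and acl.operation == operation)

    def authorize(self, principal, host, operation, resource):
        rtype, _, _ = resource.partition(":")
        # ACLs on the exact resource plus any on the type-level wildcard resource
        acls = self.acls.get(resource, []) + self.acls.get(f"{rtype}:{WILDCARD}", [])
        if principal in self.super_users:
            allowed = True
        elif not acls:
            allowed = self.allow_everyone
        else:
            deny = any(self._matches(a, principal, host, operation, "Deny") for a in acls)
            ops = {operation, "Read", "Write"} if operation == "Describe" else {operation}
            allow = any(self._matches(a, principal, host, op, "Allow") for a in acls for op in ops)
            allowed = not deny and allow
        self.audit.append(f"Principal = {principal} is {'Allowed' if allowed else 'Denied'} "
                          f"Operation = {operation} from host = {host} on resource = {resource}")
        return allowed

    def can_produce(self, principal, host, topic):
        return self.authorize(principal, host, "Write", f"Topic:{topic}")

    def can_consume(self, principal, host, topic, group):
        # A 0.9 consumer needs Read on the topic AND Read on its consumer group.
        return (self.authorize(principal, host, "Read", f"Topic:{topic}")
                and self.authorize(principal, host, "Read", f"Group:{group}"))


# Constructed listing in the format the post shows; 10.0.0.5 stands in for
# <allowed_host>. The Group entry is assumed from the --consumer --group flags.
SAMPLE_LISTING = """\
Current ACLs for resource `Topic:imit`:
        User:imit has Allow permission for operations: Describe from hosts: 10.0.0.5
        User:imit has Allow permission for operations: Read from hosts: 10.0.0.5
        User:imit has Allow permission for operations: Write from hosts: 10.0.0.5
Current ACLs for resource `Group:imit-consumer-group`:
        User:imit has Allow permission for operations: Read from hosts: 10.0.0.5
"""


def build_model():
    # server.properties values quoted in the post
    return SimpleAclModel(parse_acl_listing(SAMPLE_LISTING),
                          super_users=["User:root", "User:kafka"],
                          allow_everyone_if_no_acl_found=False)


def expected_outcomes():
    """Replay the accesses discussed in the post; 10.0.0.9 is a constructed other host."""
    m = build_model()
    return {
        "imit writes from allowed host": m.can_produce("User:imit", "10.0.0.5", "imit"),
        "imit writes from another host": m.can_produce("User:imit", "10.0.0.9", "imit"),
        "unauthenticated (ANONYMOUS) client writes": m.can_produce("User:ANONYMOUS", "10.0.0.5", "imit"),
        "root writes from anywhere (super user)": m.can_produce("User:root", "10.0.0.9", "imit"),
        "imit consumes with its group": m.can_consume("User:imit", "10.0.0.5", "imit", "imit-consumer-group"),
        "imit consumes with another group": m.can_consume("User:imit", "10.0.0.5", "imit", "other-group"),
        "imit describes (implied by Read/Write)": m.authorize("User:imit", "10.0.0.5", "Describe", "Topic:imit"),
    }


if __name__ == "__main__":
    for name, ok in expected_outcomes().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}")
```

Under these rules a write from a host that is not listed, or from an unknown principal, is denied, so a broker that accepts writes from any host and any user is not evaluating ACLs at all; the ACL rules only run when authorizer.class.name (kafka.security.auth.SimpleAclAuthorizer) is set in server.properties, and the configuration excerpt in the post does not show that property. The model's audit lines mimic what the real authorizer writes to the kafka.authorizer.logger log4j logger, which the stock config/log4j.properties routes to kafka-authorizer.log; in 0.9 those decisions are logged at DEBUG, so the stock WARN level shows nothing until it is lowered.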

Re: Kafka Security

Posted by Ismael Juma <is...@juma.me.uk>.
Hi Martin,

I suggest reading
http://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption
for an end to end example of how to secure Kafka.

Ismael

On Fri, Mar 4, 2016 at 12:38 PM, Martin Gainty <mg...@hotmail.com> wrote:

> Although authors suggest using existing Cloud security products such as
> Sentry (Cloudera) or Argus (Hortonworks), once Zookeeper adopted SASL
> integration, Kafka folk agreed SASL would be the best way to implement
> securing the following Kafka features:
>
> - Authentication via SSL & Kerberos through SASL
> - Auditing
> - Authorization through Unix-like users, permissions and ACLs
> - Encryption over the wire (optional)
> - It should be easy to enforce the use of security at a given site
>
> https://cwiki.apache.org/confluence/display/KAFKA/Security
>
> Unfortunately kafka-sasl authors suggested implementing SSO via PKCS7 is
> currently out-of-scope for the pre-1.0 release.
> Imagine working at a Global Bank where you need to sign on to 2+ different
> security realms to complete a transaction; this may be too arduous for
> people in the real world who have been using one single sign-on for years.
> Unfortunately the KAFKA-SASL-INTEGRATION project is still at 0.9 so the
> current implementation is very beta (not at 1.0):
> https://cwiki.apache.org/confluence/display/KAFKA/Index
>
> CONCLUSION: If your client does not have Cloudera (Sentry) or
> Hortonworks (Argus) and desires the security features of
> SSL Authentication/Kerberos Authentication, Auditing, Unix-Authorization,
> Wire-Encryption, then KAFKA-SASL-Integration is the only suggested option.
> Anyone have a suggestion how to secure Kafka?
>
> Martin
> ______________________________________________
>
>
>
> > Date: Fri, 4 Mar 2016 12:10:19 +0530
> > Subject: Fwd: Kafka Security
> > From: sudeepshekharm@gmail.com
> > To: users@kafka.apache.org
> >
> > Hi,
> >
> > I am exploring the security capabilities of Kafka 0.9.1 but am unable to
> > use it successfully.
> >
> > I have set below configuration in my server.properties
> >
> > *allow.everyone.if.no.acl.found=false*
> > *super.users=User:root;User:kafka*
> >
> > I created an ACL using below command
> >
> > *./kafka-acls.sh --authorizer-properties zookeeper.connect=<zk_host:port>
> > --add --allow-principal User:imit --allow-host <allowed_host> --topic
> imit
> > --producer --consumer --group imit-consumer-group*
> >
> > and I see below response for it
> >
> > *Current ACLs for resource `Topic:imit`:*
> > *        User:imit has Allow permission for operations: Describe from
> > hosts: <allowed_host>*
> > *        User:imit has Allow permission for operations: Read from hosts:
> > <allowed_host>*
> > *        User:imit has Allow permission for operations: Write from hosts:
> > <allowed_host>*
> >
> > *Note:* Values mentioned in <> are replaced with some dummy values in the
> > question and used correctly while creating the ACL
> >
> > I have the following observations:
> >
> > a) Though I define the rule for the imit topic to be accessed by a
> > particular user from a given host, I can still write to the topic from
> > any host using any user account.
> >
> > b) I am unable to read messages from the topic from any host or any user
> > account (even using the one for which I have defined the rules).
> >
> > I am running Kafka on RHEL 6.7 and all the users are local.
> >
> > I would appreciate it if someone could advise whether I am missing any
> > configuration parameters or commands to manage authorization, or if Kafka
> > is behaving in a weird way.
> >
> > Also, where can I find authorization-related logs in Kafka?
> >
> >
> > Thanks & Regards,
> >
> > Sudeep
>
>

RE: Kafka Security

Posted by Martin Gainty <mg...@hotmail.com>.
Although authors suggest using existing Cloud security products such as Sentry (Cloudera) or Argus (Hortonworks), once Zookeeper adopted SASL integration, Kafka folk agreed SASL would be the best way to implement securing the following Kafka features:

- Authentication via SSL & Kerberos through SASL
- Auditing
- Authorization through Unix-like users, permissions and ACLs
- Encryption over the wire (optional)
- It should be easy to enforce the use of security at a given site

https://cwiki.apache.org/confluence/display/KAFKA/Security

Unfortunately kafka-sasl authors suggested implementing SSO via PKCS7 is currently out-of-scope for the pre-1.0 release.
Imagine working at a Global Bank where you need to sign on to 2+ different security realms to complete a transaction; this may be too arduous for people in the real world who have been using one single sign-on for years.
Unfortunately the KAFKA-SASL-INTEGRATION project is still at 0.9 so the current implementation is very beta (not at 1.0):
https://cwiki.apache.org/confluence/display/KAFKA/Index

CONCLUSION: If your client does not have Cloudera (Sentry) or Hortonworks (Argus) and desires the security features of SSL Authentication/Kerberos Authentication, Auditing, Unix-Authorization, Wire-Encryption, then KAFKA-SASL-Integration is the only suggested option.
Anyone have a suggestion how to secure Kafka?

Martin
______________________________________________


> Date: Fri, 4 Mar 2016 12:10:19 +0530
> Subject: Fwd: Kafka Security
> From: sudeepshekharm@gmail.com
> To: users@kafka.apache.org
> 
> Hi,
> 
> I am exploring the security capabilities of Kafka 0.9.1 but am unable to
> use it successfully.
> 
> I have set below configuration in my server.properties
> 
> *allow.everyone.if.no.acl.found=false*
> *super.users=User:root;User:kafka*
> 
> I created an ACL using below command
> 
> *./kafka-acls.sh --authorizer-properties zookeeper.connect=<zk_host:port>
> --add --allow-principal User:imit --allow-host <allowed_host> --topic imit
> --producer --consumer --group imit-consumer-group*
> 
> and I see below response for it
> 
> *Current ACLs for resource `Topic:imit`:*
> *        User:imit has Allow permission for operations: Describe from
> hosts: <allowed_host>*
> *        User:imit has Allow permission for operations: Read from hosts:
> <allowed_host>*
> *        User:imit has Allow permission for operations: Write from hosts:
> <allowed_host>*
> 
> *Note:* Values mentioned in <> are replaced with some dummy values in the
> question and used correctly while creating the ACL
> 
> I have the following observations:
> 
> a) Though I define the rule for the imit topic to be accessed by a particular user
> from a given host, I can still write to the topic from any host using any user
> account.
> 
> b) I am unable to read messages from the topic from any host or any user
> account (even using the one for which I have defined the rules).
> 
> I am running Kafka on RHEL 6.7 and all the users are local.
> 
> I would appreciate it if someone could advise whether I am missing any configuration
> parameters or commands to manage authorization, or if Kafka is behaving in a
> weird way.
> 
> Also, where can I find authorization-related logs in Kafka?
> 
> 
> Thanks & Regards,
> 
> Sudeep