Posted to users@kafka.apache.org by Waleed Fateem <wa...@gmail.com> on 2017/05/25 00:37:34 UTC

SASL and SSL

Hello!

I'm not very clear on the behavior that we should expect when we configure
Kafka to use the protocol SASL_SSL.

Is SASL or SSL mutually exclusive here or can I authenticate with SASL and
use SSL for encryption?

If the latter is true, then is it correct to assume that encryption will
take place using SSL if a client authenticates using a Kerberos ticket so
long as they have a trust store configured?

Thank you.

Waleed

Re: SASL and SSL

Posted by Waleed Fateem <wa...@gmail.com>.
Hi Kaufman,

Thanks for the blog link. It definitely helped clear up a few things, but I
was struggling to understand the behavior I was seeing where clients were
still able to establish an SSL connection after SASL authentication even
when trust store config was not set at the client side and ssl.client.auth
was enabled.

I found KAFKA-3166 which explained why ssl.client.auth was ignored, but it
didn't explain why clients were still able to connect to the Kafka broker
over a SASL_SSL port without providing trust store config. I wrote a
detailed explanation about this in another mail I sent out ("Question with
regards to KAFKA-3166"). I would be curious to know your thoughts on it.

Regards,

Waleed Fateem

On Thu, May 25, 2017 at 8:49 AM, Kaufman Ng <ka...@confluent.io> wrote:

> Ismael also wrote this security blog post about Kafka security. Hope you
> find it useful:
> https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
>
>
> On Thu, May 25, 2017 at 12:04 AM, Waleed Fateem <wa...@gmail.com>
> wrote:
>
> > For completion, I saw Ismael Juma post an answer which contains the
> > information I was looking for:
> >
> > http://comments.gmane.org/gmane.comp.apache.kafka.user/15140
> >
> > SASL_SSL -> authentication using SASL AND connection is encrypted using
> > SSL.
> >
> > On Wed, May 24, 2017 at 7:37 PM, Waleed Fateem <wa...@gmail.com>
> > wrote:
> >
> > > Hello!
> > >
> > > I'm not very clear on the behavior that we should expect when we configure
> > > Kafka to use the protocol SASL_SSL.
> > >
> > > Is SASL or SSL mutually exclusive here or can I authenticate with SASL and
> > > use SSL for encryption?
> > >
> > > If the latter is true, then is it correct to assume that encryption will
> > > take place using SSL if a client authenticates using a Kerberos ticket so
> > > long as they have a trust store configured?
> > >
> > > Thank you.
> > >
> > > Waleed
> > >
> >
>
>
>
> --
> Kaufman Ng
> +1 646 961 8063
> Solutions Architect | Confluent | www.confluent.io
>

Re: SASL and SSL

Posted by Kaufman Ng <ka...@confluent.io>.
Ismael also wrote this security blog post about Kafka security. Hope you
find it useful:
https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/


On Thu, May 25, 2017 at 12:04 AM, Waleed Fateem <wa...@gmail.com>
wrote:

> For completion, I saw Ismael Juma post an answer which contains the
> information I was looking for:
>
> http://comments.gmane.org/gmane.comp.apache.kafka.user/15140
>
> SASL_SSL -> authentication using SASL AND connection is encrypted using
> SSL.
>
> On Wed, May 24, 2017 at 7:37 PM, Waleed Fateem <wa...@gmail.com>
> wrote:
>
> > Hello!
> >
> > I'm not very clear on the behavior that we should expect when we configure
> > Kafka to use the protocol SASL_SSL.
> >
> > Is SASL or SSL mutually exclusive here or can I authenticate with SASL and
> > use SSL for encryption?
> >
> > If the latter is true, then is it correct to assume that encryption will
> > take place using SSL if a client authenticates using a Kerberos ticket so
> > long as they have a trust store configured?
> >
> > Thank you.
> >
> > Waleed
> >
>



-- 
Kaufman Ng
+1 646 961 8063
Solutions Architect | Confluent | www.confluent.io

Re: SASL and SSL

Posted by Waleed Fateem <wa...@gmail.com>.
For completion, I saw Ismael Juma post an answer which contains the
information I was looking for:

http://comments.gmane.org/gmane.comp.apache.kafka.user/15140

SASL_SSL -> authentication using SASL AND connection is encrypted using
SSL.

On Wed, May 24, 2017 at 7:37 PM, Waleed Fateem <wa...@gmail.com>
wrote:

> Hello!
>
> I'm not very clear on the behavior that we should expect when we configure
> Kafka to use the protocol SASL_SSL.
>
> Is SASL or SSL mutually exclusive here or can I authenticate with SASL and
> use SSL for encryption?
>
> If the latter is true, then is it correct to assume that encryption will
> take place using SSL if a client authenticates using a Kerberos ticket so
> long as they have a trust store configured?
>
> Thank you.
>
> Waleed
>
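
Added example, not part of the original thread or of Kafka itself: a small Python check that reads a client properties file and reports, from security.protocol, whether SASL authentication and SSL/TLS encryption are in effect, and whether a trust store is set explicitly. The function names and the sample config are constructed for illustration; only plain key=value lines are parsed.

```python
# Added example: classify a Kafka client config by its security.protocol.

# Kafka's four security.protocol values -> (SASL authentication, TLS encryption)
PROTOCOLS = {
    "PLAINTEXT": (False, False),
    "SSL": (False, True),
    "SASL_PLAINTEXT": (True, False),
    "SASL_SSL": (True, True),
}

# Constructed sample: Kerberos (GSSAPI) over TLS, no trust store configured.
SAMPLE = """
# constructed sample client config
security.protocol=SASL_SSL
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_client(text):
    """Return (sasl, tls, findings) for the text of a client properties file."""
    props = parse_properties(text)
    # Kafka clients default to PLAINTEXT when security.protocol is unset.
    proto = props.get("security.protocol", "PLAINTEXT").upper()
    if proto not in PROTOCOLS:
        raise ValueError("unknown security.protocol: " + proto)
    sasl, tls = PROTOCOLS[proto]
    findings = []
    if not sasl:
        findings.append("no SASL authentication")
    if not tls:
        findings.append("traffic is not encrypted")
    elif "ssl.truststore.location" not in props:
        # Without an explicit trust store the JVM's default one is used.
        findings.append("no ssl.truststore.location: JVM default trust store is used")
    return sasl, tls, findings

if __name__ == "__main__":
    print(audit_client(SAMPLE))
```
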