Kafka security
You can improve the Kafka cluster security by having Kafka authenticate connections to brokers from client using either SSL or SASL.
SSL + Kerberos for Kafka clients
Prerequisite: Kafka brokers are configured with SSL and Kerberos. Refer to your Hadoop providers documentation for configuring SSL and Kerberos for Kafka brokers.
SSL+Kerberos is supported by new Kafka consumers and producers. The configuration is the same for consumers and producers. Replace items in red with values specific/relevant to your environment.
For single Kafka clients
Create a file named
consumerConfig.properties. Add the following properties and copy/move the file/usr/local/unravel/etc. You can locate your SSL + Kerberos configuration.security.protocol=SASL_SSL sasl.mechanism=GSSAPI sasl.kerberos.service.name=kafka ssl.enabled.protocols=TLSvl.2,TLSvl.l,TLSvl ssl.truststore.location=/usr/java/latest/jre/lib/security/jssecacerts ssl.truststore.password=changeit ssl.keystore.location=/opt/cloudera/security/pki/keystore.jks ssl.keystore.password=changeit sasl.jaas.config=\ com.sun.security.auth.module.Krb5LoginModule required \ useKeyTab=true \ useTicketCache=true \ keyTab="/opt/unravel/kafka.keytab" \ principal="kafka/kafkavm.unraveldata.com@UNRAVELDATA.COM";
Note
Only if Kerberos is enabled, the
security.protocolisSASL_PLAINTEXTand the SSL properties can be removed.Copy/move
consumerConfig.propertiesto/usr/local/unravel/etc.Edit
/usr/local/unravel/unravel.properties. Search for com.unraveldata.ext.kafka.clusters.com.unraveldata.ext.kafka.clusters=
ClusterNameAdd the following property using the
ClusterNamefrom above.com.unraveldata.ext.kafka.
ClusterName.consumer.config=/usr/local/unravel/etc/consumerConfig.propertiesRestart the Kafka monitor daemon
unravel_km.service unravel_km restart
For multiple Kafka clients
Warning
Each cluster must have a separate consumerConfig.properties files.
Open
/usr/local/unravel/unravel.properties. Search for com.unraveldata.ext.kafka.clusters.The property should be defined with a comma separated list. If there is only one cluster name see above.
com.unraveldata.ext.kafka.clusters=
ClusterName1,ClusterName2,ClusterName3Create a file named
consumerConfigClusterName.propertiesfor each cluster.security.protocol=SASL_SSL sasl.mechanism=GSSAPI sasl.kerberos.service.name=kafka ssl.enabled.protocols=TLSvl.2,TLSvl.l,TLSvl ssl.truststore.location=/usr/java/latest/jre/lib/security/jssecacerts ssl.truststore.password=changeit ssl.keystore.location=/opt/cloudera/security/pki/keystore.jks ssl.keystore.password=changeit sasl.jaas.config=\ com.sun.security.auth.module.Krb5LoginModule required \ useKeyTab=true \ useTicketCache=true \ keyTab="/opt/unravel/kafka.keytab" \ principal="kafka/kafkavm. unraveldata.com@UNRAVELDATA.COM";
Note
Only if Kerberos is enabled, the
security.protocolisSASL_PLAINTEXTand the SSL properties can be removed.Copy/move each file to
/usr/local/unravel/etc.Edit
/usr/local/unravel/unravel.properties. For each cluster add the following property.com.unraveldata.ext.kafka.ClusterName.consumer.config=/usr/local/unravel/etc/consumerConfigClusterName.properties
Restart the Kafka monitor daemon
unravel_km.service unravel_km restart
Kafka authorizations
Unravel consumes messages to topic __consumer_offsets using consumer group UnravelOffsetConsumer.
The following privilege must be granted using sentry:
HOST=*->CONSUMERGROUP=UnravelOffsetConsumer→action=read HOST=*->CONSUMERGROUP=UnravelOffsetConsumer→action=write HOST=*->CONSUMERGROUP=UnravelOffsetConsumer→action=describe HOST=*->TOPIC=__consumer_offsets→action=read HOST=*->TOPIC=__consumer_offsets→action=write HOST=*->TOPIC=__consumer_offsets->action=describe
For further details see Using Kafka with Sentry Authorization in the Cloudera Distribution of Apache Kafka documentation.
The following privilege must be granted using Ranger for the topic __consumer_offsets.
Publish Consume Describe
For further details, see Security - Create a Kafka Policy in the HDP Security Guide.
References
For further information see Apache Kafka documentation chapter # 7 Security.