Let's see how to configure Kerberos authentication between a Kafka broker and a Kafka client on the server (broker) side. The client side is covered here: https://mchesnavsky.tech/how-to-create-kafka-kerberos-java-consumer.
<kafka_home>/conf/server.properties
advertised.listeners=SASL_PLAINTEXT://:3090
listeners=SASL_PLAINTEXT://:3090
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=HTTP
<kafka_home>/bin/kafka-run-class.sh
Insert these options:
-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/your/path/to/kafka_server_jaas.conf
into KAFKA_OPTS:
# Generic jvm settings you want to add
if [ -z "$KAFKA_OPTS" ]; then
  KAFKA_OPTS=""
fi
Result:
# Generic jvm settings you want to add
if [ -z "$KAFKA_OPTS" ]; then
  KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/your/path/to/kafka_server_jaas.conf"
fi
/your/path/to/kafka_server_jaas.conf
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    debug=false
    keyTab="/path/to/keytab/file.keytab"
    principal="HTTP/host@REALM";
};
Kerberos between Kafka brokers is configured with separate configuration keys, which are not covered in this article. The configuration above is for broker-client interaction.
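Kafka clients request a Kerberos ticket for <service name>/<broker host>, so the primary of the broker principal in the JAAS file has to equal sasl.kerberos.service.name, and the keytab it points to is a long-term secret. The script below is an added example, not part of the original article or of Kafka: the function names are hypothetical, the sample files are constructed to mirror the values above, and it assumes key=value lines without spaces around "=" and a JAAS file that contains only the KafkaServer section.

```shell
#!/bin/sh
# Added example (not from the article): consistency checks for the broker files above.

prop_get() {   # prop_get FILE KEY -> value of KEY (last occurrence wins)
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); v = $0 } END { print v }' "$1"
}

jaas_get() {   # jaas_get FILE OPTION -> option value without quotes or trailing ";"
    awk -v k="$2" '{ gsub(/^[ \t]+|[ \t;]+$/, "") }
        index($0, k "=") == 1 { v = substr($0, length(k) + 2); gsub(/"/, "", v); print v; exit }' "$1"
}

check_broker_kerberos() {   # args: server.properties, JAAS file; returns 1 on any error
    svc=$(prop_get "$1" sasl.kerberos.service.name)
    princ=$(jaas_get "$2" principal)
    keytab=$(jaas_get "$2" keyTab)
    rc=0
    # Primary of the broker principal (text before "/" or "@") must equal the service name.
    prim=${princ%%@*}; prim=${prim%%/*}
    [ "$prim" = "$svc" ] || { echo "ERROR service name '$svc' != principal primary '$prim'"; rc=1; }
    # The keytab holds the broker's long-term key: no group/other access bits allowed.
    if [ ! -r "$keytab" ]; then
        echo "ERROR keytab not readable: $keytab"; rc=1
    elif [ "$(ls -ld "$keytab" | cut -c5-10)" != "------" ]; then
        echo "ERROR keytab accessible to group/others: $keytab"; rc=1
    fi
    # SASL_PLAINTEXT authenticates with Kerberos but carries traffic without TLS.
    case $(prop_get "$1" listeners) in
        SASL_PLAINTEXT*) echo "WARN listeners use SASL_PLAINTEXT (no TLS on the wire)" ;;
    esac
    return $rc
}

# Constructed sample files that mirror the article's values.
demo=$(mktemp -d)
printf '%s\n' 'listeners=SASL_PLAINTEXT://:3090' 'sasl.kerberos.service.name=HTTP' \
    > "$demo/server.properties"
: > "$demo/file.keytab" && chmod 600 "$demo/file.keytab"
cat > "$demo/kafka_server_jaas.conf" <<EOF
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="$demo/file.keytab"
    principal="HTTP/host@REALM";
};
EOF
check_broker_kerberos "$demo/server.properties" "$demo/kafka_server_jaas.conf"
```

To check a real broker, call check_broker_kerberos with the paths of its own server.properties and kafka_server_jaas.conf, as the user the broker runs as.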
If you still have any questions, feel free to ask me in the comments under this article, or write to me at promark33@gmail.com.