Project author: navikt

Project description:
Enhancing Kafka security, PlainSaslServer with LDAP binding and SimpleAclAuthorizer with LDAP group membership
Language: Kotlin
Project URL: git://github.com/navikt/kafka-plain-saslserver-2-ad.git
Created: 2018-02-08T20:28:18Z
Project community: https://github.com/navikt/kafka-plain-saslserver-2-ad

Open-source license: MIT License

kafka-plain-saslserver-2-ad

[!WARNING]
This project is not used by NAV anymore and is thus not maintained. Feel free to create a fork.

Enhancing Kafka 2.x with

  • a customized SimpleLDAPAuthentication using an LDAPS simple bind for authentication
  • a customized SimpleACLAuthorizer using LDAPS compare-matched for group membership verification

Thus, authentication moves from usernames and passwords in the JAAS context file on the Kafka brokers to the LDAP server.

By defining read/write allowance with LDAP groups, authorization moves from
ZooKeeper access control lists to group membership verification.

Bind and group membership results are cached (limited lifetime after write),
giving a minor performance penalty and reduced LDAPS traffic.
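The bind-then-compare flow described above, with its short-lived cache, as an added example that is not code from this project: it runs against the same Unboundid in-memory LDAP server the project tests with and uses Caffeine for caching. The base DNs (dc=example,dc=com with ou=users and ou=groups), the user alice, the group kafka-writers, the LdapSecurity class and its methods are all constructed for illustration; a real broker callback handler would read its base DNs from ldapconfig.yaml and connect over LDAPS rather than to an in-memory server. It assumes unboundid-ldapsdk and caffeine are on the classpath.

```kotlin
// Added example, not the project's own code: simple-bind authentication and
// compare-matched group authorization with short-lived caching, exercised
// against an Unboundid in-memory LDAP server. Assumes unboundid-ldapsdk and
// caffeine on the classpath; all DNs and entries below are constructed.
import com.github.benmanes.caffeine.cache.Cache
import com.github.benmanes.caffeine.cache.Caffeine
import com.unboundid.ldap.listener.InMemoryDirectoryServer
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig
import com.unboundid.ldap.sdk.LDAPException
import com.unboundid.ldap.sdk.RDN
import com.unboundid.ldap.sdk.ResultCode
import java.security.MessageDigest
import java.util.concurrent.TimeUnit

// Constructed base DNs; the project reads the real ones from ldapconfig.yaml.
const val USER_BASE = "ou=users,dc=example,dc=com"
const val GROUP_BASE = "ou=groups,dc=example,dc=com"

class LdapSecurity(private val server: InMemoryDirectoryServer) {
    // Entries expire a fixed time after write, as the README describes.
    private fun newCache(): Cache<String, Boolean> = Caffeine.newBuilder()
        .expireAfterWrite(2, TimeUnit.MINUTES).maximumSize(1_000).build()
    private val bindCache = newCache()
    private val groupCache = newCache()

    // RDN escapes the value, so a username containing ',' or '=' cannot reshape the DN.
    private fun userDn(user: String) = "${RDN("uid", user)},$USER_BASE"
    private fun groupDn(group: String) = "${RDN("cn", group)},$GROUP_BASE"

    private fun sha256(s: String): String = MessageDigest.getInstance("SHA-256")
        .digest(s.toByteArray()).joinToString("") { "%02x".format(it) }

    /** Authenticate with an LDAP simple bind, as the PLAIN callback handler would. */
    fun authenticate(user: String, password: String): Boolean {
        // An empty password turns a simple bind into an unauthenticated bind
        // (RFC 4513 section 5.1.2), which many servers accept: reject it up front.
        if (password.isEmpty()) return false
        // Cache only successful binds, keyed by a hash so the cache never holds
        // the plaintext password; a wrong password always goes to the server.
        val key = "${userDn(user)}#${sha256(password)}"
        bindCache.getIfPresent(key)?.let { return it }
        val conn = server.getConnection()
        return try {
            conn.bind(userDn(user), password) // throws unless the result is SUCCESS
            bindCache.put(key, true)
            true
        } catch (e: LDAPException) {
            if (e.resultCode != ResultCode.INVALID_CREDENTIALS) throw e
            false
        } finally {
            conn.close()
        }
    }

    /** Authorize with an LDAP compare on the group's member attribute: no search,
     *  no entry retrieval, only "does <group> have member=<userDn>". */
    fun isMember(user: String, group: String): Boolean {
        val key = "${userDn(user)}|${groupDn(group)}"
        return groupCache.get(key) {
            val conn = server.getConnection()
            try {
                conn.compare(groupDn(group), "member", userDn(user)).compareMatched()
            } catch (e: LDAPException) {
                // A missing group is simply "not a member"; other errors propagate.
                if (e.resultCode == ResultCode.NO_SUCH_OBJECT) false else throw e
            } finally {
                conn.close()
            }
        } ?: false
    }
}

fun main() {
    val config = InMemoryDirectoryServerConfig("dc=example,dc=com")
    config.schema = null // constructed sample entries; skip schema validation
    val ds = InMemoryDirectoryServer(config)
    ds.add("dn: dc=example,dc=com", "objectClass: top", "objectClass: domain", "dc: example")
    ds.add("dn: $USER_BASE", "objectClass: organizationalUnit", "ou: users")
    ds.add("dn: $GROUP_BASE", "objectClass: organizationalUnit", "ou: groups")
    ds.add("dn: uid=alice,$USER_BASE", "objectClass: inetOrgPerson", "uid: alice",
        "cn: Alice", "sn: Example", "userPassword: s3cret")
    ds.add("dn: cn=kafka-writers,$GROUP_BASE", "objectClass: groupOfNames",
        "cn: kafka-writers", "member: uid=alice,$USER_BASE")
    ds.startListening()

    val security = LdapSecurity(ds)
    check(security.authenticate("alice", "s3cret"))
    check(!security.authenticate("alice", "wrong"))
    check(!security.authenticate("alice", ""))
    check(security.isMember("alice", "kafka-writers"))
    check(!security.isMember("alice", "kafka-readers"))
    println("bind and compare checks passed")
    ds.shutDown(true)
}
```

Two design points worth keeping when adapting this to a real directory: the explicit empty-password check, because an LDAP simple bind with a DN and an empty password is an unauthenticated bind that some servers treat as success, and caching only positive bind results under a password hash, so a cached entry can never be used to accept a different password and a memory dump of the broker does not reveal credentials.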

Tools

  • Kotlin
  • Gradle build tool
  • Spek test framework

Components

  1. Unboundid LDAP SDK for LDAPS interaction
  2. Caffeine Cache
  3. YAML Configuration for LDAP baseDN for users, groups and more. See src/test/resources/ldapconfig.yaml for details

Observe that the directory hosting the YAML configuration file must be in the CLASSPATH.

Kafka configuration examples

The JAAS context file on the Kafka broker uses the standard plain login module class during authentication:

  KafkaServer{
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="x"
    password="y";
  };

Example of Kafka server.properties using the customized classes for authentication and authorization. The example
focuses on the minimum configuration only (SASL plaintext); a production environment uses PLAIN with TLS.

  ...
  listeners=SASL_PLAINTEXT://localhost:9092
  security.inter.broker.protocol=SASL_PLAINTEXT
  sasl.mechanism.inter.broker.protocol=PLAIN
  sasl.enabled.mechanisms=PLAIN
  listener.name.sasl_plaintext.plain.sasl.server.callback.handler.class=no.nav.common.security.authentication.SimpleLDAPAuthentication
  authorizer.class.name=no.nav.common.security.authorization.SimpleLDAPAuthorizer
  ...

Using the docker image

The Docker image can't currently be used standalone; the Dockerfile is meant to be extended by adding the config file
/etc/kafka/ldapconfig.yaml and the JAAS configuration /etc/kafka/kafka_server_jaas.conf. Examples of these
config files can be found in NAV's Kafka docker-compose project.

Testing

All test cases use the Unboundid in-memory LDAP server.

Tested on Confluent version 5.x (corresponding to Apache Kafka 2.x).

See the Confluent Open Source distribution in order to test locally.

The related Wiki has a detailed guide for local testing.

Build

  1. ./gradlew clean build
  2. ./gradlew shadowJar
  3. The result is kafka-plain-salserver-2-ad-2.0_<version>.jar, hosting the authentication and authorization classes.

Observe that the directory hosting the resulting JAR file must be in the CLASSPATH.