Principal Propagation¶
Important
This is a Confluent Enterprise-only feature.
Principal propagation takes the principal from authentication mechanism configured for client to the REST proxy and propagates that same principal when making requests to the Kafka broker.
Kafka supports the SSL and SASL authentication mechanisms that are based on the client’s
security.protocol
config. Principal propagation is supported for the supported Kafka security
mechanisms by setting up the client appropriately.
For further reference on Kafka Security, please refer to Kafka Security.
SSL¶
SSL propagation is picked by the plugin when the security.protocol
is set to SSL
. For SSL
propagation to work, it is required to all load all the certificates corresponding to the
required principal in a single client KeyStore file. Once this is done, the plugin would pick
the appropriate certificate alias based on the logged on principal while making requests to Kafka
. Currently, the logged on principal must exactly match the X500 Principal of the
certificate. This is straight forward when SSL is used as the authentication mechanism.
For example, if there were two clients integrated to Kafka REST the setup could be as simple as below
- Client A authenticates to Kafka REST using its key store which contains Certificate-A
- Client B authenticates to Kafka REST using its key store which contains Certificate-B
- Kafka REST’s key store
client.ssl.keystore.location
is loaded with Certificate-A and Certificate-B. The certificate is then chosen by the plugin based on who the client is.
If the ACLs need to be setup with different principal other than the default X500 on the Kafka broker, you can provide a custom principal builder for Kafka using the broker server.properties
principal.builder.class=CustomizedPrincipalBuilderClass
SASL¶
SASL propagation is picked by the plugin when the security.protocol
is set to either of
SASL_PLAIN
or SASL_SSL
. Security plugin supports all the sasl.mechanism
supported by
Kafka clients. Just like a regular Kafka client, the plugin also expects a JAAS config file to be
configured through -Djava.security.auth.login.config
. It is required for all the principals
to be specified in the JAAS config file under the section KafkaClient
. Refer to SASL
Configuration for details about configuring SASL for Kafka client and broker.
In the JAAS config file all the principals need to be explicitly specified. The plugin supports
specifying principals using following supported mechanisms: GSSAPI, PLAIN, SCRAM-SHA-256 and
SCRAM-SHA-512. Also, the plugin ignores any configured sasl.mechanism
and picks it
automatically based on the LoginModule specified for the principal.
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/security/keytabs/kafka_client.keytab"
principal="[email protected]";
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/security/keytabs/kafka_client_2.keytab"
principal="[email protected]";
org.apache.kafka.common.security.plain.PlainLoginModule required
username="alice-plain"
password="alice-secret";
org.apache.kafka.common.security.scram.ScramLoginModule required
username="alice-scram"
password="alice-secret";
org.apache.kafka.common.security.scram.ScramLoginModule required
username="alice-scram-256"
password="alice-secret"
mechanism="SCRAM-SHA-256";
};
Below is the mapping of sasl.mechanism
for the configured login modules
Principal’s Login Module | SASL Mechanism |
---|---|
com.sun.security.auth.module.Krb5LoginModule | GSSAPI
|
org.apache.kafka.common.security.plain.PlainLoginModule | PLAIN
|
org.apache.kafka.common.security.scram.ScramLoginModule |
For SCRAM-SHA-256 set
mechanism=SCRAM-SHA-256 as an option in
ScramLoginModule
|
All the mechanisms except SCRAM-SHA-256
would be automatically detected by the plugin and
SCRAM-SHA-256 can be explicitly mentioned as an option in the ScramLoginModule.