Repository: metron
Updated Branches:
  refs/heads/master f127c6dcf -> 9dc8c3a70
METRON-819: Document kafka console producer parameter for sensors with kerberos (mmiklavc) closes apache/metron#507 Project: http://git-wip-us.apache.org/repos/asf/metron/repo Commit: http://git-wip-us.apache.org/repos/asf/metron/commit/9dc8c3a7 Tree: http://git-wip-us.apache.org/repos/asf/metron/tree/9dc8c3a7 Diff: http://git-wip-us.apache.org/repos/asf/metron/diff/9dc8c3a7 Branch: refs/heads/master Commit: 9dc8c3a707bbdd4ac2070d5e29a558abde63f360 Parents: f127c6d Author: mmiklavc <[email protected]> Authored: Wed May 31 15:31:51 2017 -0600 Committer: Michael Miklavcic <[email protected]> Committed: Wed May 31 15:31:51 2017 -0600 ---------------------------------------------------------------------- metron-deployment/Kerberos-manual-setup.md | 30 ++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/metron/blob/9dc8c3a7/metron-deployment/Kerberos-manual-setup.md ---------------------------------------------------------------------- diff --git a/metron-deployment/Kerberos-manual-setup.md b/metron-deployment/Kerberos-manual-setup.md index 76d3701..1540231 100644 --- a/metron-deployment/Kerberos-manual-setup.md +++ b/metron-deployment/Kerberos-manual-setup.md @@ -17,7 +17,7 @@ This document provides instructions for kerberizing Metron's Vagrant-based devel Setup ----- -1. Deploy a Vagrant development environment; either [Full Dev](full-dev-platform) or [Quick Dev](quick-dev-platform). +1. Deploy a Vagrant development environment; either [Full Dev](vagrant/full-dev-platform/README.md) or [Quick Dev](vagrant/quick-dev-platform/README.md). 1. Export the following environment variables. These need to be set for the remainder of the instructions. Replace `node1` with the appropriate hosts, if you are running Metron anywhere other than Vagrant. 
@@ -424,6 +424,34 @@ KVNO Timestamp Principal ### Kafka with Kerberos enabled +#### Running Sensors + +A couple steps are required to produce data to a Kerberized Kafka topic. On the host you'll be setting up your sensor(s), switch to the metron user and create a client_jaas.conf file in the metron home directory if one doesn't already exist. It should be owned by metron:metron and +contain at least the following stanza that tells the Kafka client how to interact with Kerberos: +``` +su - metron +cat ${METRON_HOME}/client_jaas.conf +... +KafkaClient { + com.sun.security.auth.module.Krb5LoginModule required + useKeyTab=true + keyTab="/etc/security/keytabs/metron.headless.keytab" + storeKey=true + useTicketCache=false + serviceName="kafka" + principal="[email protected]"; +}; +``` + +You'll also need to set KAFKA_OPTS to tell the Kafka client how to interact with Kerberos. +``` +export KAFKA_OPTS="-Djava.security.auth.login.config=${METRON_HOME}/client_jaas.conf" +``` + +For sensors that leverage the Kafka console producer to pipe data into Metron, e.g. Snort and Yaf, you will need to modify the corresponding sensor shell scripts or config to append the SASL security protocol property. `--security-protocol SASL_PLAINTEXT`. Be sure to kinit with the metron user's keytab before executing the script that starts the sensor. + +More notes can be found in [metron/metron-sensors/README.md](../metron-sensors/README.md) + #### Write data to a topic with SASL ```
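Review bot: In the added "Running Sensors" section, the instruction to append `--security-protocol SASL_PLAINTEXT` should state that this protocol authenticates the producer with Kerberos but does not encrypt the connection to the broker, so sensor data still crosses the network in clear text; suggest one sentence saying so and noting that SASL_SSL is the setting to use where the brokers expose a TLS listener. In the first code block, `su - metron` starts a login shell, so `${METRON_HOME}` on the next line will be empty unless it is set in the metron user's profile; either export it again after the `su` or write the path out. The prose says to create client_jaas.conf "in the metron home directory" while the commands use `${METRON_HOME}`, which can be read as either ~metron or the Metron install directory, so name the location once and use it in both places. The same block runs `cat` on a file the reader was just told to create and mixes shell commands with file contents in one fence; showing the file contents on their own would be clearer. Ownership is specified for client_jaas.conf (metron:metron) but not for the keytab it points to, `/etc/security/keytabs/metron.headless.keytab`; worth adding that the keytab should be readable by the metron user only. There is also a stray period before the backticked flag in "property. `--security-protocol SASL_PLAINTEXT`."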
