Repository: incubator-metron
Updated Branches: refs/heads/master ab80e7b18 -> 7c1a56549

METRON-829 Use Fastcapa with Kerberos (nickwallen) closes apache/incubator-metron#514

Project: http://git-wip-us.apache.org/repos/asf/incubator-metron/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-metron/commit/7c1a5654
Tree: http://git-wip-us.apache.org/repos/asf/incubator-metron/tree/7c1a5654
Diff: http://git-wip-us.apache.org/repos/asf/incubator-metron/diff/7c1a5654

Branch: refs/heads/master
Commit: 7c1a56549cf99b013aa2f6022121dc6ff581c0fd
Parents: ab80e7b
Author: nickwallen <n...@nickallen.org>
Authored: Mon Apr 10 14:54:05 2017 -0400
Committer: nickallen <nickal...@apache.org>
Committed: Mon Apr 10 14:54:05 2017 -0400

----------------------------------------------------------------------
metron-sensors/fastcapa/README.md | 55 ++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/7c1a5654/metron-sensors/fastcapa/README.md
----------------------------------------------------------------------
diff --git a/metron-sensors/fastcapa/README.md b/metron-sensors/fastcapa/README.md index 74e7809..5efdb3f 100644 --- a/metron-sensors/fastcapa/README.md +++ b/metron-sensors/fastcapa/README.md @@ -9,6 +9,9 @@ Fastcapa leverages the Data Plane Development Kit ([DPDK](http://dpdk.org/)). D * [Requirements](#requirements) * [Installation](#installation) * [Usage](#usage) + * [Parameters](#parameters) + * [Output](#output) + * [Kerberos](#kerberos) * [How It Works](#how-it-works) * [Performance](#performance) * [FAQs](#faqs) @@ -181,6 +184,7 @@ The probe has been tested with [Librdkafka 0.9.4](https://github.com/edenhill/li cd incubator-metron/metron-sensors/fastcapa make ``` + Usage ----- 
@@ -316,6 +320,57 @@ When running the probe some basic counters are output to stdout. Of course duri * `[kaf]` + `out`: A total of 7 packets has successfully reached Kafka. * `[kaf]` + `queued`: There is 1 packet within the `rdkafka` queue waiting to be sent. +### Kerberos + +The probe can be used in a Kerberized environment. Follow these additional steps to use Fastcapa with Kerberos. The following assumptions have been made. These may need altered to fit your environment. + +* The Kafka broker is at `kafka1:6667` +* Zookeeper is at `zookeeper1:2181` +* The Kafka security protocol is `SASL_PLAINTEXT` +* The keytab used is located at `/etc/security/keytabs/metron.headless.keytab` +* The service principal is `met...@example.com` + +1. Build Librdkafka with SASL support (` --enable-sasl`). + ``` + wget https://github.com/edenhill/librdkafka/archive/v0.9.4.tar.gz -O - | tar -xz + cd librdkafka-0.9.4/ + ./configure --prefix=$RDK_PREFIX --enable-sasl + make + make install + ``` + +1. Validate Librdkafka does indeed support SASL. Run the following command and ensure that `sasl` is returned as a built-in feature. + ``` + $ examples/rdkafka_example -X builtin.features + builtin.features = gzip,snappy,ssl,sasl,regex + ``` + + If it is not, ensure that you have `libsasl` or `libsasl2` installed. On CentOS, this can be installed with the following command. + ``` + yum install -y cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi + ``` + +1. Grant access to your Kafka topic. In this example, it is simply named `pcap`. + ``` + $KAFKA_HOME/bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer \ + --authorizer-properties zookeeper.connect=zookeeper1:2181 \ + --add --allow-principal User:metron --topic pcap + ``` + +1. Obtain a Kerberos ticket. + ``` + kinit -kt /etc/security/keytabs/metron.headless.keytab met...@example.com + ``` + +1. Add the following additional configuration values to your Fastcapa configuration file. 
+ ``` + security.protocol = SASL_PLAINTEXT + sasl.kerberos.keytab = /etc/security/keytabs/metron.headless.keytab + sasl.kerberos.principal = met...@example.com + ``` + +1. Now run Fastcapa as you normally would. It should have no problem landing packets in your kerberized Kafka broker. + How It Works ------
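Review bot: In the "Grant access to your Kafka topic" step of the new Kerberos section, the `kafka-acls.sh` call gives no `--operation`, so `User:metron` receives the default of all operations on `pcap`. The probe only produces to the topic, so the example should scope the grant, for instance `--operation Write --operation Describe`, and the README should say that the account running the probe needs no more than that. Separately, the assumptions list and the final configuration block both use `SASL_PLAINTEXT`, which authenticates the client but sends the captured packets to the broker unencrypted; a sentence stating this and pointing to `SASL_SSL` would help readers who need confidentiality, and the `builtin.features` output in the validation step already shows `ssl` compiled in. The section also never says who should be able to read `/etc/security/keytabs/metron.headless.keytab`; a note that it should be readable only by the user running Fastcapa belongs next to the `kinit` step. Minor wording: "These may need altered" should read "These may need to be altered", and the principal in the assumptions is labelled a service principal although it is the client identity the probe authenticates as.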