[ https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14196422#comment-14196422 ]
Sriharsha Chintalapani commented on KAFKA-1686: ----------------------------------------------- [~junrao] I was thinking of using jaas.conf which is what we used for storm http://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html. It allows the service to renewTGT. Kerberos tickets can be valid for more than 10hrs it depends the config /etc/krb5.conf. We can have renewTicket thread that checks for the current ticket_lifetime and renew_lifetime and renews if the current ticket lifetime expired. Each broker will run with its own keytab kafkabroker/_HOST@REALM. If you are using service keytab they should've grant all permissions in permissions manager. This could be as simple as setting a config option in permission manager where you can whitelist a principal as admin and use that principal for brokers. For example: kafka.admins: "kafkabroker" and run all the brokers with kafkabroker/_HOST@REALM. User needs to be careful in setting keytab permissions so that service keytabs cannot be accessed by regular user to impersonate a kafkabroker and gain all access. > Implement SASL/Kerberos > ----------------------- > > Key: KAFKA-1686 > URL: https://issues.apache.org/jira/browse/KAFKA-1686 > Project: Kafka > Issue Type: Sub-task > Components: security > Affects Versions: 0.9.0 > Reporter: Jay Kreps > Assignee: Sriharsha Chintalapani > Fix For: 0.9.0 > > > Implement SASL/Kerberos authentication. > To do this we will need to introduce a new SASLRequest and SASLResponse pair > to the client protocol. This request and response will each have only a > single byte[] field and will be used to handle the SASL challenge/response > cycle. Doing this will initialize the SaslServer instance and associate it > with the session in a manner similar to KAFKA-1684. > When using integrity or encryption mechanisms with SASL we will need to wrap > and unwrap bytes as in KAFKA-1684 so the same interface that covers the > SSLEngine will need to also cover the SaslServer instance. -- This message was sent by Atlassian JIRA (v6.3.4#6332)