[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

Tue, 04 Nov 2014 09:40:00 -0800 

    [ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14196422#comment-14196422
 ] 

Sriharsha Chintalapani commented on KAFKA-1686:
-----------------------------------------------

[~junrao] I was thinking of using jaas.conf which is what we used for storm 
http://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html.
It allows the service to renewTGT. Kerberos tickets can be valid for more than 
10hrs it depends the config /etc/krb5.conf. We can have renewTicket thread that 
checks for the current ticket_lifetime and renew_lifetime and renews if the 
current ticket lifetime expired.
Each broker will run with its own keytab kafkabroker/_HOST@REALM. If you are 
using service keytab they should've grant all permissions  in permissions 
manager. This could be as simple as setting a config option in permission 
manager where you can whitelist a principal as admin and use that principal for 
brokers. 
For example:
      kafka.admins: "kafkabroker"
and run all the brokers with kafkabroker/_HOST@REALM.
User needs to be careful in setting keytab permissions so that service keytabs 
cannot be accessed by regular user to impersonate a kafkabroker and gain all 
access. 

> Implement SASL/Kerberos
> -----------------------
>
>                 Key: KAFKA-1686
>                 URL: https://issues.apache.org/jira/browse/KAFKA-1686
>             Project: Kafka
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 0.9.0
>            Reporter: Jay Kreps
>            Assignee: Sriharsha Chintalapani
>             Fix For: 0.9.0
>
>
> Implement SASL/Kerberos authentication.
> To do this we will need to introduce a new SASLRequest and SASLResponse pair 
> to the client protocol. This request and response will each have only a 
> single byte[] field and will be used to handle the SASL challenge/response 
> cycle. Doing this will initialize the SaslServer instance and associate it 
> with the session in a manner similar to KAFKA-1684.
> When using integrity or encryption mechanisms with SASL we will need to wrap 
> and unwrap bytes as in KAFKA-1684 so the same interface that covers the 
> SSLEngine will need to also cover the SaslServer instance.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to