[ https://issues.apache.org/jira/browse/KAFKA-9486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kuttaiah updated KAFKA-9486:
----------------------------
    Description: 
My use case is to set up different protocols for inter-broker communication and producer/consumer to broker communication.

Hence I have the below broker configuration:

{quote}{{"zookeeper.sasl.enabled": false}}

{{ # Disable hostname verification, default is https.
 "ssl.endpoint.identification.algorithm":
 "inter.broker.listener.name": PLAINTEXT
 "listener.name.external.sasl.enabled.mechanisms": OAUTHBEARER
 "listener.name.external.oauthbearer.sasl.login.callback.handler.class": oracle.insight.common.kafka.security.OAuthBearerSignedLoginCallbackHandler
 "listener.name.external.oauthbearer.sasl.server.callback.handler.class": oracle.insight.common.kafka.security.OAuthBearerSignedValidatorCallbackHandler
 "listener.security.protocol.map": PLAINTEXT:PLAINTEXT,EXTERNAL:SASL_PLAINTEXT
 "listener.name.external.oauthbearer.sasl.jaas.config": org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required signedLoginStringClaim_ocid=insightAdmin signedLoginKeyServiceClass=oracle.insight.common.security.SMSKeyService signedValidatorKeyServiceClass=oracle.insight.common.security.SMSKeyService;
 "advertised.listeners": EXTERNAL://kafka-$((${KAFKA_BROKER_ID})).mydomain:$((${KAFKA_OUTSIDE_PORT} + ${KAFKA_BROKER_ID}))}}
{quote}
With this I always get:

{quote}{{[2020-01-30 17:23:55,228] INFO [SocketServer brokerId=0] Failed authentication with /10.244.0.1 (Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector)
 [2020-01-30 17:23:55,633] INFO [SocketServer brokerId=0] Failed authentication with /10.244.0.1 (Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector)
 [2020-01-30 17:23:55,989] INFO [SocketServer brokerId=0] Failed authentication with /10.244.0.1 (Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector)}}
{quote}

From the logs it looks like inter-broker communication is happening via SASL even though I set it to PLAIN_TEXT:
{quote}{{"inter.broker.listener.name": PLAINTEXT}}
{quote}
Please guide me on what exactly is missing. This is critical for our release which is happening shortly.

Thanks

Robin Kuttaiah

  was:
My use case is to set up different protocols for inter-broker communication and producer/consumer to broker communication.

Hence I have the below configuration:

{quote}{{"zookeeper.sasl.enabled": false}}

{{  # Disable hostname verification, default is https.
  "ssl.endpoint.identification.algorithm":
  "inter.broker.listener.name": PLAINTEXT
  "listener.name.external.sasl.enabled.mechanisms": OAUTHBEARER
  "listener.name.external.oauthbearer.sasl.login.callback.handler.class": oracle.insight.common.kafka.security.OAuthBearerSignedLoginCallbackHandler
  "listener.name.external.oauthbearer.sasl.server.callback.handler.class": oracle.insight.common.kafka.security.OAuthBearerSignedValidatorCallbackHandler
  "listener.security.protocol.map": PLAINTEXT:PLAINTEXT,EXTERNAL:SASL_PLAINTEXT
  "listener.name.external.oauthbearer.sasl.jaas.config": org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required signedLoginStringClaim_ocid=insightAdmin signedLoginKeyServiceClass=oracle.insight.common.security.SMSKeyService signedValidatorKeyServiceClass=oracle.insight.common.security.SMSKeyService;
  "advertised.listeners": EXTERNAL://kafka-$((${KAFKA_BROKER_ID})).mydomain:$((${KAFKA_OUTSIDE_PORT} + ${KAFKA_BROKER_ID}))}}
{quote}
With this I always get:

{quote}{{[2020-01-30 17:23:55,228] INFO [SocketServer brokerId=0] Failed authentication with /10.244.0.1 (Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector)
[2020-01-30 17:23:55,633] INFO [SocketServer brokerId=0] Failed authentication with /10.244.0.1 (Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector)
[2020-01-30 17:23:55,989] INFO [SocketServer brokerId=0] Failed authentication with /10.244.0.1 (Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector)}}
{quote}

From the logs it looks like inter-broker communication is happening via SASL even though I set it to PLAIN_TEXT:
{quote}{{"inter.broker.listener.name": PLAINTEXT}}
{quote}
Please guide me on what exactly is missing. This is critical for our release which is happening shortly.

Thanks

Robin Kuttaiah


> Kafka Security
> --------------
>
>                 Key: KAFKA-9486
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9486
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>            Reporter: Kuttaiah
>            Priority: Critical



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
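
The broker log excerpt in the report, turned into a small triage helper (an added example, not part of the original report and not Kafka code): it re-joins records that the mail hard-wrapped, pulls the peer address and the request type out of each `Failed authentication` line, and counts failures per peer. `SAMPLE_LOG` is constructed from the quoted lines plus one made-up unrelated line, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: broker log lines quoted in the report, hard-wrapped the
# way the mail rendered them, plus one unrelated line that must be skipped.
SAMPLE_LOG = """\
[2020-01-30 17:23:55,228] INFO [SocketServer brokerId=0] Failed
authentication with /10.244.0.1 (Unexpected Kafka request of type METADATA
during SASL handshake.) (org.apache.kafka.common.network.Selector)
[2020-01-30 17:23:55,633] INFO [SocketServer brokerId=0] Failed authentication
with /10.244.0.1 (Unexpected Kafka request of type METADATA during SASL
handshake.) (org.apache.kafka.common.network.Selector)
[2020-01-30 17:23:56,000] INFO constructed unrelated line (example.Logger)
"""

RECORD_START = re.compile(r"\s*\[\d{4}-\d{2}-\d{2} ")
FAILED_AUTH = re.compile(
    r"\[(?P<ts>[^\]]+)\] \w+ \[SocketServer brokerId=(?P<broker>\d+)\] "
    r"Failed authentication with (?P<host>[^/\s]*)/(?P<ip>[0-9A-Fa-f.:]+) "
    r"\((?P<reason>.*)\) \((?P<logger>[\w.$]+)\)$"
)
PRE_SASL = re.compile(r"Unexpected Kafka request of type (\w+) during SASL handshake")

def records(text):
    """Re-join hard-wrapped log text into one string per log record."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if RECORD_START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def failed_auth_events(text):
    """One dict per 'Failed authentication' record; other records are skipped."""
    events = []
    for rec in records(text):
        m = FAILED_AUTH.match(rec)
        if m:
            req = PRE_SASL.search(m["reason"])
            events.append({**m.groupdict(), "request_type": req and req.group(1)})
    return events

def summarize(events):
    """Count failures per (broker id, peer IP, request sent before SASL)."""
    return Counter((e["broker"], e["ip"], e["request_type"]) for e in events)

if __name__ == "__main__":
    print(summarize(failed_auth_events(SAMPLE_LOG)))
```

Run over the lines in the report, every failure is attributed to the same peer, 10.244.0.1, on broker 0.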
