...
This configuration contains 3 Apache Kafka brokers in a cluster with a single Apache Zookeeper instance. Each broker mounts two folders under /tmp: jks, which contains the server keystores and the truststore, and client, which contains the client properties file and the client keystore/truststore.
...
The names of the Kafka environment variables depend on the Kafka docker image; for example, bitnami/kafka prefixes its parameters with KAFKA_CFG_. For wurstmeister/kafka the following values are provided (at start-up the image writes every KAFKA_* variable into the server.properties file of the Kafka instance, lowercased and with underscores turned into dots):

```
KAFKA_ZOOKEEPER_CONNECT=zookeeper:2181
KAFKA_TRANSACTION_STATE_LOG_MIN_ISR=2
KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR=2
KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR=3
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP=INTERNAL:SSL,EXTERNAL:SSL
KAFKA_INTER_BROKER_LISTENER_NAME=INTERNAL
KAFKA_SSL_TRUSTSTORE_TYPE=jks
KAFKA_SSL_TRUSTSTORE_LOCATION=/tmp/jks/kafka.truststore.jks
KAFKA_SSL_TRUSTSTORE_PASSWORD=secret
KAFKA_SSL_KEYSTORE_PASSWORD=secret
KAFKA_SSL_KEY_PASSWORD=secret
KAFKA_SSL_CLIENT_AUTH=required
KAFKA_SSL_KEYSTORE_TYPE=jks
KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM=HTTPS
KAFKA_AUTHORIZER_CLASS_NAME=kafka.security.authorizer.AclAuthorizer
KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND=false
KAFKA_SUPER_USERS=User:kafka
KAFKA_MIN_INSYNC_REPLICAS=2
KAFKA_MESSAGE_MAX_BYTES=1000000
KAFKA_AUTO_CREATE_TOPICS_ENABLE=false
KAFKA_SSL_PRINCIPAL_MAPPING_RULES='RULE:^CN=(.*?),OU=ServiceUsers.*$/$1/,RULE:^CN=(.*?),OU=(.*?),O=(.*?),L=(.*?),ST=(.*?),C=(.*?)$/$1@$2/L,RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/L,DEFAULT'
```

Points to check before using this list:

- The keystore location (KAFKA_SSL_KEYSTORE_LOCATION) is not in the list; every broker needs it set to its own keystore under /tmp/jks.
- The password value secret is a placeholder and must be replaced; the same passwords also appear in server.properties on the broker, so restrict file permissions there.
- Both listeners are SSL and KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM=HTTPS, so clients and, for inter-broker traffic, the brokers themselves verify the hostname of the broker certificate. Each broker certificate therefore needs a SAN that matches the hostname advertised for that listener, or connections fail with a hostname verification error.
- KAFKA_SSL_CLIENT_AUTH=required rejects every connection that does not present a client certificate trusted by the truststore; the mapped certificate DN becomes the Kafka principal, and KAFKA_SUPER_USERS=User:kafka grants full access to whichever certificate maps to the name kafka. Keep only your own CA in kafka.truststore.jks.
...
Each Kafka client should have its own keystore/truststore pair, referenced from the client configuration:
Spring Boot

```yaml
spring:
  kafka:
    security:
      protocol: SSL
    ssl:
      key-password: ${keyPassword}
      key-store-type: jks
      key-store-location: ${keystoreLocation}      # resource location of client.keystore.jks, e.g. file:/tmp/client/client.keystore.jks
      key-store-password: ${keystorePassword}
      trust-store-type: jks
      trust-store-location: ${truststoreLocation}  # resource location of client.truststore.jks
      trust-store-password: ${truststorePassword}
```
...
Plain producer/consumer settings (client.properties) take the same values; the ${...} placeholders are substituted from environment variables when the file is generated, since Java properties files do not expand them:

```properties
security.protocol=SSL
ssl.key.password=${keyPassword}
ssl.keystore.type=jks
ssl.keystore.password=${keystorePassword}
ssl.keystore.location=${keystoreLocation}      # path to the client.keystore.jks
ssl.truststore.type=jks
ssl.truststore.password=${truststorePassword}
ssl.truststore.location=${truststoreLocation}  # path to the client.truststore.jks
```
...
To enable ACLs, the following values must be present in the Kafka server.properties file (the environment variables above produce exactly these entries on the wurstmeister image):

```properties
ssl.client.auth=required
allow.everyone.if.no.acl.found=false
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
super.users=User:kafka
# These rules translate the DN as follows:
#   CN=serviceuser,OU=ServiceUsers,O=Unknown,L=Unknown,ST=Unknown,C=Unknown  ->  serviceuser
#   CN=adminUser,OU=Admin,O=Unknown,L=Unknown,ST=Unknown,C=Unknown           ->  adminuser@admin
ssl.principal.mapping.rules=RULE:^CN=(.*?),OU=ServiceUsers.*$/$1/,RULE:^CN=(.*?),OU=(.*?),O=(.*?),L=(.*?),ST=(.*?),C=(.*?)$/$1@$2/L,RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/L,DEFAULT
```

ssl.client.auth=required is what ties the ACLs to certificates: with requested instead of required, a client without a certificate is still admitted as User:ANONYMOUS and only stopped by allow.everyone.if.no.acl.found=false. The rules are evaluated in order and the first one whose regular expression matches the whole DN wins; the trailing /L lowercases the result, and DEFAULT keeps the full DN as the principal for any certificate no rule matches, which then matches no User:<name> ACL.
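As an added example (not code from this page's configuration or from Kafka itself), the following Python script re-implements the first-match semantics of ssl.principal.mapping.rules for the rule string used both in the broker environment variables above and in this server.properties block, so the principal that a given client certificate will be authorized as can be checked before certificates and ACLs are issued. It assumes the DN is in the RFC 2253 form that Kafka takes from the peer certificate (comma-separated, no spaces after the commas); the two DNs from the comment above are the page's own, the remaining DNs are constructed test inputs.

```python
import re

# The ssl.principal.mapping.rules value from the page, unchanged.
MAPPING_RULES = (
    "RULE:^CN=(.*?),OU=ServiceUsers.*$/$1/,"
    "RULE:^CN=(.*?),OU=(.*?),O=(.*?),L=(.*?),ST=(.*?),C=(.*?)$/$1@$2/L,"
    "RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/L,"
    "DEFAULT"
)

# One RULE:<regex>/<replacement>/<L|U>? entry or the DEFAULT keyword.
# Regex and replacement may not contain an unescaped '/', which is how the
# commas inside the patterns survive the comma-separated rule list.
_RULE_RE = re.compile(r"RULE:((?:\\.|[^\\/])*)/((?:\\.|[^\\/])*)/([LU]?)|DEFAULT")


def parse_rules(rules):
    """Return a list of (compiled_regex, python_replacement, case_flag);
    None stands for DEFAULT (pass the DN through unchanged)."""
    parsed = []
    for m in _RULE_RE.finditer(rules):
        if m.group(0) == "DEFAULT":
            parsed.append(None)
            continue
        pattern, replacement, flag = m.groups()
        # Java back-references are $1, $2 ...; Python's re.sub wants \1, \2 ...
        replacement = re.sub(r"\$(\d+)", r"\\\1", replacement)
        parsed.append((re.compile(pattern), replacement, flag))
    return parsed


def map_principal(dn, rules):
    """Kafka semantics: the first rule whose regex matches the WHOLE DN wins,
    its replacement is applied, then the optional L/U case folding.
    DEFAULT yields the DN itself.  Returns None when no rule matches and no
    DEFAULT is configured (Kafka raises NoMatchingRule in that case)."""
    for rule in parse_rules(rules):
        if rule is None:
            return dn
        pattern, replacement, flag = rule
        if pattern.fullmatch(dn) is None:
            continue
        result = pattern.sub(replacement, dn)
        if flag == "L":
            result = result.lower()
        elif flag == "U":
            result = result.upper()
        return result
    return None


# Constructed DNs: the two from the page plus edge cases worth knowing about.
SAMPLE_DNS = [
    "CN=serviceuser,OU=ServiceUsers,O=Unknown,L=Unknown,ST=Unknown,C=Unknown",
    "CN=adminUser,OU=Admin,O=Unknown,L=Unknown,ST=Unknown,C=Unknown",
    # rule 1 wins over rule 2 because it comes first: 'kafka', not 'kafka@serviceusers',
    # i.e. any certificate with CN=kafka,OU=ServiceUsers becomes the super user.
    "CN=kafka,OU=ServiceUsers,O=Unknown,L=Unknown,ST=Unknown,C=Unknown",
    # attributes in another order: only the catch-all rule 3 matches
    "C=US,O=Example,CN=Kafka.Client",
    # no CN at all: DEFAULT keeps the whole DN as the principal name
    "O=Example Org,C=US",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"{dn}\n    -> User:{map_principal(dn, MAPPING_RULES)}")
```

Running the script shows which principal name each certificate must be granted ACLs under; a DN that falls through to DEFAULT is a sign that either the certificate subject or the rule list needs fixing before the client is deployed.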
Enabling access for topics with a prefix
Script that grants ${username} producer and consumer access to all topics whose names start with ${prefix}. ${configPath} is a client properties file like the one above whose certificate maps to a principal allowed to alter ACLs (here the super user kafka):

```sh
kafka-acls.sh --bootstrap-server ${kafkaHost} --command-config ${configPath} \
  --add --allow-principal User:${username} --producer \
  --topic ${prefix} --resource-pattern-type prefixed
kafka-acls.sh --bootstrap-server ${kafkaHost} --command-config ${configPath} \
  --add --allow-principal User:${username} --consumer \
  --topic ${prefix} --group ${consumerGroup} --resource-pattern-type prefixed
```

--producer is shorthand for Write, Describe and Create on the topic; --consumer for Read and Describe on the topic plus Read on the group. Note that --resource-pattern-type prefixed applies to every resource in the command, so ${consumerGroup} is also treated as a prefix; without --allow-host the ACLs apply to all hosts (*). Verify the result with kafka-acls.sh --list --topic ${prefix} --resource-pattern-type prefixed using the same --bootstrap-server and --command-config options.
Script to revoke producer/consumer access (kafka-acls.sh asks for confirmation on --remove unless --force is given):

```sh
kafka-acls.sh --bootstrap-server ${kafkaHost} --command-config ${configPath} \
  --remove --allow-principal User:${username} --producer \
  --topic ${prefix} --resource-pattern-type prefixed
kafka-acls.sh --bootstrap-server ${kafkaHost} --command-config ${configPath} \
  --remove --allow-principal User:${username} --consumer \
  --topic ${prefix} --group ${consumerGroup} --resource-pattern-type prefixed
```
...