Security in Kafka Stages
The SASL authentication options provide two SASL mechanisms: PLAIN or GSSAPI (Kerberos).
Enabling security requires completing several prerequisite tasks in addition to configuring security properties in the stage.
Prerequisite Tasks
Before enabling security for a Kafka stage, complete the prerequisite tasks for the security method that you want to use:
- SSL/TLS
-
Complete the following prerequisite task before using SSL/TLS to connect to Kafka:
- Before using SSL/TLS to connect to Kafka, make sure Kafka is configured for SSL/TLS as described in the Kafka documentation.
- SASL with the PLAIN mechanism
- Complete the following prerequisite tasks before using SASL with the PLAIN
mechanism to connect to Kafka:
- Make sure Kafka is configured for SASL authentication with the PLAIN mechanism as described in the Kafka documentation.
- Define the user name and password credentials in a JAAS configuration file, as described in Providing PLAIN Credentials.
- SASL with the GSSAPI (Kerberos) mechanism
-
Complete the following prerequisite tasks before using SASL with the GSSAPI (Kerberos) mechanism to connect to Kafka:
- Make sure Kafka is configured for SASL authentication with the GSSAPI (Kerberos) mechanism as described in the Kafka documentation.
- Make sure that Kerberos authentication is enabled for Data Collector, as described in Kerberos Authentication.
-
Determine how to provide the Kerberos credentials and complete the required tasks as described in Providing Kerberos Credentials.
SASL Authentication Credentials
When using SASL authentication to connect to Kafka, the method that you use to provide credentials depends on whether you use the PLAIN or GSSAPI (Kerberos) SASL mechanism.
Providing PLAIN Credentials
To connect to Kafka using SASL authentication with the PLAIN mechanism, provide the credentials in a Java Authentication and Authorization Service (JAAS) file.
Create a JAAS configuration file on the Data Collector machine. You can define a single JAAS file for Data Collector. As a result, every Kafka connection in every pipeline that uses SASL authentication with the PLAIN mechanism uses the same credentials.
Add the following KafkaClient
login section to the
file:
KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="<username>"
password="<password>";
};
-Djava.security.auth.login.config=<JAAS config path>/kafka_client_jaas.conf
Providing Kerberos Credentials
To connect to Kafka using SASL authentication with the GSSAPI (Kerberos) mechanism, you must provide the Kerberos credentials to use.
You can provide Kerberos credentials in either of the following ways. You can also use both methods, as needed:
- JAAS file
- Define Kerberos credentials in a Java Authentication and Authorization Service (JAAS) file when you want to use the same keytab and principal for every Kafka connection in every pipeline that you create. When configured, credentials defined in connection properties override JAAS file credentials.
- Stage properties
- You can define Kerberos credentials in stage properties when the Kafka stage uses a stage library for Kafka 0.11.0.0 or higher. Define Kerberos credentials in stage properties when you want to use different credentials in different Kafka stages.
For details on enabling Kafka connections to use SASL authentication with the GSSAPI (Kerberos) mechanism, see Enabling SASL Authentication or Enabling SASL Authentication on SSL/TLS.
Using a Credential Store
You can define Kerberos keytabs in a credential store, then call the appropriate keytab from a Kafka stage.
Defining Kerberos keytabs in a credential store allows you to store multiple keytabs for use by Kafka stages. It also provides flexibility in how you use the keytabs. For example, you might create two separate keytabs, one for Kafka origins and one for Kafka destinations. Or, you might provide separate keytabs for every Kafka stage that you define.
Using a credential store makes it easy to update keytabs without having to edit the stages that use them. This can simplify tasks such as recycling keytabs or migrating pipelines to production.
Make sure that Data Collector is configured to use a supported credential store. For a list of supported credential stores and instructions on enabling each credential store, see Credential Stores.
For an additional layer of security, you can require group access to credential store secrets.
Enabling SSL/TLS Encryption
When the Kafka cluster uses the Kafka SSL security protocol, enable the Kafka stage to use SSL/TLS encryption.
Before you enable Kafka stages to use SSL/TLS, make sure that you have performed all necessary prerequisite tasks. Then, perform the following steps to enable the Kafka stages to use SSL/TLS to connect to Kafka.
-
On the General tab of the stage, set the
Stage Library property to the appropriate Kafka
version.
-
On the Kafka tab of the stage, configure each Kafka
broker URI to use the SSL/TLS port.
The default SSL/TLS port number is 9093.
-
On the Security tab, configure the following
properties:
Security Property Description Security Option Set to SSL/TLS Encryption (Security Protocol=SSL). Truststore Type Type of truststore to use. Use one of the following types: - Java Keystore File (JKS)
- PKCS #12 (p12 file)
Default is Java Keystore File (JKS).
Truststore File Path to the truststore file. Enter an absolute path to the file or enter the following expression to define the file stored in the Data Collector resources directory: ${runtime:resourcesDirPath()}/keystore.jks
Truststore Password Password to the truststore file. Tip: To secure sensitive information such as passwords, you can use runtime resources or credential stores.Enabled Protocols Comma-separated list of protocols used to connect to the Kafka brokers. Ensure that at least one of these protocols is enabled in the Kafka brokers. Note: Older protocols are not as secure as TLSv1.2.
Enabling SSL/TLS Encryption and Authentication
When the Kafka cluster uses the Kafka SSL security protocol and requires client authentication, enable the Kafka stage to use SSL/TLS encryption and authentication.
Before you enable a Kafka stage to use SSL/TLS encryption and authentication, make sure that you have performed all necessary prerequisite tasks. Then, perform the following steps to enable the stage to use SSL/TLS encryption and authentication to connect to Kafka.
-
On the General tab of the stage, set the
Stage Library property to the appropriate Kafka
version.
-
On the Kafka tab of the stage, configure each Kafka
broker URI to use the SSL/TLS port.
The default SSL/TLS port number is 9093.
-
On the Security tab, configure the following
properties:
Security Property Description Security Option Set to SSL/TLS Encryption and Authentication (Security Protocol=SSL). Truststore Type Type of truststore to use. Use one of the following types: - Java Keystore File (JKS)
- PKCS #12 (p12 file)
Default is Java Keystore File (JKS).
Truststore File Path to the truststore file. Enter an absolute path to the file or enter the following expression to define the file stored in the Data Collector resources directory: ${runtime:resourcesDirPath()}/keystore.jks
Truststore Password Password to the truststore file. Tip: To secure sensitive information such as passwords, you can use runtime resources or credential stores.Keystore Type Type of keystore to use. Use one of the following types: - Java Keystore File (JKS)
- PKCS #12 (p12 file)
Default is Java Keystore File (JKS).
Keystore File Path to the keystore file. Enter an absolute path to the file or enter the following expression to define the file stored in the Data Collector resources directory: ${runtime:resourcesDirPath()}/keystore.jks
Keystore Password Password to the keystore file. Key Password Password for the key in the keystore file. Tip: To secure sensitive information such as passwords, you can use runtime resources or credential stores.Enabled Protocols Comma-separated list of protocols used to connect to the Kafka brokers. Ensure that at least one of these protocols is enabled in the Kafka brokers. Note: Older protocols are not as secure as TLSv1.2.
Enabling SASL Authentication
When the Kafka cluster uses the Kafka SASL_PLAINTEXT security protocol, enable the Kafka stage to use SASL authentication.
Before you enable Kafka stages to use SASL authentication, make sure that you have performed all necessary prerequisite tasks.
-
To use a Java Authentication and Authorization Service (JAAS) file to provide
plain or Kerberos credentials, create a JAAS configuration file on the Data Collector machine.
The contents of the JAAS configuration file depend on whether you use the PLAIN or GSSAPI (Kerberos) SASL mechanism and depend on your Data Collector installation and authentication type. For details, see Providing PLAIN Credentials or Providing Kerberos Credentials.
-
If using the GSSAPI (Kerberos) SASL mechanism and a
credential store to call keytabs from stage properties, add the Base64-encoded
keytabs that you want to use to the credential store.
Note: Be sure to remove unnecessary characters, such as newline characters, before encoding the keytab.
If you configured Data Collector to require group secrets, for each keytab secret that you define, create a group secret and specify a comma-separated list of groups allowed to access the keytab secret.
Name the group secret based on the keytab secret name, as follows:
<keytab secret name>-groups
.For details on defining secrets, see your credential store documentation.
-
On the General tab of the Kafka stage, set the
Stage Library property to the appropriate Kafka
version.
If using stage properties to define Kafka credentials, select a stage library for Kafka version 0.11.0.0 or later.
-
On the Security tab of the stage, configure the
following properties:
Security Property Description Security Option Set to SASL Authentication (Security Protocol=SASL_PLAINTEXT). SASL Mechanism SASL mechanism to use: - PLAIN
- GSSAPI (Kerberos)
Kerberos Service Name Kerberos service principal name that the Kafka brokers run as. Available when using the GSSAPI (Kerberos) mechanism.
Provide Keytab at Runtime Enables providing Kerberos credentials in the connection properties. Important: Configuring Kerberos credentials in connection properties is not supported in Transformer pipelines at this time.Available when using the GSSAPI (Kerberos) mechanism.
Runtime Keytab Kerberos keytab to use for the connection, specified in one of the following ways: - Enter a Base64-encoded keytab.
Be sure to remove unnecessary characters, such as newline characters, before encoding the keytab.
- If using a credential store, use the
credential:get()
orcredential:getWithOptions()
credential function to retrieve a Base64-encoded keytab.Note: The user who starts the pipeline must be in the Data Collector group specified in the credential function. When Data Collector requires a group secret, the user must also be in a group associated with the keytab.
For more information about using keytabs in a credential store, see Using a Credential Store.
Available when using the GSSAPI (Kerberos) mechanism.
Runtime Principal Kerberos principal to use for the connection, specified in the following format: <principal name>/<host name>@<realm>
.Available when using the GSSAPI (Kerberos) mechanism.
Enabling SASL Authentication on SSL/TLS
When the Kafka cluster uses the SASL_SSL security protocol, enable the Kafka stage to use SASL authentication on SSL/TLS.
Before you enable Kafka stages to use SASL authentication on SSL/TLS, make sure that you have performed all necessary prerequisite tasks.
-
To use a Java Authentication and Authorization Service (JAAS) file to provide
plain or Kerberos credentials, create a JAAS configuration file on the Data Collector machine.
The contents of the JAAS configuration file depend on whether you use the PLAIN or GSSAPI (Kerberos) SASL mechanism and depend on your Data Collector installation and authentication type. For details, see Providing PLAIN Credentials or Providing Kerberos Credentials.
-
If using the GSSAPI (Kerberos) SASL mechanism and a
credential store to call keytabs from stage properties, add the Base64-encoded
keytabs that you want to use to the credential store.
Note: Be sure to remove unnecessary characters, such as newline characters, before encoding the keytab.
If you configured Data Collector to require group secrets, for each keytab secret that you define, create a group secret and specify a comma-separated list of groups allowed to access the keytab secret.
Name the group secret based on the keytab secret name, as follows:
<keytab secret name>-groups
.For details on defining secrets, see your credential store documentation.
-
On the General tab of the Kafka stage, set the
Stage Library property to the appropriate Kafka
version.
If using stage properties to define Kafka credentials, select a stage library for Kafka version 0.11.0.0 or later.
-
On the Security tab of the stage, configure the
following properties:
Security Property Description Security Option Set to SASL Authentication on SSL/TLS (Security Protocol=SASL_SSL). SASL Mechanism SASL mechanism to use: - PLAIN
- GSSAPI (Kerberos)
Kerberos Service Name Kerberos service principal name that the Kafka brokers run as. Available when using the GSSAPI (Kerberos) mechanism.
Provide Keytab at Runtime Enables providing Kerberos credentials in the connection properties. Important: Configuring Kerberos credentials in connection properties is not supported in Transformer pipelines at this time.Available when using the GSSAPI (Kerberos) mechanism.
Runtime Keytab Kerberos keytab to use for the connection, specified in one of the following ways: - Enter a Base64-encoded keytab.
Be sure to remove unnecessary characters, such as newline characters, before encoding the keytab.
- If using a credential store, use the
credential:get()
orcredential:getWithOptions()
credential function to retrieve a Base64-encoded keytab.Note: The user who starts the pipeline must be in the Data Collector group specified in the credential function. When Data Collector requires a group secret, the user must also be in a group associated with the keytab.
For more information about using keytabs in a credential store, see Using a Credential Store.
Available when using the GSSAPI (Kerberos) mechanism.
Runtime Principal Kerberos principal to use for the connection, specified in the following format: <principal name>/<host name>@<realm>
.Available when using the GSSAPI (Kerberos) mechanism.
Truststore File Path to the truststore file. Enter an absolute path to the file or enter the following expression to define the file stored in the Data Collector resources directory: ${runtime:resourcesDirPath()}/keystore.jks
Truststore Password Password to the truststore file. Tip: To secure sensitive information such as passwords, you can use runtime resources or credential stores.Enabled Protocols Comma-separated list of protocols used to connect to the Kafka brokers. Ensure that at least one of these protocols is enabled in the Kafka brokers. Note: Older protocols are not as secure as TLSv1.2.Truststore Type Type of truststore to use. Use one of the following types: - Java Keystore File (JKS)
- PKCS #12 (p12 file)
Default is Java Keystore File (JKS).
Enabling Custom Authentication
To specify security requirements with custom properties, enable the Kafka stage to use custom authentication.
With custom authentication, you specify custom properties that contain the information required by the security protocol rather than using the properties in the stage. For example, you can enable custom authentication and then configure custom properties required for the SASL_SSL security protocol rather than enabling SASL Authentication on SSL/TLS.
Before enabling custom authentication, complete any necessary prerequisites for the security methods you are using, as described in the Kafka documentation. For example, if using SSL/TLS to connect to Kafka, you must make sure Kafka is configured for SSL/TLS.
- On the General tab of the stage, set the Stage Library property to the appropriate Kafka version.
-
On the Security tab, configure the following
properties:
Security Property Description Security Option Set to Custom Authentication (Security Protocol=CUSTOM). Custom Security Properties Additional security properties to use. In simple or bulk edit mode, click the Add icon to add properties. Define the security property name and value. Use the property names and values as expected for Kafka clients. For more information, see the Kafka documentation.
For example, to configure the SASL_SSL security protocol with the PLAIN mechanism, in Custom Security Properties you configure properties to set the protocol, to connect to the Java Authentication and Authorization Service (JAAS), and to use SSL/TLS:Name Value security.protocol SASL_SSL sasl.mechanism PLAIN sasl.jaas.config org.apache.kafka.common.security.plain.PlainLoginModule required \ username="<user name for JAAS>"\ password="<password>";
ssl.truststore.location <full path to the client truststore jks file> ssl.truststore.password <password>