To connect to Kafka using SASL authentication with the GSSAPI (Kerberos) mechanism, you must provide the Kerberos credentials to use.

You can provide Kerberos credentials in either of the following ways, or use both methods as needed:
- JAAS file
  - Define Kerberos credentials in a Java Authentication and Authorization Service (JAAS) file when you want to use the same keytab and principal for every Kafka connection in every pipeline that you create. When configured, credentials defined in connection properties override JAAS file credentials.
  - You might use this method to provide a default keytab and principal, then use connection properties to specify different credentials as needed.
  - To use a JAAS file, create a separate JAAS configuration file on the Data Collector machine. Add the following KafkaClient login section to the file:

        KafkaClient {
          com.sun.security.auth.module.Krb5LoginModule required
          useKeyTab=true
          keyTab="<keytab path>"
          principal="<principal name>/<host name>@<realm>";
        };

    Then modify the Java configuration options used by the deployment to include the option that defines the path to the JAAS configuration file. In Control Hub, edit the deployment. In the Configure Engine section, click Advanced Configuration. Then, click Java Configuration. Add the following option to the Java Options property:

        -Djava.security.auth.login.config=<JAAS config path>/kafka_client_jaas.conf
  - Add the configuration properties required for Kafka clients based on your installation and authentication type:
    - Tarball, RPM, or Cloudera Manager installation without LDAP authentication - If Data Collector does not use LDAP authentication, create a separate JAAS configuration file on the Data Collector machine. Add the following KafkaClient login section to the file:

          KafkaClient {
            com.sun.security.auth.module.Krb5LoginModule required
            useKeyTab=true
            keyTab="<keytab path>"
            principal="<principal name>/<host name>@<realm>";
          };

      For example:

          KafkaClient {
            com.sun.security.auth.module.Krb5LoginModule required
            useKeyTab=true
            keyTab="/etc/security/keytabs/kafka_client.keytab"
            principal="kafka/node-01.cluster@EXAMPLE.COM";
          };

      Then modify the SDC_JAVA_OPTS environment variable to include the following option that defines the path to the JAAS configuration file:

          -Djava.security.auth.login.config=<JAAS config path>/kafka_client_jaas.conf

      Modify environment variables using the method required by your installation type.
    - Tarball or RPM installation with LDAP authentication - If LDAP authentication is enabled in a tarball or RPM installation, add the properties to the JAAS configuration file used by Data Collector - the $SDC_CONF/ldap-login.conf file. Add the following KafkaClient login section to the end of the ldap-login.conf file:

          KafkaClient {
            com.sun.security.auth.module.Krb5LoginModule required
            useKeyTab=true
            keyTab="<keytab path>"
            principal="<principal name>/<host name>@<realm>";
          };

      For example:

          KafkaClient {
            com.sun.security.auth.module.Krb5LoginModule required
            useKeyTab=true
            keyTab="/etc/security/keytabs/kafka_client.keytab"
            principal="kafka/node-01.cluster@EXAMPLE.COM";
          };
    - Cloudera Manager installation with LDAP authentication - If LDAP authentication is enabled in a Cloudera Manager installation, enable the LDAP Config File Substitutions (ldap.login.file.allow.substitutions) property for the StreamSets service in Cloudera Manager.

      If the Use Safety Valve to Edit LDAP Information (use.ldap.login.file) property is enabled and LDAP authentication is configured in the Data Collector Advanced Configuration Snippet (Safety Valve) for ldap-login.conf field, then add the JAAS configuration properties to the same ldap-login.conf safety valve.

      If LDAP authentication is configured through the LDAP properties rather than the ldap-login.conf safety valve, add the JAAS configuration properties to the Data Collector Advanced Configuration Snippet (Safety Valve) for generated-ldap-login-append.conf field.

      Add the following KafkaClient login section to the appropriate field as follows:

          KafkaClient {
            com.sun.security.auth.module.Krb5LoginModule required
            useKeyTab=true
            keyTab="_KEYTAB_PATH"
            principal="<principal name>/_HOST@<realm>";
          };

      For example:

          KafkaClient {
            com.sun.security.auth.module.Krb5LoginModule required
            useKeyTab=true
            keyTab="_KEYTAB_PATH"
            principal="sdc/_HOST@EXAMPLE.COM";
          };

      Cloudera Manager generates the appropriate keytab path and host name.
- Stage properties
  - You can define Kerberos credentials in stage properties when the Kafka stage uses a stage library for Kafka 0.11.0.0 or higher. Define Kerberos credentials in stage properties when you want to use different credentials in different Kafka stages.
  - If you also configure a JAAS file to provide Kerberos credentials, the credentials that you enter in stage properties override those in the JAAS file.
  - To provide Kerberos credentials in stage properties, you select the Provide Keytab property on the Security tab of the stage. You specify the principal in plain text, then you use one of the following methods to specify the keytab:
    - Enter a Base64-encoded keytab in the Runtime Keytab property.
      Encode the keytab before entering it in the stage property. Be sure to remove unnecessary characters, such as newline characters, before encoding the keytab.
    - Use a credential function to access a Base64-encoded keytab defined in a credential store.
      For more information, see Using a Credential Store.

  Note: Configuring Kerberos credentials in stage properties is not supported in cluster pipelines at this time.
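As an added check that is not part of the original documentation, the following Python script parses a KafkaClient login section of the form shown above, validates the principal format and the keytab path (including that the keytab file is not accessible to group or others), and produces the single-line Base64 value that the Runtime Keytab stage property expects. It assumes the _KEYTAB_PATH and _HOST placeholders are valid because Cloudera Manager substitutes them; the embedded JAAS text is a constructed sample.

```python
import base64
import re
import stat
from pathlib import Path

# Constructed sample: the Cloudera Manager form of the KafkaClient section.
EXAMPLE_JAAS = """KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="_KEYTAB_PATH"
  principal="sdc/_HOST@EXAMPLE.COM";
};"""

KAFKA_CLIENT_RE = re.compile(r"KafkaClient\s*\{(.*?)\}\s*;", re.DOTALL)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"?([^"\s;]+)"?')
# <name>/<host>@<REALM>; "_HOST" is the placeholder Cloudera Manager fills in.
PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9.-]+/([A-Za-z0-9.-]+|_HOST)@[A-Za-z0-9.-]+$")


def parse_kafka_client(jaas_text):
    """Return the Krb5LoginModule options of the KafkaClient section, or None."""
    m = KAFKA_CLIENT_RE.search(jaas_text)
    if not m or "Krb5LoginModule required" not in m.group(1):
        return None
    return dict(OPTION_RE.findall(m.group(1)))


def check_options(opts):
    """Return a list of problems with the parsed options (empty when clean)."""
    problems = []
    if opts.get("useKeyTab") != "true":
        problems.append("useKeyTab must be true for a keytab-based login")
    principal = opts.get("principal", "")
    if not PRINCIPAL_RE.match(principal):
        problems.append(f"principal {principal!r} is not <name>/<host>@<REALM>")
    keytab = opts.get("keyTab", "")
    if not keytab:
        problems.append("keyTab is missing")
    elif keytab != "_KEYTAB_PATH":  # Cloudera Manager generates the real path
        path = Path(keytab)
        if not path.is_file():
            problems.append(f"keytab {keytab} does not exist")
        elif path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"keytab {keytab} is accessible to group or others")
    return problems


def encode_runtime_keytab(keytab_bytes):
    """Single-line Base64 for the Runtime Keytab stage property (no newlines)."""
    return base64.b64encode(keytab_bytes).decode("ascii")
```

Run check_options(parse_kafka_client(open(path).read())) against your own JAAS file before restarting Data Collector; an empty list means the section parsed cleanly.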
For details on enabling Kafka connections to use SASL authentication with the GSSAPI (Kerberos) mechanism, see Enabling SASL Authentication or Enabling SASL Authentication on SSL/TLS.