SSL Authentication and Authorization

Kafka Authorization is based on the following:

Note
Apache Kafka 2.4.0 introduced KIP-504 - Add new Java Authorizer Interface for authorization.

For SSL with client authentication enabled, TransportLayer#handshake() performs authentication. For SASL, authentication is performed by Authenticator#authenticate().

For SSL authentication, the principal will be derived using the rules defined by ssl.principal.mapping.rules applied on the distinguished name from the client certificate if one is provided. Otherwise, if client authentication is not required, the principal name will be ANONYMOUS.

For PLAINTEXT listeners or when client authentication is not required, the principal will always be ANONYMOUS.
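The principal derivation described above, as an added example (not Kafka's own code): a simplified Python re-implementation of the ssl.principal.mapping.rules syntax, the ANONYMOUS fallback, and a minimal ACL decision that shows what allow.everyone.if.no.acl.found=true (the demo's setting below) does. DEMO_RULES, the ACL dictionaries, and the ssl.client.auth values passed to principal_for are constructed for illustration; Kafka's real authorizer also handles prefixed resources and implied operations, which are omitted here.

```python
import re

# Simplified re-implementation of Kafka's SslPrincipalMapper (ssl.principal.mapping.rules):
# "RULE:pattern/replacement/[L|U]" entries and "DEFAULT", comma-separated, tried in order.
RULE_RE = re.compile(r"DEFAULT|RULE:((?:\\.|[^\\/])*)/((?:\\.|[^\\/])*)/([LU]?)")
ANONYMOUS = "User:ANONYMOUS"
# Constructed rule set: map service certs to their CN, everything else to cn@ou (lowercased)
DEMO_RULES = ("RULE:^CN=(.*?),OU=ServiceUsers.*$/$1/,"
              "RULE:^CN=(.*?),OU=(.*?),O=(.*?),L=(.*?),ST=(.*?),C=(.*?)$/$1@$2/L,DEFAULT")


def map_dn(dn, rules="DEFAULT"):
    """Map a client certificate's distinguished name to a principal name."""
    for m in RULE_RE.finditer(rules):
        if m.group(0) == "DEFAULT":
            return dn  # DEFAULT keeps the full DN as the principal name
        pattern, case = re.compile(m.group(1)), m.group(3)
        repl = re.sub(r"\$(\d+)", r"\\\1", m.group(2))  # Java $1 -> Python \1
        if pattern.fullmatch(dn):  # first rule matching the whole DN wins
            name = pattern.sub(repl, dn)
            return name.lower() if case == "L" else name.upper() if case == "U" else name
    raise ValueError(f"no rule in {rules!r} matches {dn!r}")


def principal_for(security_protocol, client_auth="none", client_dn=None, rules="DEFAULT"):
    """Principal a broker assigns to a connection, following the text above."""
    if security_protocol == "PLAINTEXT":
        return ANONYMOUS
    if client_dn is None:  # TLS without a client certificate
        if client_auth == "required":
            raise PermissionError("ssl.client.auth=required: handshake fails without a cert")
        return ANONYMOUS  # ssl.client.auth=none/requested: caller stays unauthenticated
    return "User:" + map_dn(client_dn, rules)


def authorize(principal, resource, operation, acls, allow_everyone_if_no_acl_found=False):
    """Simplified AclAuthorizer decision: Deny beats Allow; a resource with no ACL at
    all falls back to allow.everyone.if.no.acl.found (which the demo sets to true)."""
    matching = [a for a in acls if a["resource"] == resource]
    if not matching:
        return allow_everyone_if_no_acl_found

    def hits(a, perm):
        return (a["permission"] == perm and a["principal"] in (principal, "User:*")
                and a["operation"] in (operation, "All"))
    if any(hits(a, "Deny") for a in matching):
        return False
    return any(hits(a, "Allow") for a in matching)
```

Note that with allow.everyone.if.no.acl.found=true an ANONYMOUS client gets full access to any resource that has no ACL at all, so the demo setting is only suitable for a sandbox.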

Demo

With Kafka in Docker (and the wurstmeister/kafka Docker image), use the following docker-compose.yml to enable AclAuthorizer for authorization.

Caution
The demo below still configures the deprecated kafka.security.auth.SimpleAclAuthorizer; review it to use AclAuthorizer.
docker-compose.yml
version: '2'
services:
  zookeeper:
    image: wurstmeister/zookeeper
    ports:
      - "2181:2181"
  kafka:
    build: .
    ports:
      - "9092"
    environment:
      KAFKA_ADVERTISED_HOST_NAME: 192.168.0.87
      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
      KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.auth.SimpleAclAuthorizer
      KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "true"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

Run a 3-node Kafka cluster with authentication. Use the official documentation of kafka-docker for reference.

$ docker-compose up -d --scale kafka=3
Starting kafka-docker_kafka_1     ... done
Starting kafka-docker_kafka_2     ... done
Starting kafka-docker_kafka_3     ... done
Starting kafka-docker_zookeeper_1 ... done

$ docker-compose ps
          Name                        Command               State                         Ports
----------------------------------------------------------------------------------------------------------------------
kafka-docker_kafka_1       start-kafka.sh                   Up      0.0.0.0:32792->9092/tcp
kafka-docker_kafka_2       start-kafka.sh                   Up      0.0.0.0:32790->9092/tcp
kafka-docker_kafka_3       start-kafka.sh                   Up      0.0.0.0:32791->9092/tcp
kafka-docker_zookeeper_1   /bin/sh -c /usr/sbin/sshd  ...   Up      0.0.0.0:2181->2181/tcp, 22/tcp, 2888/tcp, 3888/tcp

// without -f, to check the status at the Kafka level
$ docker logs kafka-docker_kafka_1
...
INFO Kafka version: 2.3.0 (org.apache.kafka.common.utils.AppInfoParser)
INFO Kafka commitId: fc1aaa116b661c8a (org.apache.kafka.common.utils.AppInfoParser)
INFO Kafka startTimeMs: 1568969945089 (org.apache.kafka.common.utils.AppInfoParser)
INFO [KafkaServer id=1001] started (kafka.server.KafkaServer)

// Stop the cluster
$ docker-compose stop
