Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Can Kafka be provided with custom LoginModule to support LDAP?

Tags:

ldap

apache-kafka

jaas

sasl

Kafka can be configured to use several authentication mechanisms: plaintext username/password, Kerberos or SSL. The first 2 use SASL, where there is a JAAS config file required.

For the plain text auth method, the config looks like (taken from the documentation):

KafkaServer {
   org.apache.kafka.common.security.plain.PlainLoginModule required
   username="admin"
   password="admin-secret"
   user_admin="admin-secret"
   user_alice="alice-secret";
};

I want to authenticate if possible using LDAP. My question is this: if I replace the PlainLoginModule with a class that implements LoginModule and place this class in the broker's classpath, can I implement authentication in any manner I wish (i.e. LDAP)?

I cannot use Kerberos in a reasonable fashion because of the way its principals are defined within the organisation where I'm working, hence I wish to use LDAP as I need to support RBAC.

like image 843
John Avatar asked Mar 08 '23 14:03

John

1 Answers

Yes you can provide Kafka with a custom class that implements LoginModule and have the authentication logic you want in it.

Then update the JAAS file with your class name and make sure it's in the classpath.

You'll need to put some boilerplate code to get everything setup correctly but you can use PlainLoginModule, PlainSaslServerProvider, PlainSaslServerFactory and PlainSaslServer as examples.

Your LoginModule class should have the same logic as PlainLoginModule but instead initialize your Provider implementation (in the static block).

Your Provider class should have the same logic as PlainSaslServerProvider but instead reference your SaslServerFactory implementation.

Your SaslFactory class should again have the same logic as PlainSaslServerFactory but create an instance of your SaslServer implementation.

Finally your SaslServer class should implement the necessary LDAP logic in its evaluateResponse() method. Just be sure to set correctly set this.authorizationId as this will become the user principal and set complete to true (like PlainSaslServer.evaluateResponse() does)

like image 197
Mickael Maison Avatar answered Apr 26 '23 02:04

Mickael Maison
Sign in to Comment

Related questions

Can't have JConsole read Kafka JMX
Reading latest in spark kafka streaming
Nested specific type de-serialization with Avro
Kafka Consumer Error - xxxx nodename nor servname provided, or not known
kafka-node consumer receives offsetOutOfRange error
Kafka Consumer subscription vs. assigned partition
what is the difference between kafka ProducerRecord and KeyedMessage
Deserialize Avro messages into specific datum using KafkaAvroDecoder
Spring kafka Consume multiple Message types in one consumer
Exception while accessing KafkaOffset from RDD
Desigining Kafka Topics - Many Topics vs One Big Topic
kafka Multi-Datacenter with high availability
Not able to start kafka with .\bin\windows\kafka-server-start.bat .\config\server.properties cmd
Kafka Consumers throwing java.lang.OutOfMemoryError: Direct buffer memory
Kafka not able to consume without reading from beginning -Java
How to assign client-id to a particular kafka producer or topic?
Kafka - Multiple consumers (only one active) on same group/topic

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!