Kafka Tutorial: Kafka Security

™
Kafka / Cassandra Support in EC2/AWS. Kafka Training, Kafka Consulting, Kafka
Tutorial
Cassandra and Kafka Support on AWS/EC2
Kafka Security
SSL Setup
TLS Setup
SASL
SASL Kerberos
ACLs
SASL Plain
SASL Scram

™
Tutorial

™
Tutorial
Kafka Security
❖ Authentication
❖ SASL, SSL
❖ Authorization
❖ Pluggable
❖ Encryption
❖ Communication SSL
❖ ACLS
3

™
Tutorial
Authentication
❖ Kafka Broker Authentication
❖ producers and consumers, brokers, tools
❖ SSL or SASL
❖ SASL is Simple Authentication and Security Layer
❖ Kafka supports the following SASL mechanisms:
❖ SASL/GSSAPI Kerberos
❖ SASL/PLAIN
❖ SASL/SCRAM-SHA-256 and SASL/SCRAM-SHA-512
❖ ZooKeeper Authentication
❖ brokers to ZooKeeper
4

™
Tutorial
Encryption and Authorization
❖ Encryption of data transferred (using SSL)
❖ broker, producer, consumers using
❖ Authorization
❖ read/write operations
❖ Pluggable Authorization
❖ integration with 3rd party providers
5

™
Tutorial
Kafka and SSL

™
Tutorial
SSL/TLS Overhead
❖ SSL/TLS have some overhead
❖ Especially true in JVM world which is not as performant for handling
SSL/TLS unless you are using Netty/OpenSSl integration
❖ Understanding SSL/TLS support for Kafka is important for developers,
DevOps and DBAs
❖ If possible, use no encryption for cluster communication, and deploy your
Kafka Cluster Broker nodes in a private subnet, and limit access to this
subnet to client transport
❖ Also if possible avoid using TLS/SSL on client transport and do client
operations from your app tier, which is located in a non-public subnet
7

™
Tutorial
Sometimes you have to encrypt
❖ However, that is not always possible to avoid TLS/SSL
❖ Regulations and commons sense
❖ U.S. Health Insurance Portability and Accountability Act (HIPAA),
Germany’s Federal Data Protection Act, The Payment Card Industry Data
Security Standard (PCI DSS), or U.S. Sarbanes-Oxley Act of 2002
❖ Or you might work for a bank or other financial institution
❖ Or it just might be a corporate policy to encrypt such transports.
❖ Kafka has essential security features: authentication, role-based
authorization, transport encryption, but is missing data at rest encryption,
up to you to encrypt records via OS file systems or use AWS KMS to
encrypt EBS volume
8

™
Tutorial
Encrypting client transports
❖ Data that travels over the client transport across a network could be accessed by someone you
don’t want accessing it
❖ with tools like wire shark.
❖ If data includes private information, SSN number, credentials (password, username), credit
card numbers or account numbers, then we want to make that data unintelligible (encrypted)
to any and all 3rd parties
❖ especially important if we don’t control the network
❖ You can also use TLS/SSL to ensure data has not been tampered with whilst traveling network
❖ Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols - designed to
provide these features
❖ Kafka is written in Java so uses JSSE framework for TLS support
❖ which in turn uses the Java Cryptography Architecture (JCA)
❖ Truststores are for Authentication
❖ Keystores are for Encryption
9

™
Tutorial
Avoid Man in the middle attacks
❖ Kafka Broker Config:
❖ ssl.endpoint.identification.algorithm=HTTPS
❖ Default `ssl.endpoint.identification.algorithm` is `null`
❖ not a secure default
❖ possible: man in the middle attacks
❖ HTTPS better option
❖ producers and consumers verify server's fully qualified domain
name (FQDN) against Common Name (CN) or Subject Alternative
Name (SAN)
10

™
Tutorial
Certificate Authority
❖ Each Kafka Broker in cluster has a public-private key pair,
and a certificate to identify broker
❖ To prevent forged certificates, you have to sign them
❖ Certificate authority (CA) signs certificates
❖ CA signs certificates
❖ signed certificates are hard to forge
❖ If you trust the CA, clients (producers, consumers, other
brokers) can trust the authenticity of Kafka brokers
11

™
Tutorial
Steps to use SSL for Consumer and
Producers
❖ Generate SSL key and certificate for each Kafka broker
❖ Generate cluster certificate into a keystore use keytool
❖ Generate or use CA (Certificate Authority) use openssl
❖ Import CA into Kafka’s truststore use keytool
❖ Sign cluster certificate with CA use openssl
❖ Import CA and signed cluster certificate into Kafka’s keystore use
keytool
❖ Run bin/create-ssl-key-keystore.sh copy files to /opt/kafka
❖ Configure servers (Kafka Broker)
❖ Configure clients (Kafka Producers, Kafka Consumers)
12

™
Tutorial
Common Variables for SSL Key Gen
❖ bin/create-ssl-key-keystore.sh
13

™
Tutorial
Generate cluster certificate into a keystore
❖ keytool ships with Java used for SSL/TLS
❖ —genkey generate a key
❖ —keystore location of keystore to add the key
❖ —keyalg RSA use the RSA algorithm for the key
❖ —alias Alias of the key we use this later to extract and sign key
❖ —storepass password for the keystore, —keypass password for
key
❖ —validity how many days is this key valid
14

™
Tutorial
Generate Certificate Authority - CA
❖ —req —new -x509 - create a new CA file using x509 format
❖ X.509 certificate contains a public key and an identity
❖ identify is hostname, or an organization, or an individual
❖ and is either signed by a certificate authority or self-signed
❖ —days how many days is this certificate valid
❖ —passin pass: / —passout pass: Passwords to access the certificate
❖ —subj Pass identity information about the certificate
15

™
Tutorial
Import CA into Kafka’s truststore
❖ -import -file $CERT_AUTH_FILE is CA file we
generated in the last step
❖ -keystore is location of trust keystore file
❖ —storepass password for the keystore, —keypass
password for key
16

™
Tutorial
Sign cluster certificate with CA
❖ Export the CLUSTER_CERT_FILE from the first step
from the keystore
❖ Then sign the CLUSTER_CERT_FILE with the CA
17

™
Tutorial
Import CA and Signed Cluster Certificate into Kafka’s
keystore
❖ Import the CA file into keystore
❖ it was already imported into the truststore
❖ Import the signed version of the cluster certificate into the
keystore
❖ This was the file we create in the last step
18

™
Tutorial
Generate / then Copy or move files so Kafka can
see them
❖ Copy and/or move files so that each Broker, Producer or
Consumer has access to /opt/kafka/conf/certs/
19
~/kafka-training/lab8/solution
$ bin/create-ssl-key-keystore.sh
Create the cluster key for cluster communication.
Create the Certificate Authority (CA) file to sign keys.
Generating a 1024 bit RSA private key
writing new private key to 'ca-key'
…
Certificate was added to keystore
Import the Signed Cluster Certificate into the key
store.
Certificate reply was installed in keystore
$ sudo cp -R resources/opt/kafka/ /opt/

™
Tutorial
Files generated
❖ ca-cert - Certificate Authority file - don’t ship this around
❖ kafka-cert - Kafka Certification File - public key and private key,
don’t ship this around
❖ kafka-cert-signed - Kafka Certification File signed with CA - don’t
ship around
❖ kafka.keystore - needed on all clients and servers
❖ kafka.truststore - needed on all clients and servers
20
$ ls /opt/kafka/conf/certs/
ca-cert kafka-cert
kafka-cert-signed kafka.keystore
kafka.truststore

™
Tutorial
Configure servers (Kafka Broker)
❖ Listeners configure protocols - Making Kafka available on SSL and plaintext
❖ Plaintext important for tools, block Plaintext at firewall or routes
❖ Passing in truststore and keystore locations and passwords
❖ security.inter.broker.protocol=SSL perhaps not needed if Kafka cluster on single private subnet
❖ SSL makes it go slower, and adds extra CPU load on Kafka Brokers
21

™
Tutorial
Setup Kafka Consumer for SSL
❖ Passing in truststore and keystore locations and
passwords
22

™
Tutorial
Setup Kafka Producer for SSL
❖ Passing in truststore and keystore locations and
passwords
23

™
Tutorial
Kafka and SASL

™
Tutorial
Kafka SASL Authentication - Brokers
❖ Kafka uses JAAS for SASL configuration
❖ Java Authentication and Authorization Service (JAAS)
❖ Kafka Broker JAAS config
❖ section name KafkaServer for JAAS file
❖ Provides SASL configuration options
❖ SASL client connections are configured
❖ Client section (-Dzookeeper.sasl.client=Client is default)
❖ Used to authenticate a SASL connection with zookeeper (service name, -
Dzookeeper.sasl.client.username=zookeeper by default)
❖ Allows Kafka brokers to set SASL ACL on zookeeper nodes
❖ locks nodes down so only brokers can modify ZooKeeper nodes
❖ Same principal must be used by all brokers in cluster
25

™
Tutorial
Kafka SASL Authentication - Clients
❖ Clients (Producers and Consumers) configure JAAS using client
configuration property sasl.jaas.config or using the static JAAS
config file
❖ Configure a login module in KafkaClient for the selected
mechanism GSSAPI (Kerberos), PLAIN or SCRAM
❖ -
Djava.security.auth.login.config=/opt/kafka/conf/kafka_consumer
_stocks_jaas.conf
26

™
Tutorial
SASL Broker config
❖ Kafka Broker Config : SASL configured with transport PLAINTEXT or SSL
❖ listeners=SASL_PLAINTEXT://hostname:port
❖ listener= SASL_SSL://hostname:port
❖ security.inter.broker.protocol=SASL_PLAINTEXT or SASL_SSL
❖ If SASL_SSL is used, then SSL has to be configured
❖ Kafka SASL Mechanisms
❖ GSSAPI (Kerberos)
❖ PLAIN
❖ SCRAM-SHA-256
❖ SCRAM-SHA-512
27

™
Tutorial
Kafka Authentication using SASL/Kerberos
❖ If you use Active Directory then no need to setup
Kerberos server
❖ If not using Active Directory you will need to install it
❖ If Oracle Java, download JCE policy files for your Java
version to $JAVA_HOME/jre/lib/security
28

™
Tutorial
SASL Kerberos: Create Kerberos Principals for
Kafka Broker
❖ Ask your Kerberos or Active Directory admin for a principal for each Kafka broker in
cluster
❖ Ensure all hosts are reachable using hostnames
❖ Kerberos requirement that all hosts are resolvable with FQDNs
❖ If running your own Kerberos server, create these principals
29
$ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey
kafka/{hostname}@{REALM}’
$ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{keytabname}.keytab
kafka/{hostname}@{REALM}”

™
Tutorial
SASL Kerberos: Configuring Kafka Brokers for
Kerberos
❖ Pass to JVM starting up broker
❖ -Djava.security.krb5.conf=/etc/kafka/krb5.conf
❖ -
Djava.security.auth.login.config=/var/kafka/conf/secutiry/kafka_server_j
aas.conf
30

™
Tutorial
SASL Kerberos: Configuring Kafka Broker Config for
Kerberos
❖ Configure SASL port and SASL mechanisms in server.properties as described
❖ Configure service name (sasl.kerberos.service.name),
❖ match principal name of the kafka brokers from JAAS config on last slide
❖ recall principal was “kafka/kafka-broker1.hostname.com@cloudurable.com"
❖ Set sasl.enabled.mechansim to GSSAPI (Kerberos)
❖ Set inter broker communication to SASL_PLAINTEXT or SASL_SSL
31

™
Tutorial
SASL Kerberos: Configuring Clients for SASL
Kerberos
❖ Sets the connection protocol to SASL_SSL
❖ encrypt with SSL, authenticate with SASL
❖ Sets the service name to Kafka
❖ Sets the sasl.mechanism to Kerberos (GSSAPI)
32

™
Tutorial
Kafka support multiple SASL Providers
❖ Kafka supports more than one SASL provider
33

™
Tutorial
Modifying SASL mechanism in a Running
Cluster
❖ SASL mechanism can be modified in a running cluster using the following sequence:
❖ Enable new SASL mechanism
❖ add mechanism sasl.enabled.mechanisms in Broker Config server.properties
❖ Update JAAS config file to include both mechanisms as describe
❖ Bounce one Kafka Broker at a time
❖ Restart clients using new mechanism.
❖ Change mechanism of inter-broker communication (if this is required), set
sasl.mechanism.inter.broker.protocol in Broker Config server.properties to new
mechanism and bounce Kafka Brokers one at a time
❖ Remove old mechanism (if this is required), remove old mechanism from
sasl.enabled.mechanisms in Broker Config server.properties and remove entries for
old mechanism from JAAS config file, and once again bounce Kafka Broker one at a
time
34

™
Tutorial
Adding ACLs to users
35

™
Tutorial
Kafka and SASL Plain

™
Tutorial
Kafka SASL Plain
❖ SASL/PLAIN
❖ simple username/password authentication mechanism used with TLS for encryption to
implement secure authentication
❖ Kafka supports a default implementation for SASL/PLAIN
❖ Use SASL/PLAIN with SSL only as transport layer
❖ ensures no clear text passwords are not transmitted
❖ Default implementation of SASL/PLAIN in Kafka specifies usernames and passwords in
JAAS conf
❖ To avoid storing passwords on disk, use your own implementation of
javax.security.auth.spi.LoginModule
❖ Or use disk encryption
❖ Use org.apache.kafka.common.security.plain.PlainLoginModule as an example.
37

™
Tutorial
Kafka SASL Plain
❖ In production systems, external authentication servers may implement
password authentication
❖ Kafka brokers can be integrated to work with these servers by adding
your own implementation of javax.security.sasl.SaslServer
❖ Default implementation included in Kafka in the package
org.apache.kafka.common.security.plain can be used as an
example
❖ New JaaS providers must be installed and registered at the JVM level
❖ CLASSPATH or JAVA_HOME/lib/ext
❖ Providers can be registered statically by adding a provider to the security
properties file JAVA_HOME/lib/security/java.security or dynamically
❖ or Dynamic Security.addProvider(new PlainSaslServerProvider());)
38

™
Tutorial
Steps to add Plain SASL via JAAS
❖ Create JAAS config for ZooKeeper add admin user
❖ Modify ZooKeeper properties file add SASL config
❖ Modify ZooKeeper startup script add JAAS config location
❖ Create JAAS config for Kafka Brokers add users (admin, consumer, producer)
❖ Modify Kafka Brokers properties file add SASL config
❖ Modify Kafka Broker startup script add JAAS config location
❖ Create JAAS config for Consumer add user
❖ Modify Consumer createConsumer() add SASL config and JAAS config
location
❖ Create JAAS config for Producer add user
❖ Modify Producer createProducer() add SASL config and JAAS config location
39

™
Tutorial
Create JAAS config for ZooKeeper
❖ To log into ZooKeeper, you would need user admin and kafka-123
❖ Located /opt/kafka/config/security/zookeeper_jass.conf
40

™
Tutorial
Modify ZooKeeper properties file
❖ Use Auth provider org.apache.zookeeper.server.auth.SASLAuthenticationProvider
❖ Require JaaS login via SASL
❖ config/zookeeper.properties
41

™
Tutorial
Modify ZooKeeper startup script
❖ bin/run-zookeeper.sh
❖ Copy JAAS config files to /opt/kafka/config/security
cp -R resources/opt/kafka/conf/security /opt/kafka/conf/
❖ KAFKA_OPTS used by kafka startup scripts to pass extra args to
JVM
42

™
Tutorial
Create JAAS config for Kafka Brokers
❖ /opt/kafka/conf/security/kafka_broker_jaas.conf
❖ Sets up users for admin for zookeeper, and for inter-broker
communication, and sets up users for consumers and producers
43

™
Tutorial
Modify Kafka Brokers Properties File
❖ config/server-2.properties, config/server-1.properties, config/server-0.properties
❖ Enabled SASL support to use PLAIN SASL
❖ Inter-broker communication is using SASL_SSL
❖ Producers and Consumers to use 10092, 10093, 10094 SASL_SSL protocol
44

™
Tutorial
Modify Kafka Broker Startup Script
❖ bin/start-1st-server.sh, bin/start-2nd-server.sh, bin/start-3rd-server.sh
❖ Set location of JaaS using system property java.security.auth.login.config
❖ JaaS file located at /opt/kafka/conf/security/kafka_broker_jaas.conf
❖ Must be copied there
❖ KAFKA_OPTS used by kafka startup scripts to pass extra args to JVM
45

™
Tutorial
Create JAAS config for Consumer
❖ /opt/kafka/conf/security/kafka_consumer_stocks_jaas.c
onf
❖ username is stocks_consumer, and password is
consumer123
❖ this username/password combo used to log into Brokers
46

™
Tutorial
Modify Consumer createConsumer()
❖ Modify Consumer createConsumer() add SASL config and JAAS
config location
47

™
Tutorial
Create JAAS Config for Producer
❖ /opt/kafka/conf/security/kafka_producer_stocks_jaas.conf
❖ username is stocks_producer, and password is producer123
❖ this username/password combo used to log into Kafka Brokers
48

™
Tutorial
Modify Producer createProducer()
❖ Modify Producer createProducer() add SASL config and
JAAS config location
49

™
Tutorial
Kafka and SASL SCRAM

™
Tutorial
SASL SCRAM
❖ SCRAM is Salted Challenge Response Authentication Mechanism
❖ RFC 5802
❖ SASL mechanisms addresses security concerns traditional mechanisms
❖ better than PLAIN and DIGEST-MD5
❖ Kafka supports SCRAM-SHA-256 and SCRAM-SHA-512 can be used
with SSL/TLS to perform secure authentication
❖ Username is used as authenticated Principal for configuration of ACLs
etc.
❖ Default SCRAM implementation stores SCRAM credentials in Zookeeper
51

™
Tutorial
Create SCRAM Users
52
❖ Create users admin, stocks_consumer, stocks_producer store in
ZooKeeper

™
Tutorial
Kafka Broker JAAS Scram Config
❖ Uses Scram for KafkaServer and Plain for ZooKeeper
53

™
Tutorial
Kafka Consumer/Producer JAAS Scram
Config
❖ Use Scram as login credentials
54

™
Tutorial
Configure SCRAM in Producer
❖ Configure SCRAM_SHA_256
55

™
Tutorial
Configure SCRAM in Consumer
❖ Configure SCRAM_SHA_256
56

™
Tutorial
Kafka and SASL SCRAM
❖ Kafka stores SCRAM credentials in Zookeeper
❖ Zookeeper should be on private network
❖ Kafka supports only SHA-256 and SHA-512 with a minimum
iteration count of 4096
❖ Strong hash functions, strong passwords, high iteration counts
protect against brute force attacks
❖ Use SCRAM only with SSL/TLS-encryption to wire snooping
❖ SASL/SCRAM implementation can be overridden using custom
login modules to store outside of ZooKeeper
57

Kafka Tutorial: Kafka Security

More Related Content

What's hot

Similar to Kafka Tutorial: Kafka Security

More from Jean-Paul Azar

Recently uploaded

Kafka Tutorial: Kafka Security

Editor's Notes