Enabling one way TLS authentication in Kafka

Hi Team,

I have a question regarding enabling one-way TLS authentication. How do we achieve this, and what change do we need in the Kafka CR?

Let's say I want to test producing messages on a particular topic on the internal bootstrap with 9093. Do I need to disable the following configuration and then call the producer.sh using only the Cluster CA crt? Is this called 1-way TLS authentication?

tls:
  authentication:
    type: tls

./bin/kafka-console-producer.sh --broker-list mm-backup-cluster-kafka-bootstrap:9093 --topic mm-src-cluster.mm2-topic \
--producer-property security.protocol=SSL \
--producer-property ssl.truststore.type=PKCS12 \
--producer-property ssl.truststore.password=123456 \
--producer-property ssl.truststore.location=/tmp/certs/cluster.truststore.p12 

Need your inputs and help here.

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:9 (3 by maintainers)

Top GitHub Comments

2 reactions
vperi1730 commented, Jul 3, 2020

I have another question here. After enabling tls: {}, I am now able to hit the request with the ANONYMOUS user. However, one of the issues I see is that ANONYMOUS doesn't have access to a particular topic.

Question is, do we need to manually add the ACLs for the ANONYMOUS user, or are they enabled by default?

 ./bin/kafka-console-producer.sh --broker-list mm-backup-cluster-kafka-bootstrap:9093 --topic mm-src-cluster.mm2-topic \
> --producer-property security.protocol=SSL \
> --producer-property ssl.truststore.type=PKCS12 \
> --producer-property ssl.truststore.password=123456 \
> --producer-property ssl.truststore.location=/tmp/certs/cluster.truststore.p12
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
>ok
[2020-07-03 06:39:11,222] WARN [Producer clientId=console-producer] Error while fetching metadata with correlation id 3 : {mm-src-cluster.mm2-topic=TOPIC_AUTHORIZATION_FAILED} (org.apache.kafka.clients.NetworkClient)
[2020-07-03 06:39:11,223] ERROR [Producer clientId=console-producer] Topic authorization failed for topics [mm-src-cluster.mm2-topic] (org.apache.kafka.clients.Metadata)
[2020-07-03 06:39:11,224] ERROR Error when sending message to topic mm-src-cluster.mm2-topic with key: null, value: 2 bytes with error: (org.apache.kafka.clients.producer.internals.ErrorLoggingCallback)
org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [mm-src-cluster.mm2-topic]

Here is my ACL list, which doesn't show any ANONYMOUS entries.

./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=127.0.0.1:2181 --list
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Current ACLs for resource `Topic:LITERAL:*`:
        User:CN=client-producer-user has Allow permission for operations: Read from hosts: *
        User:CN=client-producer-user has Allow permission for operations: Write from hosts: *
        User:CN=client-producer-user has Allow permission for operations: Create from hosts: *
        User:CN=mm02-prod-user has Allow permission for operations: Write from hosts: *
        User:CN=mm02-prod-user has Allow permission for operations: Describe from hosts: *
        User:CN=mm02-prod-user has Allow permission for operations: Create from hosts: *
        User:CN=client-consumer-user has Allow permission for operations: Write from hosts: *
        User:CN=client-producer-user has Allow permission for operations: Describe from hosts: *
        User:CN=mm02-prod-user has Allow permission for operations: Read from hosts: *
        User:CN=client-consumer-user has Allow permission for operations: Read from hosts: *
        User:CN=client-consumer-user has Allow permission for operations: Describe from hosts: *
        User:CN=client-consumer-user has Allow permission for operations: Create from hosts: *

Current ACLs for resource `Group:LITERAL:connect-cluster`:
        User:CN=client-consumer-user has Allow permission for operations: All from hosts: *
        User:CN=mm02-prod-user has Allow permission for operations: Describe from hosts: *

  1. For disabling TLS on external, does the following configuration look correct?

external:
  tls: false
  type: loadbalancer
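
The TOPIC_AUTHORIZATION_FAILED above is what Kafka's AclAuthorizer returns when no ACL grants the operation to the principal, and an unauthenticated client on a TLS-without-client-auth listener is the principal User:ANONYMOUS. The script below is an added example, not part of the issue or of Strimzi: it parses the `kafka-acls.sh --list` output format shown above and applies the authorizer's decision rules (super.users bypass ACLs; Deny beats Allow; Allow may come from the operation itself, from All, or from an operation that implies it, since Read/Write/Delete/Alter imply Describe; allow.everyone.if.no.acl.found only applies when no ACL at all exists on the resource). The sample listing is constructed from the entries above plus a PREFIXED resource and a Deny entry that are not on the page; host matching is the plain exact-or-wildcard comparison.

```python
"""Explain Kafka ACL decisions from a `kafka-acls.sh --list` dump (added example)."""
import re
from dataclasses import dataclass

# Constructed sample in the format kafka-acls.sh --list prints, based on the listing in
# the comment above, with a PREFIXED resource and a Deny entry added to exercise those paths.
SAMPLE_ACL_LISTING = """\
Current ACLs for resource `Topic:LITERAL:*`:
        User:CN=client-producer-user has Allow permission for operations: Read from hosts: *
        User:CN=client-producer-user has Allow permission for operations: Write from hosts: *
        User:CN=mm02-prod-user has Allow permission for operations: Write from hosts: *

Current ACLs for resource `Group:LITERAL:connect-cluster`:
        User:CN=client-consumer-user has Allow permission for operations: All from hosts: *

Current ACLs for resource `Topic:PREFIXED:mm-src-cluster.`:
        User:CN=mirror-user has Allow permission for operations: Describe from hosts: *
        User:CN=mirror-user has Deny permission for operations: Write from hosts: *
"""

RESOURCE_RE = re.compile(r"^Current ACLs for resource `([^:]+):([^:]+):(.+)`:\s*$")
ENTRY_RE = re.compile(
    r"^\s*(\S+) has (Allow|Deny) permission for operations: (\w+) from hosts: (\S+)\s*$")

# An Allow on one of these operations also satisfies the key operation (AclAuthorizer rule).
IMPLIED_BY = {"Describe": {"Read", "Write", "Delete", "Alter"},
              "DescribeConfigs": {"AlterConfigs"}}


@dataclass(frozen=True)
class Acl:
    resource_type: str   # Topic, Group, Cluster, TransactionalId
    pattern_type: str    # LITERAL or PREFIXED
    resource_name: str
    principal: str       # e.g. User:CN=client-producer-user or User:ANONYMOUS
    permission: str      # Allow or Deny
    operation: str       # Read, Write, Describe, ..., All
    host: str


def parse_acl_listing(text):
    """Turn the --list text into Acl records; entries belong to the last resource header seen."""
    acls, resource = [], None
    for line in text.splitlines():
        m = RESOURCE_RE.match(line)
        if m:
            resource = m.groups()
            continue
        m = ENTRY_RE.match(line)
        if m and resource:
            acls.append(Acl(*resource, *m.groups()))
    return acls


def resource_matches(acl, resource_type, resource_name):
    """LITERAL matches exactly or via the '*' wildcard; PREFIXED matches by name prefix."""
    if acl.resource_type != resource_type:
        return False
    if acl.pattern_type == "LITERAL":
        return acl.resource_name in ("*", resource_name)
    return acl.pattern_type == "PREFIXED" and resource_name.startswith(acl.resource_name)


def authorize(acls, principal, operation, resource_type, resource_name, host="*",
              super_users=(), allow_everyone_if_no_acl_found=False):
    """Return (allowed, reason) following the AclAuthorizer evaluation order."""
    if principal in super_users:
        return True, f"{principal} is in super.users"
    on_resource = [a for a in acls if resource_matches(a, resource_type, resource_name)]
    if not on_resource:
        if allow_everyone_if_no_acl_found:
            return True, "no ACL on resource and allow.everyone.if.no.acl.found=true"
        return False, f"no ACL on {resource_type}:{resource_name}"
    mine = [a for a in on_resource
            if a.principal in (principal, "User:*") and a.host in ("*", host)]
    for a in mine:  # Deny is checked first and only for the exact operation or All
        if a.permission == "Deny" and a.operation in ("All", operation):
            return False, f"explicit Deny: {a.operation} on {a.pattern_type}:{a.resource_name}"
    allow_ops = {operation, "All"} | IMPLIED_BY.get(operation, set())
    for a in mine:
        if a.permission == "Allow" and a.operation in allow_ops:
            return True, f"Allow: {a.operation} on {a.pattern_type}:{a.resource_name}"
    return False, f"no Allow ACL grants {operation} to {principal}"


if __name__ == "__main__":
    acls = parse_acl_listing(SAMPLE_ACL_LISTING)
    for who in ("User:ANONYMOUS", "User:CN=client-producer-user"):
        print(who, authorize(acls, who, "Write", "Topic", "mm-src-cluster.mm2-topic"))
```

Running it reproduces the situation in the comment: the producer's principal is User:ANONYMOUS, the Topic:LITERAL:* ACLs only name the CN principals, so the Write is refused; switching the producer to a keystore for one of the listed users (mutual TLS) or adding ACLs for the ANONYMOUS principal are the two ways the decision changes. The allow_everyone_if_no_acl_found flag also shows why that broker setting is risky: it only fires on resources with no ACL at all, so a Group with no ACLs becomes open to every principal.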

0 reactions
alokhom commented, Aug 27, 2020

Kafka spec

apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
metadata:
  creationTimestamp: '2020-08-25T14:38:29Z'
  generation: 11
  name: my-cluster
  namespace: kafka
  resourceVersion: '2334765'
  selfLink: /apis/kafka.strimzi.io/v1beta1/namespaces/kafka/kafkas/my-cluster
  uid: 984954e3-0c68-4ea0-a9e0-0d9e8f55f4a6
spec:
  entityOperator:
    topicOperator:
      reconciliationIntervalSeconds: 90
    userOperator:
      reconciliationIntervalSeconds: 120
  kafka:
    authorization:
      type: simple
    config:
      log.message.format.version: '2.5'
      offsets.topic.replication.factor: 3
      transaction.state.log.min.isr: 2
      transaction.state.log.replication.factor: 3
    listeners:
      external:
        authentication:
          type: tls
        overrides:
          bootstrap:
            host: bootstrap.apps.kafka.cluster42.openshift-enfo.se
          brokers:
            - broker: 0
              host: broker-0.apps.kafka.cluster42.openshift-enfo.se
            - broker: 1
              host: broker-1.apps.kafka.cluster42.openshift-enfo.se
            - broker: 2
              host: broker-2.apps.kafka.cluster42.openshift-enfo.se
        type: route
      plain:
        authentication:   # the original post spells this key "authentiation", which is not a recognized key; corrected here
          type: scram-sha-512
      tls:
        authentication:   # same misspelling in the original post; corrected here
          type: tls
    replicas: 3
    storage:
      class: rook-ceph-block
      size: 20Gi
      type: persistent-claim
    version: 2.5.0
  zookeeper:
    replicas: 3
    storage:
      type: ephemeral

Kafka Topic spec

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaTopic
metadata:
  creationTimestamp: '2020-08-25T14:41:13Z'
  generation: 1
  labels:
    strimzi.io/cluster: my-cluster
  name: my-topic
  namespace: kafka
  resourceVersion: '1468960'
  selfLink: /apis/kafka.strimzi.io/v1beta1/namespaces/kafka/kafkatopics/my-topic
  uid: 52d65111-ba4f-49ad-bb56-1db93b35d60b
spec:
  config:
    retention.ms: 604800000
    segment.bytes: 1073741824
  partitions: 10
  replicas: 3

KafkaUser spec

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  creationTimestamp: '2020-08-26T20:03:09Z'
  generation: 3
  labels:
    strimzi.io/cluster: my-cluster
  name: my-user
  namespace: kafka
  resourceVersion: '2336125'
  selfLink: /apis/kafka.strimzi.io/v1beta1/namespaces/kafka/kafkausers/my-user
  uid: ecab2527-000a-47cb-bae8-e24f31bd2406
spec:
  authentication:
    type: tls
  authorization:
    acls:
      - host: '*'
        operation: Read
        resource:
          name: my-topic
          patternType: literal
          type: topic
      - host: '*'
        operation: Describe
        resource:
          name: my-topic
          patternType: literal
          type: topic
      - host: '*'
        operation: Read
        resource:
          name: my-group
          patternType: literal
          type: group
      - host: '*'
        operation: Write
        resource:
          name: my-topic
          patternType: literal
          type: topic
      - host: '*'
        operation: Create
        resource:
          name: my-topic
          patternType: literal
          type: topic
      - host: '*'
        operation: Describe
        resource:
          name: my-topic
          patternType: literal
          type: topic
    type: simple

I applied TLS on external and internal listeners. I extracted the CA.cert to make a truststore, and I extracted the user.p12 and user.password to make the keystore. I used groupID my-group for the Kafka Consumer to read data from topic my-user. It works now to use an external Camel route application to connect to an OpenShift Strimzi!!!

Request: It would be great if you provided a portal for Strimzi from the operator which:

  1. could show us data in the topics
  2. help configure/select the CA/User files from the namespace
  3. check the ZK
  4. provide a console that would help run the Kafka CLI commands like listing ACLs, etc., and other Kafka commands
  5. give us realtime/basic/5 min old analytics
  6. add/remove brokers and make it easier for non-Kafka technicians to do some day-2 operations, etc.
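
The original question (what one-way TLS looks like in the Kafka CR) and the spec in this comment (where the authentication key is misspelled on two listeners) both come down to reading the listeners block correctly. The script below is an added example, not code from the issue or from Strimzi: it classifies each v1beta1 listener as plaintext, one-way TLS or mutual TLS, reports the client-authentication type, flags keys the schema does not know (a misspelled key is silently ignored, which leaves that listener without client authentication), and notes the consequence of an unauthenticated listener depending on whether an authorizer is configured. The set of known listener keys and the rule that route and ingress external listeners are always TLS are assumptions about the v1beta1 schema, and the CR is a constructed dict mirroring the shapes in this thread.

```python
"""Audit the listeners of a Strimzi v1beta1 Kafka CR for transport and client-auth mode."""
import difflib

# Listener keys accepted by the v1beta1 schema (assumed subset, enough for this audit).
KNOWN_LISTENER_KEYS = {
    "plain": {"authentication", "networkPolicyPeers"},
    "tls": {"authentication", "networkPolicyPeers", "configuration"},
    "external": {"type", "tls", "authentication", "overrides", "configuration",
                 "networkPolicyPeers"},
}
ALWAYS_TLS_EXTERNAL_TYPES = {"route", "ingress"}  # assumed: these cannot set tls: false

# Constructed CR mirroring this thread: the misspelled key on the plain/tls listeners,
# a route-based external listener with mTLS, and simple authorization turned on.
SAMPLE_KAFKA_CR = {
    "apiVersion": "kafka.strimzi.io/v1beta1",
    "kind": "Kafka",
    "metadata": {"name": "my-cluster"},
    "spec": {"kafka": {
        "authorization": {"type": "simple"},
        "listeners": {
            "plain": {"authentiation": {"type": "scram-sha-512"}},
            "tls": {"authentiation": {"type": "tls"}},
            "external": {"type": "route", "authentication": {"type": "tls"}},
        },
    }},
}


def classify_listener(name, listener, authorization_enabled):
    """Describe one listener: transport, authentication type, readable mode, findings."""
    listener = listener or {}  # `tls: {}` and a bare `tls:` both mean "no options"
    known = KNOWN_LISTENER_KEYS.get(name, set())
    findings = []
    for key in listener:  # unknown keys are ignored by the operator, so surface them
        if key not in known:
            msg = f"unknown key '{key}' is ignored"
            hint = difflib.get_close_matches(key, sorted(known), n=1)
            if hint:
                msg += f" (did you mean '{hint[0]}'?)"
            findings.append(msg)
    if name == "plain":
        transport = "plaintext"
    elif name == "tls":
        transport = "tls"
    else:
        tls_on = listener.get("type") in ALWAYS_TLS_EXTERNAL_TYPES or listener.get("tls", True)
        transport = "tls" if tls_on else "plaintext"
    auth = (listener.get("authentication") or {}).get("type")
    if transport == "tls" and auth == "tls":
        mode = "mutual TLS: broker requests a client certificate; principal User:CN=<user>"
    elif transport == "tls":
        mode = "one-way TLS: client verifies the broker certificate only"
        if auth:
            mode += f"; client authenticates with {auth}"
    else:
        mode = "plaintext" + (f"; client authenticates with {auth}" if auth else "")
    if auth is None:
        if authorization_enabled:
            findings.append("no client authentication: clients are authorized as "
                            "User:ANONYMOUS, which has no ACLs unless you grant them")
        else:
            findings.append("no client authentication and no authorizer: any client "
                            "reaching this listener has full access")
    return {"listener": name, "transport": transport, "authentication": auth,
            "mode": mode, "findings": findings}


def audit_kafka_cr(cr):
    """Classify every listener in the CR; returns {listener name: classification}."""
    kafka = cr["spec"]["kafka"]
    authz = bool((kafka.get("authorization") or {}).get("type"))
    return {name: classify_listener(name, spec, authz)
            for name, spec in (kafka.get("listeners") or {}).items()}


if __name__ == "__main__":
    for name, result in audit_kafka_cr(SAMPLE_KAFKA_CR).items():
        print(f"{name}: {result['mode']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

On the constructed CR the external listener comes out as mutual TLS with no findings, while plain and tls both report the ignored key with a spelling suggestion and, because authorization is simple, the User:ANONYMOUS consequence. Passing `{}` for the tls listener reproduces the one-way TLS setup from the earlier comment, and an external loadbalancer with `tls: false` (the configuration asked about above) is reported as plaintext.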