{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 ら.Afraid 的问题《Can Kafka be provided with custom LoginModule to s》','https://www.manongdao.com/q-359057.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Kafka can be configured to use several authentication mechanisms: plaintext username/password, Kerberos or SSL. The first 2 use SASL, where there is a JAAS config file required.
For the plain text auth method, the config looks like (taken from the documentation):
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="admin-secret"
user_alice="alice-secret";
};
I want to authenticate if possible using LDAP. My question is this: if I replace the PlainLoginModule with a class that implements LoginModule and place this class in the broker's classpath, can I implement authentication in any manner I wish (i.e. LDAP)?
I cannot use Kerberos in a reasonable fashion because of the way its principals are defined within the organisation where I'm working, hence I wish to use LDAP as I need to support RBAC.
Yes you can provide Kafka with a custom class that implements
LoginModuleand have the authentication logic you want in it.Then update the JAAS file with your class name and make sure it's in the classpath.
You'll need to put some boilerplate code to get everything setup correctly but you can use
PlainLoginModule,PlainSaslServerProvider,PlainSaslServerFactoryandPlainSaslServeras examples.Your
LoginModuleclass should have the same logic asPlainLoginModulebut instead initialize yourProviderimplementation (in the static block).Your
Providerclass should have the same logic asPlainSaslServerProviderbut instead reference yourSaslServerFactoryimplementation.Your
SaslFactoryclass should again have the same logic asPlainSaslServerFactorybut create an instance of yourSaslServerimplementation.Finally your
SaslServerclass should implement the necessary LDAP logic in itsevaluateResponse()method. Just be sure to set correctly setthis.authorizationIdas this will become the user principal and setcompletetotrue(likePlainSaslServer.evaluateResponse()does)