Kafka can be configured to use several authentication mechanisms: plaintext username/password, Kerberos or SSL. The first two use SASL, which requires a JAAS config file.
For the plain text auth method, the config looks like this (taken from the documentation):
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="admin-secret"
user_alice="alice-secret";
};
I want to authenticate if possible using LDAP. My question is this: if I replace the PlainLoginModule with a class that implements LoginModule and place this class in the broker's classpath, can I implement authentication in any manner I wish (i.e. LDAP)?
I cannot use Kerberos in a reasonable fashion because of the way its principals are defined within the organisation where I'm working, hence I wish to use LDAP as I need to support RBAC.
Yes, you can provide Kafka with a custom class that implements LoginModule and have the authentication logic you want in it. Then update the JAAS file with your class name and make sure it's in the classpath.

You'll need to put in some boilerplate code to get everything set up correctly, but you can use PlainLoginModule, PlainSaslServerProvider, PlainSaslServerFactory and PlainSaslServer as examples.

Your LoginModule class should have the same logic as PlainLoginModule but instead initialize your Provider implementation (in the static block).

Your Provider class should have the same logic as PlainSaslServerProvider but instead reference your SaslServerFactory implementation.

Your SaslFactory class should again have the same logic as PlainSaslServerFactory but create an instance of your SaslServer implementation.

Finally, your SaslServer class should implement the necessary LDAP logic in its evaluateResponse() method. Just be sure to correctly set this.authorizationId, as this will become the user principal, and set complete to true (like PlainSaslServer.evaluateResponse() does).
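The four-class chain described in the answer (LoginModule → Provider → SaslServerFactory → SaslServer), written out as an added example; this is neither Kafka's own code nor the answerer's. It keeps the mechanism name "PLAIN" and the RFC 4616 wire format so unmodified Kafka clients can keep using the standard PLAIN client module, and registers the provider at position 1 on the assumption that Sasl.createSaslServer takes the first provider offering the mechanism. The package name, the ldap.url and ldap.user.dn.format system properties, the DN template and the username character whitelist are all assumptions for illustration; the bind is a simple LDAP bind over JNDI, with the empty-password case rejected explicitly because many directories treat an empty password as a successful anonymous bind.

```java
package com.example.kafka.ldap; // hypothetical package name (assumption)

import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Map;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;

/** JAAS LoginModule referenced from the KafkaServer section; like PlainLoginModule, its static block registers the provider. */
public class LdapLoginModule implements LoginModule {
    /** Same mechanism name and wire format as PLAIN, so standard Kafka clients need no change. */
    public static final String MECHANISM = "PLAIN";

    static { LdapProvider.initialize(); }

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) { }
    @Override public boolean login()  { return true; }
    @Override public boolean commit() { return true; }
    @Override public boolean abort()  { return false; }
    @Override public boolean logout() { return true; }

    /** JCA provider mapping the mechanism name to the factory below (cf. PlainSaslServerProvider). */
    public static class LdapProvider extends Provider {
        public LdapProvider() {
            super("LDAP SASL server provider", "1.0", "SASL/PLAIN server backed by LDAP"); // String ctor: Java 9+
            put("SaslServerFactory." + MECHANISM, Factory.class.getName());
        }
        // Position 1 so this provider is consulted before Kafka's built-in PLAIN provider (assumption: first match wins).
        static void initialize() { Security.insertProviderAt(new LdapProvider(), 1); }
    }

    /** Factory creating the LDAP-backed server (cf. PlainSaslServerFactory). */
    public static class Factory implements SaslServerFactory {
        @Override public SaslServer createSaslServer(String mechanism, String protocol, String serverName,
                                                     Map<String, ?> props, CallbackHandler cbh) throws SaslException {
            if (!MECHANISM.equals(mechanism)) throw new SaslException("Unsupported mechanism: " + mechanism);
            return new LdapSaslServer();
        }
        @Override public String[] getMechanismNames(Map<String, ?> props) { return new String[] { MECHANISM }; }
    }

    /** SaslServer whose evaluateResponse() verifies the PLAIN credentials with an LDAP simple bind. */
    public static class LdapSaslServer implements SaslServer {
        // Whitelist (assumption): characters that cannot alter DN syntax, so the DN built below needs no escaping.
        private static final Pattern SAFE_USER = Pattern.compile("[A-Za-z0-9._-]{1,64}");
        private boolean complete;
        private String authorizationId;

        @Override public byte[] evaluateResponse(byte[] response) throws SaslException {
            // RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd
            String[] parts = new String(response, StandardCharsets.UTF_8).split("\u0000", -1);
            if (parts.length != 3) throw new SaslException("Invalid SASL/PLAIN response");
            String authzid = parts[0], user = parts[1], password = parts[2];
            if (!SAFE_USER.matcher(user).matches()) throw new SaslException("Invalid username");
            // Reject before binding: an empty password is an anonymous bind on many directories (RFC 4513 5.1.2).
            if (password.isEmpty()) throw new SaslException("Empty password");
            if (!authzid.isEmpty() && !authzid.equals(user))
                throw new SaslException("Authorization id must match the authenticated user");
            ldapBind(user, password);
            this.authorizationId = user; // becomes the Kafka user principal
            this.complete = true;
            return new byte[0];
        }

        /** Simple bind as the user's DN; a successful bind proves the password. */
        private static void ldapBind(String user, String password) throws SaslException {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // ldap.url and ldap.user.dn.format are assumed system properties set on the broker JVM.
            env.put(Context.PROVIDER_URL, System.getProperty("ldap.url", "ldaps://ldap.example.com:636"));
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, String.format(
                    System.getProperty("ldap.user.dn.format", "uid=%s,ou=people,dc=example,dc=com"), user));
            env.put(Context.SECURITY_CREDENTIALS, password);
            try {
                new InitialDirContext(env).close();
            } catch (NamingException e) {
                // One generic message for unknown user and wrong password, so failures do not enumerate accounts.
                throw new SaslException("LDAP authentication failed");
            }
        }

        @Override public String getMechanismName() { return MECHANISM; }
        @Override public boolean isComplete() { return complete; }
        @Override public String getAuthorizationID() { return authorizationId; }
        @Override public Object getNegotiatedProperty(String name) {
            if (!complete) throw new IllegalStateException("Authentication exchange has not completed");
            return null;
        }
        @Override public byte[] unwrap(byte[] in, int off, int len) {
            if (!complete) throw new IllegalStateException("Authentication exchange has not completed");
            return Arrays.copyOfRange(in, off, off + len);
        }
        @Override public byte[] wrap(byte[] out, int off, int len) {
            if (!complete) throw new IllegalStateException("Authentication exchange has not completed");
            return Arrays.copyOfRange(out, off, off + len);
        }
        @Override public void dispose() { }
    }
}
```

With the jar on the broker classpath, the KafkaServer section of the JAAS file would contain only `com.example.kafka.ldap.LdapLoginModule required;` (the `user_...` entries from the PLAIN example are no longer needed, since passwords now live in the directory), and the broker keeps `sasl.enabled.mechanisms=PLAIN` on a SASL_SSL listener so the password never crosses the wire unencrypted. Kafka's own PlainSaslServer throws org.apache.kafka.common.errors.SaslAuthenticationException on bad credentials, which gives clients a clearer error than the checked SaslException used here; either one fails the handshake.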