
Using SASL with librdkafka

Magnus Edenhill edited this page Nov 15, 2015 · 20 revisions

Scope (WIP - NOT FINISHED, read something else)

This short tutorial outlines the steps required to:

  1. Set up a simple Kerberos key distribution center (KDC)
  2. Create keytabs
  3. Configure Kafka brokers for SASL authentication of clients
  4. Configure a librdkafka based client for SASL authentication

If Kerberos infrastructure is already in place, jump to step 2.

Note: This guide assumes you have a Debian/Ubuntu system. Other operating systems and distributions will have the same packages, but names and paths may be different.

#Overview

Kerberos keytabs (file-based pre-authenticated keys) are created for each broker in the cluster as well as for each client. The keytabs are distributed to the broker and client nodes respectively.

Decide on the following things:

  • REALM - Your Kerberos realm, typically your operational domain in upper case, e.g., CONFLUENT.IO
  • KDC_HOST - Host where Kerberos runs; for simplicity we'll run it on the Kafka broker host, e.g., broker1.
  • SERVICENAME - The Kerberos service name; the service is Kafka, so I suggest you use kafka.
  • BROKER_HOST - Broker hostname, e.g., broker1. Quantify as necessary.
  • CLIENT_HOST - Client hostname, i.e., where the client application runs, e.g., client1. Quantify as necessary.

#1. Set up Kerberos

NOTE: I strongly suggest reading Ubuntu's Kerberos guide.

Install the Kerberos server:

```
sudo apt-get install krb5-kdc krb5-admin-server
```

Answer the questions accordingly:

  • Default Kerberos version 5 realm: insert your REALM.
  • Kerberos servers for your realm: insert your KDC_HOST.
  • Administrative server for your Kerberos realm: insert your KDC_HOST.
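
A way to confirm that the three answers above ended up in the Kerberos client configuration, as an added example that is not part of the original guide. It assumes the Debian/Ubuntu packages write the answers to /etc/krb5.conf; the function names are hypothetical and the sample file is constructed from the example values in the overview (CONFLUENT.IO, broker1).

```shell
#!/bin/sh
# Added example, not part of the original guide.

# Constructed sample of /etc/krb5.conf for REALM=CONFLUENT.IO, KDC_HOST=broker1.
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = CONFLUENT.IO

[realms]
    CONFLUENT.IO = {
        kdc = broker1
        admin_server = broker1
    }
EOF
}

# check_krb5_conf FILE REALM KDC_HOST (hypothetical helper name)
# Returns 0 when default_realm, kdc and admin_server match, 1 otherwise.
check_krb5_conf() {
    awk -v realm="$2" -v kdc="$3" '
        # Value right of "=", with an optional :port suffix removed.
        function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/:[0-9]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }                      # comment line
        { gsub(/^[ \t]+|[ \t]+$/, "") }             # trim whitespace
        /^\[/ { section = $0; in_realm = 0; next }  # [libdefaults], [realms], ...
        section == "[libdefaults]" && /^default_realm[ \t]*=/ { def = val($0) }
        section == "[realms]" && /=[ \t]*[{]/ {     # "REALM = {" opens a realm block
            name = $0; sub(/[ \t]*=.*/, "", name)
            in_realm = (name == realm); next        # realm names are case-sensitive
        }
        /^[}]/ { in_realm = 0; next }
        in_realm && /^kdc[ \t]*=/ && val($0) == kdc { kdc_ok = 1 }
        in_realm && /^admin_server[ \t]*=/ && val($0) == kdc { adm_ok = 1 }
        END {
            if (realm != toupper(realm)) { print "realm not upper case: " realm; bad = 1 }
            if (def != realm) { print "default_realm is \"" def "\", expected " realm; bad = 1 }
            if (!kdc_ok) { print "no kdc = " kdc " in realm " realm; bad = 1 }
            if (!adm_ok) { print "no admin_server = " kdc " in realm " realm; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Demo on the constructed sample; point it at /etc/krb5.conf on a real host.
tmp=$(mktemp) && sample_krb5_conf > "$tmp"
check_krb5_conf "$tmp" CONFLUENT.IO broker1 && echo "krb5.conf matches the answers"
rm -f "$tmp"
```

A lower-case realm or a KDC host that differs from the one entered at the prompt makes the check fail with a message naming the mismatched setting.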

#2. Create keytabs / cached authentication

#3. Configure Kafka broker

#4. Configure Kafka client

#5. Action