No support for security #70
Comments
I would like to throw my hat in for SSL support. It would be great if it could be integrated.
Sorry, not close to this topic anymore, but there are plenty of examples online around Kerberos, plaintext, SASL and SSL. Sincerely.
@fgeller I am specifically interested in the SSL configuration. The wurstmeister/kafka image has a mention of the SSL configuration here, but it doesn't go into the details of setting it up. I am mainly familiar with Kafka from a consumer standpoint and don't have a whole lot of experience setting up the brokers. The Kafka documentation tells you which configs you need to specify.
Now I am closer than ever... https://github.com/orefalo/docker-kafka-ssl
I've used this tls branch of a The We've talked on my team about submitting a PR for this but have struggled with how to implement tests that are valid.
+1 for this feature, it's hard to use in production without this.
If you're using JKS you can try my fork: https://github.com/tsjnsn/kt

```sh
# JKS
$ kt consume -verbose -topic test -offsets oldest -keystore keystore.jks -keypass somepassword -keyalias clientCertAlias -caalias authorityAlias -brokers broker1:9092

# PEM
$ kt consume -verbose -topic test -offsets oldest -key keystore.pem -cert ca.crt -brokers broker1:9092
```

Still needs some work before a PR though
https://github.com/confluentinc/cp-demo gives a docker-compose that comes up with security enabled. This can be used quickly as a basis for testing security configurations against kt
linking #86
Hey everyone, quick update: @rwaweber implemented functionality to use TLS to encrypt the connection to brokers, cf. #86, and thanks again @rwaweber :) I had some time to read up on the different auth mechanisms that Kafka and sarama support and would like to proceed like this:

```json
{ "type": "TLS", "key": "/path/to/key", "ca": "/path/to/ca", "certificate": "/path/to/cert" }
```

Keen to get feedback as always
Hi @fgeller, good job! Really like kt, it's neat. Unfortunately, in my company we don't use passwords. We use 2-way SSL, IT security policy! Sincerely,
Hi @orefalo - glad it's a tool that helps :) Could you provide a code snippet, preferably in Go [using sarama], that shows how you authenticate a client?
Cheers @tsjnsn! That looks a lot like what we're doing at the moment thanks to @rwaweber: setupCerts - besides the key store handling above the line that you link, or am I missing something?
I am afraid I don't code in Go. I use your tool from the command line ;-) My stuff is here… It generates the keys, stands up a server and has Java and node.js clients. I guess Go will use a similar configuration to node.js (no Java-specific JKS stuff). Oli
@orefalo fair enough :) should be able to read the node.js bits - will give that a go tomorrow, cheers!
For all that are interested in using the tool to securely consume from a topic, here is a quick one-liner that will consume from the topic
I would also recommend this issue be
Also another resource on how to build certificates, if you want to test: Reference: How to generate self-signed certificates
It's working like a charm :) I just wish we could have env vars for those too 👍
this breaks the existing UI for auth, replacing the former tlsCA, tlsCert, tlsCertKey arguments with a single JSON configuration file that will allow a single interface when adding more auth methods and makes support for configuration via ENV variables easier.

```sh
# for example:
$ kt topic -tlsca x -tlscert y -tlscertkey z
# becomes
$ kt topic -auth auth.json
$ cat auth.json
{
  "mode": "TLS",
  "ca-certificate": "x",
  "client-certificate": "y",
  "client-certificate-key": "z"
}
```

Co-Authored-By: Enrique J. Hernández <enrique@heetch.com>
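To make the auth.json layout above concrete, and because a Go/sarama snippet showing how a client authenticates was asked for earlier in this thread, here is an added example. It is my own illustration, not kt's code and not @rwaweber's setupCerts. It parses an auth.json with the mode, ca-certificate, client-certificate and client-certificate-key keys from the commit message, builds the client-side *tls.Config, and then exercises it against a loopback TLS listener configured the way a Kafka broker with ssl.client.auth=required behaves: once with the client certificate (the 2-way SSL case mentioned above) and once with a CA-only file, which the listener rejects. The function names (LoadTLSConfig, WriteTestPKI, MutualTLSHandshake), the self-signed test certificate that doubles as CA, broker and client certificate, and the auth-noclientcert.json file name are all my assumptions. Only the Go standard library is used; in kt the returned config would be handed to sarama separately via config.Net.TLS.Enable and config.Net.TLS.Config.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"os"
	"path/filepath"
	"time"
)

// AuthConfig mirrors the auth.json layout from the commit message above (assumed struct name).
type AuthConfig struct {
	Mode    string `json:"mode"`
	CA      string `json:"ca-certificate"`
	Cert    string `json:"client-certificate"`
	CertKey string `json:"client-certificate-key"`
}

// LoadTLSConfig reads auth.json and builds the client-side *tls.Config (the value a
// sarama client assigns to config.Net.TLS.Config). An unknown mode is an error, never
// a silent fallback to plaintext. The client certificate is optional (one-way TLS),
// but a broker with ssl.client.auth=required rejects a client that omits it.
func LoadTLSConfig(path string) (*tls.Config, error) {
	var a AuthConfig
	if raw, err := os.ReadFile(path); err != nil {
		return nil, err
	} else if err := json.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	if a.Mode != "TLS" {
		return nil, fmt.Errorf("unsupported auth mode %q", a.Mode)
	}
	// A fresh pool: only the broker CA is trusted, not the system roots.
	cfg := &tls.Config{RootCAs: x509.NewCertPool(), MinVersion: tls.VersionTLS12}
	if caPEM, err := os.ReadFile(a.CA); err != nil {
		return nil, err
	} else if !cfg.RootCAs.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no CA certificate found in %s", a.CA)
	}
	if a.Cert != "" || a.CertKey != "" {
		pair, err := tls.LoadX509KeyPair(a.Cert, a.CertKey)
		if err != nil {
			return nil, err
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

// WriteTestPKI writes a throwaway self-signed P-256 certificate for 127.0.0.1 into dir
// as ca.crt, client.crt and client.key, plus auth.json (mutual TLS) and
// auth-noclientcert.json (CA only). One certificate plays CA, broker and client here
// purely to keep the fixture short; real deployments issue separate CA-signed leaves.
func WriteTestPKI(dir string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kt-test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, IsCA: true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	ca := filepath.Join(dir, "ca.crt")
	mutual, _ := json.Marshal(AuthConfig{Mode: "TLS", CA: ca,
		Cert: filepath.Join(dir, "client.crt"), CertKey: filepath.Join(dir, "client.key")})
	oneWay, _ := json.Marshal(AuthConfig{Mode: "TLS", CA: ca})
	files := map[string][]byte{"ca.crt": certPEM, "client.crt": certPEM, "client.key": keyPEM,
		"auth.json": mutual, "auth-noclientcert.json": oneWay}
	for name, data := range files {
		if err := os.WriteFile(filepath.Join(dir, name), data, 0o600); err != nil {
			return err
		}
	}
	return nil
}

// MutualTLSHandshake starts a loopback listener that demands a client certificate
// chained to ca.crt (the broker side of 2-way SSL), dials it with the config loaded
// from authPath and returns the server-side handshake result.
func MutualTLSHandshake(dir, authPath string) error {
	broker, err := LoadTLSConfig(filepath.Join(dir, "auth.json")) // same files, reused as the listener's identity
	if err != nil {
		return err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: broker.Certificates, ClientCAs: broker.RootCAs,
		ClientAuth:   tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		srvErr <- err
	}()
	client, err := LoadTLSConfig(authPath)
	if err != nil {
		return err
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return err
	}
	defer conn.Close()
	return <-srvErr
}

func main() {
	dir, _ := os.MkdirTemp("", "kt-auth")
	defer os.RemoveAll(dir)
	if err := WriteTestPKI(dir); err != nil {
		panic(err)
	}
	fmt.Println("mutual TLS:", MutualTLSHandshake(dir, filepath.Join(dir, "auth.json")))
	fmt.Println("no client cert:", MutualTLSHandshake(dir, filepath.Join(dir, "auth-noclientcert.json")))
}
```

Running it prints a nil error for the first handshake and the listener's rejection for the second, which is exactly what a broker with ssl.client.auth=required does to a kt configured for one-way TLS. Two details are worth keeping when adapting this: an unrecognised mode fails closed instead of falling back to plaintext, and the CA pool is built fresh from ca-certificate rather than from the system roots, so a certificate from an unrelated CA cannot pass as the broker.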
Hey all - it's been a while, sorry again for the delay. I have been a full-time dad for the past 2.5 years and only recently resumed work on my GitHub projects. I've finally gotten around to setting up the system tests such that we have some automated testing for the authentication features, and that allowed me to apply the changes I mentioned in the above comment more confidently. Let me know if you run into any trouble by creating an issue with details please. Also, if you are looking for a different authentication mechanism, please create a GitHub issue with details - or add a pull request 😉
Can't connect to a SASL_SSL SASL_PLAINTEXT or even PLAINTEXT authenticated cluster