This repository contains the Java source code implementation of an Apache Kafka plugin that performs client authentication against an external source such as an LDAP server. When configured to use this plugin, the Kafka broker will perform user authentication against the external source using the username and password provided by the Kafka client.
- Java JDK 15 or higher
The Kafka Authentication plugin build produces a Java jar file which must be added to the Kafka broker classpath. To produce the jar file using a local build command:

```shell
./gradlew clean build jar -x test
```

The result is `build/libs/kafka-authentication-plugin-<version>.jar`, which contains all the class files which implement the SASL callback handler. This jar file must be added to the classpath of the Kafka broker prior to starting the server. You can do this by either copying the jar file into the `$KAFKA_HOME/libs` directory or by setting the classpath environment variable:

```shell
export CLASSPATH="/path/to/jar/kafka-authentication-plugin-<version>.jar"
```
For static credentials (the `KafkaStaticAuthenticationHandler`), the plugin is configured by setting the following properties in the Kafka `server.properties` file:

- `listeners = localauth://localhost:9094`
- `listener.name.localauth.plain.sasl.server.callback.handler.class = com.sas.kafka.auth.KafkaStaticAuthenticationHandler`
- `auth.static.credentials = credential1 credential2 etc`

  List of static credentials to authenticate against. The credentials must be specified as a space-delimited list in the following format:

  `username:base64salt:base64password`

  This credential string can be generated by using the `generateCredentialProperty.sh` script at the root of this project.
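The credential format above is easy to get subtly wrong (a colon in a username, a truncated base64 field, a plain `==` comparison on the hash). The following Python model, added here as an illustration and not code from this project, shows how a `username:base64salt:base64password` entry is built, how a whole space-delimited `auth.static.credentials` value is parsed, and how a SASL PLAIN password is checked against it. The README does not say how the password field is derived, so the PBKDF2-HMAC-SHA256 scheme, the iteration count and the dummy-salt timing equalisation are assumptions of this example; the real `generateCredentialProperty.sh` script may use a different derivation, and only the three-field layout is taken from the page.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumption: the page does not state how the password field is derived, so this
# model uses PBKDF2-HMAC-SHA256 over the password with the decoded salt. The real
# generateCredentialProperty.sh script may use a different scheme; only the
# username:base64salt:base64password layout is taken from the README.
PBKDF2_ITERATIONS = 100_000
_DUMMY_SALT = b"\x00" * 16  # used to equalise work when the username is unknown


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_credential(username: str, password: str, salt: Optional[bytes] = None) -> str:
    """Build one username:base64salt:base64password entry for auth.static.credentials."""
    if not username or ":" in username or any(c.isspace() for c in username):
        # ':' and whitespace are the field and list delimiters, so they cannot appear in a name
        raise ValueError("username must be non-empty and contain no ':' or whitespace")
    salt = salt if salt is not None else os.urandom(16)
    # Standard base64 never contains ':' or whitespace, which is why this layout is unambiguous
    return ":".join([
        username,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(_derive(password, salt)).decode("ascii"),
    ])


def parse_credentials(prop: str) -> Dict[str, Tuple[bytes, bytes]]:
    """Parse the space-delimited auth.static.credentials value into {username: (salt, hash)}."""
    creds: Dict[str, Tuple[bytes, bytes]] = {}
    for entry in prop.split():
        parts = entry.split(":")
        if len(parts) != 3:
            raise ValueError(f"malformed credential entry: {entry!r}")
        user, salt_b64, hash_b64 = parts
        # validate=True rejects stray characters instead of silently discarding them
        creds[user] = (base64.b64decode(salt_b64, validate=True),
                       base64.b64decode(hash_b64, validate=True))
    return creds


def authenticate(creds: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> bool:
    """Check a SASL PLAIN username/password against the parsed static credential table."""
    entry = creds.get(username)
    if entry is None:
        # Same cost as a real check, so response timing does not reveal whether the user exists
        _derive(password, _DUMMY_SALT)
        return False
    salt, expected = entry
    return hmac.compare_digest(_derive(password, salt), expected)
```

The constant-time `hmac.compare_digest` and the dummy derivation for unknown users matter because the broker answers every SASL PLAIN attempt; an early-exit `==` comparison would leak which usernames exist and how much of the hash matched.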
For LDAP authentication (the `KafkaLdapAuthenticationHandler`), the plugin is configured by setting the following properties in the Kafka `server.properties` file:

- `listeners = ldapauth://localhost:9095`
- `listener.name.ldapauth.plain.sasl.server.callback.handler.class = com.sas.kafka.auth.KafkaLdapAuthenticationHandler`
- `auth.ldap.server.url = ldap://ldap.yourcompany.com:389`

  LDAP server address. The format is `protocol://hostname:port`.
- `auth.ldap.bind.dn = DC=COMPANY,DC=com`

  LDAP bind DN for the account used to query the server.
- `auth.ldap.user.id = username`

  LDAP username for the account used to query the server.
- `auth.ldap.bind.password = password`

  LDAP password for the account used to query the server.
- `auth.cache.enabled = false`

  Enable the authentication cache. The authentication cache can be used to reduce the number of queries performed against the LDAP server. It can also help prevent user lockouts due to failed authentication attempts. The default value is `false`.
- `auth.cache.history.maxDepth = 10`

  Maximum number of user authentication attempts to keep in the cache. This corresponds to the unique number of usernames that have attempted to authenticate. The default value is `10`.
- `auth.cache.history.maxAge = 600000`

  Maximum age of authentication attempts to keep in the cache (in milliseconds). The default value is `600000` milliseconds (10 minutes).
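The three `auth.cache.*` settings interact: `maxDepth` bounds how many usernames are remembered, `maxAge` bounds how long a remembered verdict is reused, and the lockout protection only works if failed attempts are remembered too. The following Python model is an added illustration of those semantics, not code from this project, and the README only describes the settings, so the exact policy here is an assumption: the cache keeps the most recent attempt per username with a keyed fingerprint of the password that was tried, answers an identical attempt within `maxAge` from the cache (whether it passed or failed), and always sends a different password for the same user to the backend. The `backend` callable stands in for the LDAP bind; the injectable `clock` exists so the expiry can be exercised without waiting ten minutes.

```python
import hashlib
import hmac
import os
import time
from collections import OrderedDict
from typing import Callable


class AuthenticationCache:
    """Model of auth.cache.enabled, auth.cache.history.maxDepth and auth.cache.history.maxAge.

    Assumed semantics (the README only describes the settings): the most recent attempt
    per username is remembered, as a verdict plus a keyed fingerprint of the password tried.
    A repeat of the same attempt within maxAge is answered from the cache, success or
    failure, so a client retrying a stale password does not keep hitting the LDAP server
    and driving the account towards lockout. A different password always goes to the backend.
    """

    def __init__(self, backend: Callable[[str, str], bool], enabled: bool = False,
                 max_depth: int = 10, max_age_ms: int = 600000,
                 clock: Callable[[], float] = time.monotonic):
        self.backend = backend        # e.g. an LDAP bind; here any (user, password) -> bool
        self.enabled = enabled
        self.max_depth = max_depth    # number of unique usernames retained
        self.max_age_ms = max_age_ms  # entry lifetime in milliseconds
        self.clock = clock            # returns seconds; injectable for tests
        # Per-process random key: cached fingerprints are HMACs tied to this process,
        # not reusable password hashes that would be worth stealing from memory or logs
        self._key = os.urandom(32)
        self._entries = OrderedDict()  # username -> (fingerprint, verdict, stored_ms); oldest first
        self.backend_calls = 0         # how many times the backend was actually consulted

    def _fingerprint(self, username: str, password: str) -> bytes:
        msg = f"{username}\x00{password}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def _ask_backend(self, username: str, password: str) -> bool:
        self.backend_calls += 1
        return self.backend(username, password)

    def authenticate(self, username: str, password: str) -> bool:
        if not self.enabled:
            return self._ask_backend(username, password)
        now_ms = self.clock() * 1000.0
        fp = self._fingerprint(username, password)
        entry = self._entries.get(username)
        if entry is not None:
            cached_fp, verdict, stored_ms = entry
            if now_ms - stored_ms <= self.max_age_ms and hmac.compare_digest(fp, cached_fp):
                self._entries.move_to_end(username)  # refresh least-recently-used order
                return verdict
            # Expired, or a different password was tried: the old verdict must not be reused
            del self._entries[username]
        verdict = self._ask_backend(username, password)
        self._entries[username] = (fp, verdict, now_ms)
        while len(self._entries) > self.max_depth:
            self._entries.popitem(last=False)  # evict the least recently used username
        return verdict
```

Two consequences worth checking in any real deployment: a password change is only honoured immediately when the new password differs from the cached one (a correct password is never served from a stale failure), and a cached success remains valid for up to `maxAge` after the account is disabled in LDAP, so `maxAge` is a direct trade-off between LDAP load and how quickly a revocation takes effect on the broker.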
To configure Log4J logging for the plugin, edit the `log4j.properties` file typically found in the `/etc/kafka` directory:

```properties
log4j.rootLogger=INFO, stdout, kafkaAppender, requestAppender, authorizerAppender
log4j.appender.authorizerAppender=org.apache.log4j.RollingFileAppender
log4j.appender.authorizerAppender.File=${kafka.logs.dir}/kafka-authorizer.log
log4j.appender.authorizerAppender.MaxFileSize=10MB
log4j.appender.authorizerAppender.MaxBackupIndex=5
log4j.appender.authorizerAppender.append=true
log4j.appender.authorizerAppender.layout=org.apache.log4j.PatternLayout
log4j.appender.authorizerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
```
We welcome your contributions! Please read `CONTRIBUTING.md` for details on how to submit contributions to this project.
This project is licensed under the Apache 2.0 License.
- KIP-86: Configurable SASL callback handlers
- Confluent Apache Kafka Security course
There are several open source alternatives to this library: