Kafka auth per listener

[sofronic]

Hi,

I'm trying to set up an auth for for our kafka's external communication and leave plaintext for the k8s internal one. Not sure if it is even possible but here's my config:

    listeners:
      external:
        type: loadbalancer
        tls: true
        authentication:
          type: scram-sha-512
        overrides:
          bootstrap:
            address: kafka1
          brokers:
          - broker: 0
            advertisedHost: kafka-broker0
          - broker: 1
            advertisedHost: kafka-broker1
          - broker: 2
            advertisedHost: kafka-broker2
      plain:
        type: internal
        tls: false
        port: 9092
    authorization:
      type: simple
      superUsers: 
        - user1

This way the internal clinets are not able to connect since they are using the ANONYMOUS user. I've bypassed it by making it superuser:

      superUsers: 
        - user1
        - ANONYMOUS 

Now both internal on port 9092 and external on lb:9094 are both fine. I can use user1's creds and ca.crt file to connect to kafka . But I came accross an article that says: By granting read/write permission to the ANONYMOUS user, you are allowing anyone to access the brokers without authentication. As such, you should not grant access to ANONYMOUS users unless the intention is to give everyone the permission.

Still I'm not able to connect to our kafka using the external listener without creds using different GUIs and kafkacat. After I switch the security.protocol to something different then PLAINTEXT it's asking for password and cannot connect with ANONYMOUS . That's fine by me and it's what I aiming to achieve. But I'm still having the fealling that I'm missing something.

[scholzj]

But I came accross an article that says: By granting read/write permission to the ANONYMOUS user, you are allowing anyone to access the brokers without authentication. As such, you should not grant access to ANONYMOUS users unless the intention is to give everyone the permission.

Was this somewhere in the Strimzi website or docs? I do not think this is strictly speaking correct. AFAIK, giving the right to ANONYMOUS will not disable the authentication. the authentication will still be enforced on the external listener and the users using it will have to follow their own ACL rules. But the main message is of course still true => this is not really secure setup and everyone who gets access to your network will be able to connect to your cluster and do anything they want - including changing ACLs for the external users, deleting topics etc.

So what you have there, technically it is correct and should work. Is it a right secure design? Not really, but I'm happy to leave it to you if you really want to use this or not ;-).