Kafka auth internal & external

[ghost]

Hi,

I need to set up a cluster with the following requirements:

1. Enable an external App to write in one topic RegisterUser
2. Enable an internal App (in the same cluster as Kafka) to consume from the topic RegisterUser

I configured the Kafka cluster with the following listeners:

  listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls        
      - name: external
        port: 9094
        type: loadbalancer
        tls: true
        authentication:
          type: tls
    authorization:
        type: simple
        superUsers:
           - ANONYMOUS

and this is my user configuration:

 apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: my-user
  labels:
    strimzi.io/cluster: my-kafka-cluster
spec:
  authentication:
    type: tls
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: RegisterUser
          patternType: literal
        operation: Read
        host: "*"

I can produce from the external network using a load balancer on port 9094, but when I try to consume on the internal port 9092 I'm getting an error:
Broker: Group authorization failed

When I checked the pod logs I got the following:
INFO Principal = User:ANONYMOUS is Denied Operation

So i add

superUsers:
           - ANONYMOUS

Doing this internal clients bypassed by making ANONYMOUS a superuser.
I'm not able to connect to Kafka using the external listener without creds.
Is this approach safe? I still have the feeling that I'm missing something.

[scholzj]

You did not configured authentication on the listener on port 9092. So if you use it, the users will be treated as ANONYMOUS. So you need to either use the listeners with authentication or enable the authentication ont he 9092 listener as well.

Setting the ANONYMOUS user as super user will make it work as well, but obviously that is quite insecure.

[ghost]

Thanks for the reply :)
I don’t need securing port 9092, I mean only internal apps will be able to communicate with that listener and they are allowed.
If I add authentication on the listener on port 9092 need to be type: tls ? I want to avoid create certificates and keys for every microservice inside the cluster.
What you suggest to do?
I appreciate any example.

[scholzj]

I don’t need securing port 9092, I mean only internal apps will be able to communicate with that listener and they are allowed.

Well, your call of course. Keep in mind that as super users, these users can do anything. Including changing the ACLs for the external users for example. But if that works for you, sure.

If I add authentication on the listener on port 9092 need to be type: tls ? I want to avoid create certificates and keys for every microservice inside the cluster.

TLS authentication does not wok on listener without TLS. So you would need to use either the TLS enabled listener (you have it already on 9093) or use for example the SCRAM-SHA-512 authentication.