SASL-Authorisierung von PLAIN auf SCRAM-SHA-512 umgestellt config/sasl-scram
authorKai Moritz <kai@juplo.de>
Sat, 14 Oct 2023 17:20:40 +0000 (19:20 +0200)
committerKai Moritz <kai@juplo.de>
Fri, 10 Nov 2023 13:41:28 +0000 (14:41 +0100)
README.sh
docker/client.properties
docker/docker-compose.yml

index c430024..84a39a8 100755 (executable)
--- a/README.sh
+++ b/README.sh
@@ -35,7 +35,34 @@ fi
 docker-compose -f docker/docker-compose.yml up --remove-orphans setup || exit 1
 
 kafkacat -L -b :9092
-kafkacat -L -b :9092 -Xsecurity.protocol=sasl_plaintext -Xsasl.mechanisms=PLAIN -Xsasl.username=client -Xsasl.password=client-secret
+kafkacat -L -b :9092 -Xsecurity.protocol=sasl_plaintext -Xsasl.mechanisms=SCRAM-SHA-512 -Xsasl.username=client -Xsasl.password=client-secret
+
+docker-compose -f docker/docker-compose.yml exec cli kafka-configs \
+  --zookeeper zookeeper:2181 \
+  --alter \
+  --add-config 'SCRAM-SHA-512=[password=schemaregistry-secret]' \
+  --entity-type users \
+  --entity-name schemaregistry
+docker-compose -f docker/docker-compose.yml exec cli kafka-configs \
+  --zookeeper zookeeper:2181 \
+  --alter \
+  --add-config 'SCRAM-SHA-512=[password=connect-secret]' \
+  --entity-type users \
+  --entity-name connect
+docker-compose -f docker/docker-compose.yml exec cli kafka-configs \
+  --zookeeper zookeeper:2181 \
+  --alter \
+  --add-config 'SCRAM-SHA-512=[password=ui-secret]' \
+  --entity-type users \
+  --entity-name ui
+docker-compose -f docker/docker-compose.yml exec cli kafka-configs \
+  --zookeeper zookeeper:2181 \
+  --alter \
+  --add-config 'SCRAM-SHA-512=[password=client-secret]' \
+  --entity-type users \
+  --entity-name client
+
+kafkacat -L -b :9092 -Xsecurity.protocol=sasl_plaintext -Xsasl.mechanisms=SCRAM-SHA-512 -Xsasl.username=client -Xsasl.password=client-secret
 
 # Nicht nötig, da `super.users=User:ANONYMOUS` gesetzt wurde
 # Ohne diesen Eintrag wären diverse ACLs nötig, bevor BROKER funktioniert!
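Review bot: The SCRAM login on line 18 (`kafkacat ... -Xsasl.mechanisms=SCRAM-SHA-512 -Xsasl.username=client ...`) runs before the `client` credential is created by the `kafka-configs` calls that follow it, so at that point the broker holds no SCRAM entry for the user and the request should be rejected; if that failure is meant as a demonstration, say so (`# erwartet: Authentication failed, SCRAM-Credentials existieren noch nicht`), otherwise drop the line and keep only the check on line 45. The four `kafka-configs --alter --add-config 'SCRAM-SHA-512=[password=...]'` invocations pass the secrets as command-line arguments through `docker-compose exec`, which exposes them in `ps` output and in shell history inside and outside the container. They also write the credentials via `--zookeeper zookeeper:2181`, which bypasses the broker authorizer entirely; unless ZooKeeper ACLs are in place (not visible here), anything that can reach port 2181 can read or replace the stored salted hashes. Prefer `--bootstrap-server kafka:9092 --command-config <admin.properties>` with the admin credential in a file, and consider setting `iterations=` above the default for the SCRAM entries.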
index 8a04387..900c056 100644 (file)
@@ -1,5 +1,5 @@
-sasl.mechanism=PLAIN
-security.protocol=SASL_PLAINTEXT
-sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
+sasl.mechanism=SCRAM-SHA-512
+security.protocol=SASL_PLAINTEX
+sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
   username="client" \
   password="client-secret";
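Review bot: `security.protocol=SASL_PLAINTEX` on line 55 is missing the trailing `T`; a Kafka client refuses an unknown `security.protocol` value during configuration, so every consumer of this file fails before SASL is even attempted — it should read `security.protocol=SASL_PLAINTEXT`. Independently of the typo, SCRAM only protects the password exchange: with `SASL_PLAINTEXT` the record data and the SCRAM handshake still travel unencrypted, so for anything beyond a local demo this should become `SASL_SSL` with `ssl.truststore.*` configured, and a comment such as `# SASL_PLAINTEXT: demo only, no transport encryption` would make that limitation explicit.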
index c269dae..7b917e3 100644 (file)
@@ -27,17 +27,10 @@ services:
       KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO
       KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter
       KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091
-      KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN
-      KAFKA_LISTENER_NAME_DOCKER_PLAIN_SASL_JAAS_CONFIG: |
-        org.apache.kafka.common.security.plain.PlainLoginModule required \
-        user_schemaregistry="schemaregistry-secret" \
-        user_connect="connect-secret" \
-        user_ui="ui-secret" \
-        user_client="client-secret";
-      KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: PLAIN
-      KAFKA_LISTENER_NAME_LOCALHOST_PLAIN_SASL_JAAS_CONFIG: |
-        org.apache.kafka.common.security.plain.PlainLoginModule required \
-        user_client="client-secret";
+      KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+      KAFKA_LISTENER_NAME_DOCKER_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
+      KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+      KAFKA_LISTENER_NAME_LOCALHOST_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
       KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512
     volumes:
       - kafka-1-data:/var/lib/kafka/data
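Review bot: The broker-wide `KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512` on line 79 is left untouched while the per-listener overrides on lines 75 and 77 narrow only the DOCKER and LOCALHOST listeners to SCRAM-SHA-512 and the PLAIN JAAS configs are removed. Any other SASL listener on this broker (the listener definitions are outside the hunk) would still advertise PLAIN and SCRAM-SHA-256, and a listener offering PLAIN without a PLAIN JAAS entry would presumably fail at broker startup, so the global line should be reduced to `KAFKA_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512` or dropped. The same applies verbatim to the kafka-2, kafka-3 and kafka-4 hunks below. Since the user credentials now live in ZooKeeper rather than in this file, a comment next to the listener settings such as `# SCRAM credentials are created in ZooKeeper via kafka-configs (see README.sh); no user_* entries here` would save the next reader a search.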
@@ -64,17 +57,10 @@ services:
       KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO
       KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter
       KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091
-      KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN
-      KAFKA_LISTENER_NAME_DOCKER_PLAIN_SASL_JAAS_CONFIG: |
-        org.apache.kafka.common.security.plain.PlainLoginModule required \
-        user_schemaregistry="schemaregistry-secret" \
-        user_connect="connect-secret" \
-        user_ui="ui-secret" \
-        user_client="client-secret";
-      KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: PLAIN
-      KAFKA_LISTENER_NAME_LOCALHOST_PLAIN_SASL_JAAS_CONFIG: |
-        org.apache.kafka.common.security.plain.PlainLoginModule required \
-        user_client="client-secret";
+      KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+      KAFKA_LISTENER_NAME_DOCKER_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
+      KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+      KAFKA_LISTENER_NAME_LOCALHOST_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
       KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512
     volumes:
       - kafka-2-data:/var/lib/kafka/data
@@ -106,17 +92,10 @@ services:
       KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO
       KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter
       KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091
-      KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN
-      KAFKA_LISTENER_NAME_DOCKER_PLAIN_SASL_JAAS_CONFIG: |
-        org.apache.kafka.common.security.plain.PlainLoginModule required \
-        user_schemaregistry="schemaregistry-secret" \
-        user_connect="connect-secret" \
-        user_ui="ui-secret" \
-        user_client="client-secret";
-      KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: PLAIN
-      KAFKA_LISTENER_NAME_LOCALHOST_PLAIN_SASL_JAAS_CONFIG: |
-        org.apache.kafka.common.security.plain.PlainLoginModule required \
-        user_client="client-secret";
+      KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+      KAFKA_LISTENER_NAME_DOCKER_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
+      KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+      KAFKA_LISTENER_NAME_LOCALHOST_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
       KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512
     volumes:
       - kafka-3-data:/var/lib/kafka/data
@@ -143,17 +122,10 @@ services:
       KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO
       KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter
       KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091
-      KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN
-      KAFKA_LISTENER_NAME_DOCKER_PLAIN_SASL_JAAS_CONFIG: |
-        org.apache.kafka.common.security.plain.PlainLoginModule required \
-        user_schemaregistry="schemaregistry-secret" \
-        user_connect="connect-secret" \
-        user_ui="ui-secret" \
-        user_client="client-secret";
-      KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: PLAIN
-      KAFKA_LISTENER_NAME_LOCALHOST_PLAIN_SASL_JAAS_CONFIG: |
-        org.apache.kafka.common.security.plain.PlainLoginModule required \
-        user_client="client-secret";
+      KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+      KAFKA_LISTENER_NAME_DOCKER_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
+      KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+      KAFKA_LISTENER_NAME_LOCALHOST_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
       KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512
     volumes:
       - kafka-4-data:/var/lib/kafka/data
@@ -179,10 +151,9 @@ services:
       SCHEMA_REGISTRY_LISTENERS: http://0.0.0.0:8085
       SCHEMA_REGISTRY_LOG4J_ROOT_LOGLEVEL: INFO
       SCHEMA_REGISTRY_KAFKASTORE_SECURITY_PROTOCOL: SASL_PLAINTEXT
-      SCHEMA_REGISTRY_KAFKASTORE_SASL_MECHANISM: PLAIN
+      SCHEMA_REGISTRY_KAFKASTORE_SASL_MECHANISM: SCRAM-SHA-512
       SCHEMA_REGISTRY_KAFKASTORE_SASL_JAAS_CONFIG: >
-        org.apache.kafka.common.security.plain.PlainLoginModule
-        required
+        org.apache.kafka.common.security.scram.ScramLoginModule required
         username="schemaregistry"
         password="schemaregistry-secret";
     ports:
@@ -216,25 +187,25 @@ services:
       CONNECT_STATUS_STORAGE_REPLICATION_FACTOR: 1
       CONNECT_PLUGIN_PATH: /usr/share/java/
       # Configure the Connect workers to use SASL/PLAIN.
-      CONNECT_SASL_MECHANISM: PLAIN
+      CONNECT_SASL_MECHANISM: SCRAM-SHA-512
       CONNECT_SECURITY_PROTOCOL: SASL_PLAINTEXT
       # JAAS
       CONNECT_SASL_JAAS_CONFIG: >
-        org.apache.kafka.common.security.plain.PlainLoginModule required
+        org.apache.kafka.common.security.scram.ScramLoginModule required
         username="connect"
         password="connect-secret";
       # producer
-      CONNECT_PRODUCER_SASL_MECHANISM: PLAIN
+      CONNECT_PRODUCER_SASL_MECHANISM: SCRAM-SHA-512
       CONNECT_PRODUCER_SECURITY_PROTOCOL: SASL_PLAINTEXT
       CONNECT_PRODUCER_SASL_JAAS_CONFIG: >
-        org.apache.kafka.common.security.plain.PlainLoginModule required
+        org.apache.kafka.common.security.scram.ScramLoginModule required
         username="connect"
         password="connect-secret";
       # consumer
-      CONNECT_CONSUMER_SASL_MECHANISM: PLAIN
+      CONNECT_CONSUMER_SASL_MECHANISM: SCRAM-SHA-512
       CONNECT_CONSUMER_SECURITY_PROTOCOL: SASL_PLAINTEXT
       CONNECT_CONSUMER_SASL_JAAS_CONFIG: >
-        org.apache.kafka.common.security.plain.PlainLoginModule required
+        org.apache.kafka.common.security.scram.ScramLoginModule required
         username="connect"
         password="connect-secret";
 
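Review bot: The comment on line 164, `# Configure the Connect workers to use SASL/PLAIN.`, now contradicts the three `CONNECT_*_SASL_MECHANISM: SCRAM-SHA-512` settings beneath it and should read `# Configure the Connect workers to use SASL/SCRAM-SHA-512.`. The worker, producer and consumer JAAS configs repeat the same `connect` / `connect-secret` pair three times inline; as these are now real SCRAM credentials stored in ZooKeeper, a note like `# TODO: move connect-secret to an env_file / docker secret instead of inlining it` would flag the hard-coded secret for anyone reusing this compose file. The Connect service definition starts above this hunk.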
@@ -320,8 +291,8 @@ services:
               properties:
                 bootstrap.servers: "kafka:9092"
                 security.protocol: SASL_PLAINTEXT
-                sasl.mechanism: PLAIN
-                sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="ui" password="ui-secret";
+                sasl.mechanism: SCRAM-SHA-512
+                sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="ui" password="ui-secret";
               schema-registry:
                 url: "http://schema-registry:8085"
               connect:
@@ -342,8 +313,8 @@ services:
       spring.kafka.producer.properties.linger.ms: 100
       spring.kafka.jaas.enabled: "true"
       spring.kafka.properties.security.protocol: SASL_PLAINTEXT
-      spring.kafka.properties.sasl.mechanism: PLAIN
-      spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="client" password="client-secret";
+      spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512
+      spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="client" password="client-secret";
 
   consumer-1:
     image: juplo/spring-consumer:1.0-SNAPSHOT
@@ -352,8 +323,8 @@ services:
       spring.kafka.client-id: consumer-1
       spring.kafka.jaas.enabled: "true"
       spring.kafka.properties.security.protocol: SASL_PLAINTEXT
-      spring.kafka.properties.sasl.mechanism: PLAIN
-      spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="client" password="client-secret";
+      spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512
+      spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="client" password="client-secret";
 
   consumer-2:
     image: juplo/spring-consumer:1.0-SNAPSHOT
@@ -362,8 +333,8 @@ services:
       spring.kafka.client-id: consumer-2
       spring.kafka.jaas.enabled: "true"
       spring.kafka.properties.security.protocol: SASL_PLAINTEXT
-      spring.kafka.properties.sasl.mechanism: PLAIN
-      spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="client" password="client-secret";
+      spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512
+      spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="client" password="client-secret";
 
   consumer-3:
     image: juplo/spring-consumer:1.0-SNAPSHOT
@@ -372,8 +343,8 @@ services:
       spring.kafka.client-id: consumer-3
       spring.kafka.jaas.enabled: "true"
       spring.kafka.properties.security.protocol: SASL_PLAINTEXT
-      spring.kafka.properties.sasl.mechanism: PLAIN
-      spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="client" password="client-secret";
+      spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512
+      spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="client" password="client-secret";
 
 volumes:
   zookeeper-data: