From dad7e004d54485c4cea94c2175a326668c297240 Mon Sep 17 00:00:00 2001
From: Kai Moritz
Date: Sat, 14 Oct 2023 19:20:40 +0200
Subject: [PATCH] SASL-Authorisierung von PLAIN auf SCRAM-SHA-512 umgestellt

---
 README.sh | 27 ++++++++++-
 docker/client.properties | 6 +--
 docker/docker-compose.yml | 97 ++++++++++++++-------------------------
 3 files changed, 63 insertions(+), 67 deletions(-)

diff --git a/README.sh b/README.sh
index 3e1f0db..372aac6 100755
--- a/README.sh
+++ b/README.sh
@@ -11,6 +11,31 @@ fi
 docker-compose -f docker/docker-compose.yml up --remove-orphans setup || exit 1
 docker-compose -f docker/docker-compose.yml ps
 
+docker-compose -f docker/docker-compose.yml exec cli kafka-configs \
+  --zookeeper zookeeper:2181 \
+  --alter \
+  --add-config 'SCRAM-SHA-512=[password=schemaregistry-secret]' \
+  --entity-type users \
+  --entity-name schemaregistry
+docker-compose -f docker/docker-compose.yml exec cli kafka-configs \
+  --zookeeper zookeeper:2181 \
+  --alter \
+  --add-config 'SCRAM-SHA-512=[password=connect-secret]' \
+  --entity-type users \
+  --entity-name connect
+docker-compose -f docker/docker-compose.yml exec cli kafka-configs \
+  --zookeeper zookeeper:2181 \
+  --alter \
+  --add-config 'SCRAM-SHA-512=[password=ui-secret]' \
+  --entity-type users \
+  --entity-name ui
+docker-compose -f docker/docker-compose.yml exec cli kafka-configs \
+  --zookeeper zookeeper:2181 \
+  --alter \
+  --add-config 'SCRAM-SHA-512=[password=client-secret]' \
+  --entity-type users \
+  --entity-name client
+
 # Nicht nötig, da `super.users=User:ANONYMOUS` gesetzt wurde
 # Ohne diesen Eintrag wären diverse ACLs nötig, bevor BROKER funktioniert!
 # docker-compose exec cli kafka-acls --authorizer-properties zookeeper.connect=zookeeper zookeeper:2181 --add --allow-principal User:ANONYMOUS --operation ALL --topic __CruiseControlMetrics --group=*
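Review bot: The four new kafka-configs invocations run without the `|| exit 1` that the `up --remove-orphans setup` line directly above them uses, so a failed credential creation (for example when ZooKeeper is not yet reachable from the cli container) goes unnoticed here and only surfaces later as an authentication failure in schema-registry, connect or the clients. The four blocks differ only in the user name and the matching `<user>-secret` password, so a loop over the user names with an explicit exit on error keeps the check in one place; the password literals themselves stay as the repository has them. The `--zookeeper` form of kafka-configs is deprecated in favour of `--bootstrap-server` in newer Kafka releases, which may matter if the cli image version changes; confirm against the image in use.
```shell
for user in schemaregistry connect ui client; do
  docker-compose -f docker/docker-compose.yml exec cli kafka-configs \
    --zookeeper zookeeper:2181 \
    --alter \
    --add-config "SCRAM-SHA-512=[password=${user}-secret]" \
    --entity-type users \
    --entity-name "$user" || exit 1
done
```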
@@ -30,7 +55,7 @@ docker-compose -f docker/docker-compose.yml exec cli kafka-acls \
   --topic _schemas \
   --operation=DescribeConfigs
 
-kafkacat -L -b :9092 -Xsecurity.protocol=sasl_plaintext -Xsasl.mechanisms=PLAIN -Xsasl.username=client -Xsasl.password=client-secret
+kafkacat -L -b :9092 -Xsecurity.protocol=sasl_plaintext -Xsasl.mechanisms=SCRAM-SHA-512 -Xsasl.username=client -Xsasl.password=client-secret
 
 docker-compose -f docker/docker-compose.yml up -d schema-registry
 while [[ ! $(http :8085/subjects 2> /dev/null) ]]; do echo Waiting for schema-registry; sleep 1; done
diff --git a/docker/client.properties b/docker/client.properties
index 8a04387..900c056 100644
--- a/docker/client.properties
+++ b/docker/client.properties
@@ -1,5 +1,5 @@
-sasl.mechanism=PLAIN
-security.protocol=SASL_PLAINTEXT
-sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
+sasl.mechanism=SCRAM-SHA-512
+security.protocol=SASL_PLAINTEX
+sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
   username="client" \
   password="client-secret";
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 64ab239..f4a4e98 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
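Review bot: `security.protocol=SASL_PLAINTEX` in the docker/client.properties hunk drops the trailing T that the removed line had; that is not a valid Kafka security.protocol value, so a client reading this file fails at configuration time instead of ever reaching the SCRAM handshake. The line should read `security.protocol=SASL_PLAINTEXT`. The README.sh hunk above it (the kafkacat call) is consistent with the mechanism switch and needs no change.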
@@ -32,17 +32,10 @@ services:
         -Dcom.sun.management.jmxremote.authenticate=false
       KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter
       KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091
-      KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN
-      KAFKA_LISTENER_NAME_DOCKER_PLAIN_SASL_JAAS_CONFIG: |
-        org.apache.kafka.common.security.plain.PlainLoginModule required \
-        user_schemaregistry="schemaregistry-secret" \
-        user_connect="connect-secret" \
-        user_ui="ui-secret" \
-        user_client="client-secret";
-      KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: PLAIN
-      KAFKA_LISTENER_NAME_LOCALHOST_PLAIN_SASL_JAAS_CONFIG: |
-        org.apache.kafka.common.security.plain.PlainLoginModule required \
-        user_client="client-secret";
+      KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+      KAFKA_LISTENER_NAME_DOCKER_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
+      KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+      KAFKA_LISTENER_NAME_LOCALHOST_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
       KAFKA_INTER_BROKER_LISTENER_NAME: BROKER
       KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512
     volumes:
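Review bot: The new `KAFKA_LISTENER_NAME_DOCKER_SCRAM-SHA-512_SASL_JAAS_CONFIG` and `..._LOCALHOST_...` lines carry no credentials any more, which is the point of the change, but nothing in this file now says where the SCRAM users come from; a comment above the first of them, `# SCRAM credentials for schemaregistry, connect, ui and client are created in README.sh via kafka-configs`, would spare the next reader a search. The unchanged `KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512` still enables PLAIN and SCRAM-SHA-256 cluster-wide; the per-listener settings above override it for DOCKER and LOCALHOST, so this is presumably kept for the BROKER listener, whose JAAS configuration is not visible in this hunk. If PLAIN is no longer needed on any listener, the list should be narrowed so that no listener can negotiate a weaker mechanism than intended. The same applies to the three identical broker hunks that follow.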
@@ -77,17 +70,10 @@ services:
         -Dcom.sun.management.jmxremote.authenticate=false
       KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter
       KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091
-      KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN
-      KAFKA_LISTENER_NAME_DOCKER_PLAIN_SASL_JAAS_CONFIG: |
-        org.apache.kafka.common.security.plain.PlainLoginModule required \
-        user_schemaregistry="schemaregistry-secret" \
-        user_connect="connect-secret" \
-        user_ui="ui-secret" \
-        user_client="client-secret";
-      KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: PLAIN
-      KAFKA_LISTENER_NAME_LOCALHOST_PLAIN_SASL_JAAS_CONFIG: |
-        org.apache.kafka.common.security.plain.PlainLoginModule required \
-        user_client="client-secret";
+      KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+      KAFKA_LISTENER_NAME_DOCKER_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
+      KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+      KAFKA_LISTENER_NAME_LOCALHOST_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
       KAFKA_INTER_BROKER_LISTENER_NAME: BROKER
       KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512
     volumes:
@@ -127,17 +113,10 @@ services:
         -Dcom.sun.management.jmxremote.authenticate=false
       KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter
       KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091
-      KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN
-      KAFKA_LISTENER_NAME_DOCKER_PLAIN_SASL_JAAS_CONFIG: |
-        org.apache.kafka.common.security.plain.PlainLoginModule required \
-        user_schemaregistry="schemaregistry-secret" \
-        user_connect="connect-secret" \
-        user_ui="ui-secret" \
-        user_client="client-secret";
-      KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: PLAIN
-      KAFKA_LISTENER_NAME_LOCALHOST_PLAIN_SASL_JAAS_CONFIG: |
-        org.apache.kafka.common.security.plain.PlainLoginModule required \
-        user_client="client-secret";
+      KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+      KAFKA_LISTENER_NAME_DOCKER_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
+      KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+      KAFKA_LISTENER_NAME_LOCALHOST_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
       KAFKA_INTER_BROKER_LISTENER_NAME: BROKER
       KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512
     volumes:
@@ -172,17 +151,10 @@ services:
         -Dcom.sun.management.jmxremote.authenticate=false
       KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter
       KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091
-      KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN
-      KAFKA_LISTENER_NAME_DOCKER_PLAIN_SASL_JAAS_CONFIG: |
-        org.apache.kafka.common.security.plain.PlainLoginModule required \
-        user_schemaregistry="schemaregistry-secret" \
-        user_connect="connect-secret" \
-        user_ui="ui-secret" \
-        user_client="client-secret";
-      KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: PLAIN
-      KAFKA_LISTENER_NAME_LOCALHOST_PLAIN_SASL_JAAS_CONFIG: |
-        org.apache.kafka.common.security.plain.PlainLoginModule required \
-        user_client="client-secret";
+      KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+      KAFKA_LISTENER_NAME_DOCKER_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
+      KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+      KAFKA_LISTENER_NAME_LOCALHOST_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
       KAFKA_INTER_BROKER_LISTENER_NAME: BROKER
       KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512
     volumes:
@@ -211,10 +183,9 @@ services:
       SCHEMA_REGISTRY_LISTENERS: http://0.0.0.0:8085
       SCHEMA_REGISTRY_LOG4J_ROOT_LOGLEVEL: INFO
       SCHEMA_REGISTRY_KAFKASTORE_SECURITY_PROTOCOL: SASL_PLAINTEXT
-      SCHEMA_REGISTRY_KAFKASTORE_SASL_MECHANISM: PLAIN
+      SCHEMA_REGISTRY_KAFKASTORE_SASL_MECHANISM: SCRAM-SHA-512
       SCHEMA_REGISTRY_KAFKASTORE_SASL_JAAS_CONFIG: >
-        org.apache.kafka.common.security.plain.PlainLoginModule
-        required
+        org.apache.kafka.common.security.scram.ScramLoginModule required
         username="schemaregistry"
         password="schemaregistry-secret";
     ports:
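Review bot: In the schema-registry hunk the changed `SCHEMA_REGISTRY_KAFKASTORE_SASL_MECHANISM: SCRAM-SHA-512` sits directly under the unchanged `SCHEMA_REGISTRY_KAFKASTORE_SECURITY_PROTOCOL: SASL_PLAINTEXT`, so the SCRAM exchange still runs over an unencrypted channel. SCRAM no longer sends the password itself, which is the gain of this commit, but the Kafka documentation recommends SCRAM only together with TLS, because an observer who records the exchange can try to recover weak passwords offline, and the `*-secret` values used throughout this file are weak by design. For a local demo that is an accepted trade-off; a comment on the protocol line, `# SASL_PLAINTEXT: the SCRAM exchange is not encrypted, use SASL_SSL outside this demo`, records it for whoever copies the setup. The same holds for the connect, ui and spring client hunks below, which all keep SASL_PLAINTEXT.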
@@ -248,25 +219,25 @@ services:
       CONNECT_STATUS_STORAGE_REPLICATION_FACTOR: 1
       CONNECT_PLUGIN_PATH: /usr/share/java/
       # Configure the Connect workers to use SASL/PLAIN.
-      CONNECT_SASL_MECHANISM: PLAIN
+      CONNECT_SASL_MECHANISM: SCRAM-SHA-512
       CONNECT_SECURITY_PROTOCOL: SASL_PLAINTEXT
       # JAAS
       CONNECT_SASL_JAAS_CONFIG: >
-        org.apache.kafka.common.security.plain.PlainLoginModule required
+        org.apache.kafka.common.security.scram.ScramLoginModule required
         username="connect"
         password="connect-secret";
       # producer
-      CONNECT_PRODUCER_SASL_MECHANISM: PLAIN
+      CONNECT_PRODUCER_SASL_MECHANISM: SCRAM-SHA-512
       CONNECT_PRODUCER_SECURITY_PROTOCOL: SASL_PLAINTEXT
       CONNECT_PRODUCER_SASL_JAAS_CONFIG: >
-        org.apache.kafka.common.security.plain.PlainLoginModule required
+        org.apache.kafka.common.security.scram.ScramLoginModule required
         username="connect"
         password="connect-secret";
       # consumer
-      CONNECT_CONSUMER_SASL_MECHANISM: PLAIN
+      CONNECT_CONSUMER_SASL_MECHANISM: SCRAM-SHA-512
       CONNECT_CONSUMER_SECURITY_PROTOCOL: SASL_PLAINTEXT
       CONNECT_CONSUMER_SASL_JAAS_CONFIG: >
-        org.apache.kafka.common.security.plain.PlainLoginModule required
+        org.apache.kafka.common.security.scram.ScramLoginModule required
         username="connect"
         password="connect-secret";
 
@@ -352,8 +323,8 @@ services:
         properties:
           bootstrap.servers: "kafka:9092"
           security.protocol: SASL_PLAINTEXT
-          sasl.mechanism: PLAIN
-          sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="ui" password="ui-secret";
+          sasl.mechanism: SCRAM-SHA-512
+          sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="ui" password="ui-secret";
       schema-registry:
         url: "http://schema-registry:8085"
       connect:
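Review bot: The comment `# Configure the Connect workers to use SASL/PLAIN.` directly above the changed `CONNECT_SASL_MECHANISM: SCRAM-SHA-512` is now stale and contradicts the setting it introduces; it should read `# Configure the Connect workers to use SASL/SCRAM-SHA-512.`. The worker, producer and consumer blocks repeat the same mechanism, protocol and JAAS triple; that structure predates the commit and is only noted so that a future change to one of them is applied to all three.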
@@ -374,8 +345,8 @@ services:
       spring.kafka.producer.properties.linger.ms: 100
       spring.kafka.jaas.enabled: "true"
       spring.kafka.properties.security.protocol: SASL_PLAINTEXT
-      spring.kafka.properties.sasl.mechanism: PLAIN
-      spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="client" password="client-secret";
+      spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512
+      spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="client" password="client-secret";
 
   consumer-1:
     image: juplo/spring-consumer:1.0-SNAPSHOT
@@ -384,8 +355,8 @@ services:
       spring.kafka.client-id: consumer-1
       spring.kafka.jaas.enabled: "true"
       spring.kafka.properties.security.protocol: SASL_PLAINTEXT
-      spring.kafka.properties.sasl.mechanism: PLAIN
-      spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="client" password="client-secret";
+      spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512
+      spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="client" password="client-secret";
 
   consumer-2:
     image: juplo/spring-consumer:1.0-SNAPSHOT
@@ -394,8 +365,8 @@ services:
       spring.kafka.client-id: consumer-1
       spring.kafka.jaas.enabled: "true"
       spring.kafka.properties.security.protocol: SASL_PLAINTEXT
-      spring.kafka.properties.sasl.mechanism: PLAIN
-      spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="client" password="client-secret";
+      spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512
+      spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="client" password="client-secret";
 
   consumer-3:
     image: juplo/spring-consumer:1.0-SNAPSHOT
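Review bot: The third hunk here (old line 394 onwards) starts with the context line `spring.kafka.client-id: consumer-1` although, judging by the `consumer-2:` header that closes the preceding hunk, it belongs to the consumer-2 service; the following hunk for consumer-3 shows the same value. After this commit all three consumers authenticate as the same SCRAM user `client` and additionally report the same client id, so broker-side logs, quotas and audit trails cannot tell the instances apart. This predates the commit, but since the hunks touch the adjacent lines it is a cheap fix to set `spring.kafka.client-id: consumer-2` and `spring.kafka.client-id: consumer-3` respectively; the enclosing service definitions start outside the hunks, so verify the assignment against the full file.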
@@ -404,8 +375,8 @@ services:
       spring.kafka.client-id: consumer-1
       spring.kafka.jaas.enabled: "true"
       spring.kafka.properties.security.protocol: SASL_PLAINTEXT
-      spring.kafka.properties.sasl.mechanism: PLAIN
-      spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="client" password="client-secret";
+      spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512
+      spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="client" password="client-secret";
 
 volumes:
   zookeeper-data:
-- 
2.20.1