From e4cb271d277870c29c00c9c0ca3ca650c0776a9c Mon Sep 17 00:00:00 2001
From: Kai Moritz
Date: Sat, 14 Oct 2023 19:20:40 +0200
Subject: [PATCH] SASL-Autorisierung von PLAIN auf SCRAM-SHA-512 umgestellt
---
 README.sh | 29 +++++++++++-
 docker/client.properties | 6 +--
 docker/docker-compose.yml | 97 ++++++++++++++-------------------------
 3 files changed, 65 insertions(+), 67 deletions(-)
diff --git a/README.sh b/README.sh
index c430024..84a39a8 100755
--- a/README.sh
+++ b/README.sh
@@ -35,7 +35,34 @@ fi
 docker-compose -f docker/docker-compose.yml up --remove-orphans setup || exit 1
 kafkacat -L -b :9092
-kafkacat -L -b :9092 -Xsecurity.protocol=sasl_plaintext -Xsasl.mechanisms=PLAIN -Xsasl.username=client -Xsasl.password=client-secret
+kafkacat -L -b :9092 -Xsecurity.protocol=sasl_plaintext -Xsasl.mechanisms=SCRAM-SHA-512 -Xsasl.username=client -Xsasl.password=client-secret
+
+docker-compose -f docker/docker-compose.yml exec cli kafka-configs \
+ --zookeeper zookeeper:2181 \
+ --alter \
+ --add-config 'SCRAM-SHA-512=[password=schemaregistry-secret]' \
+ --entity-type users \
+ --entity-name schemaregistry
+docker-compose -f docker/docker-compose.yml exec cli kafka-configs \
+ --zookeeper zookeeper:2181 \
+ --alter \
+ --add-config 'SCRAM-SHA-512=[password=connect-secret]' \
+ --entity-type users \
+ --entity-name connect
+docker-compose -f docker/docker-compose.yml exec cli kafka-configs \
+ --zookeeper zookeeper:2181 \
+ --alter \
+ --add-config 'SCRAM-SHA-512=[password=ui-secret]' \
+ --entity-type users \
+ --entity-name ui
+docker-compose -f docker/docker-compose.yml exec cli kafka-configs \
+ --zookeeper zookeeper:2181 \
+ --alter \
+ --add-config 'SCRAM-SHA-512=[password=client-secret]' \
+ --entity-type users \
+ --entity-name client
+
+kafkacat -L -b :9092 -Xsecurity.protocol=sasl_plaintext -Xsasl.mechanisms=SCRAM-SHA-512 -Xsasl.username=client -Xsasl.password=client-secret
 # Nicht nötig, da `super.users=User:ANONYMOUS` gesetzt wurde
 # Ohne diesen Eintrag wären diverse ACLs nötig, bevor BROKER funktioniert!
diff --git a/docker/client.properties b/docker/client.properties
index 8a04387..900c056 100644
--- a/docker/client.properties
+++ b/docker/client.properties
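Review bot: The first SCRAM-authenticated `kafkacat -L` on the new side runs before the four `kafka-configs --alter --add-config 'SCRAM-SHA-512=[password=…]'` calls that create the credentials, so it is expected to fail authentication for user `client`; if that is meant to demonstrate the missing credential, say so with a comment such as `# Fails: no SCRAM credential exists for "client" yet` above it, otherwise drop it and keep only the call after the users are created. The same ordering applies to every other SCRAM client in docker-compose.yml (schema-registry, connect, ui, producer, consumers): they can only authenticate once this step has run, so the script presumably relies on those services being started afterwards or on their retry behaviour — worth a comment. `--zookeeper` writes the credentials straight into ZooKeeper, which is why no already-authenticated admin is needed to bootstrap the first user; note in the README that this path exists only while the brokers run against ZooKeeper.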
@@ -1,5 +1,5 @@
-sasl.mechanism=PLAIN
-security.protocol=SASL_PLAINTEXT
-sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
+sasl.mechanism=SCRAM-SHA-512
+security.protocol=SASL_PLAINTEX
+sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
 username="client" \
 password="client-secret";
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index c269dae..7b917e3 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -27,17 +27,10 @@ services:
 KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO
 KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter
 KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091
- KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN
- KAFKA_LISTENER_NAME_DOCKER_PLAIN_SASL_JAAS_CONFIG: |
- org.apache.kafka.common.security.plain.PlainLoginModule required \
- user_schemaregistry="schemaregistry-secret" \
- user_connect="connect-secret" \
- user_ui="ui-secret" \
- user_client="client-secret";
- KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: PLAIN
- KAFKA_LISTENER_NAME_LOCALHOST_PLAIN_SASL_JAAS_CONFIG: |
- org.apache.kafka.common.security.plain.PlainLoginModule required \
- user_client="client-secret";
+ KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+ KAFKA_LISTENER_NAME_DOCKER_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
+ KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+ KAFKA_LISTENER_NAME_LOCALHOST_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
 KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512
 volumes:
 - kafka-1-data:/var/lib/kafka/data
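Review bot: `security.protocol=SASL_PLAINTEX` on the new side drops the trailing `T`; the removed line had the correct value, so this is a typo introduced by the commit, and every client that loads `docker/client.properties` will have the value rejected when the config is parsed instead of authenticating. It should read `security.protocol=SASL_PLAINTEXT`. Since the README's `kafkacat` call uses the same credential but its own flags, this file is not exercised by the script and the typo would go unnoticed until a JVM client uses it — worth a one-line smoke test or a comment stating which command consumes this file.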
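Review bot: `KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512` stays as the broker-wide default while both listener overrides now allow only SCRAM-SHA-512 and the commit removes the only PLAIN JAAS configuration, so any SASL listener without its own `..._SASL_ENABLED_MECHANISMS` override would still advertise PLAIN with no login module behind it. Either trim the default to `KAFKA_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512` or add a comment stating why PLAIN and SCRAM-SHA-256 remain enabled globally. The same hunk is repeated unchanged for kafka-2, kafka-3 and kafka-4 in the three following hunks. The transport is still SASL_PLAINTEXT: SCRAM keeps the password itself off the wire, but the authentication exchange and all topic data remain unencrypted, which deserves a comment next to the listener settings if that is intended for this demo. The keys `KAFKA_LISTENER_NAME_DOCKER_SCRAM-SHA-512_SASL_JAAS_CONFIG` and the LOCALHOST twin contain a hyphen, which a POSIX shell cannot export; presumably docker-compose passes it through unchanged, but a comment saying the name must be set via compose, not a shell, would save the next reader a debugging round.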
@@ -64,17 +57,10 @@ services:
 KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO
 KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter
 KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091
- KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN
- KAFKA_LISTENER_NAME_DOCKER_PLAIN_SASL_JAAS_CONFIG: |
- org.apache.kafka.common.security.plain.PlainLoginModule required \
- user_schemaregistry="schemaregistry-secret" \
- user_connect="connect-secret" \
- user_ui="ui-secret" \
- user_client="client-secret";
- KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: PLAIN
- KAFKA_LISTENER_NAME_LOCALHOST_PLAIN_SASL_JAAS_CONFIG: |
- org.apache.kafka.common.security.plain.PlainLoginModule required \
- user_client="client-secret";
+ KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+ KAFKA_LISTENER_NAME_DOCKER_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
+ KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+ KAFKA_LISTENER_NAME_LOCALHOST_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
 KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512
 volumes:
 - kafka-2-data:/var/lib/kafka/data
@@ -106,17 +92,10 @@ services:
 KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO
 KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter
 KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091
- KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN
- KAFKA_LISTENER_NAME_DOCKER_PLAIN_SASL_JAAS_CONFIG: |
- org.apache.kafka.common.security.plain.PlainLoginModule required \
- user_schemaregistry="schemaregistry-secret" \
- user_connect="connect-secret" \
- user_ui="ui-secret" \
- user_client="client-secret";
- KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: PLAIN
- KAFKA_LISTENER_NAME_LOCALHOST_PLAIN_SASL_JAAS_CONFIG: |
- org.apache.kafka.common.security.plain.PlainLoginModule required \
- user_client="client-secret";
+ KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+ KAFKA_LISTENER_NAME_DOCKER_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
+ KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+ KAFKA_LISTENER_NAME_LOCALHOST_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
 KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512
 volumes:
 - kafka-3-data:/var/lib/kafka/data
@@ -143,17 +122,10 @@ services:
 KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO
 KAFKA_METRIC_REPORTERS: com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter
 KAFKA_CRUISE_CONTROL_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9091
- KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: PLAIN
- KAFKA_LISTENER_NAME_DOCKER_PLAIN_SASL_JAAS_CONFIG: |
- org.apache.kafka.common.security.plain.PlainLoginModule required \
- user_schemaregistry="schemaregistry-secret" \
- user_connect="connect-secret" \
- user_ui="ui-secret" \
- user_client="client-secret";
- KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: PLAIN
- KAFKA_LISTENER_NAME_LOCALHOST_PLAIN_SASL_JAAS_CONFIG: |
- org.apache.kafka.common.security.plain.PlainLoginModule required \
- user_client="client-secret";
+ KAFKA_LISTENER_NAME_DOCKER_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+ KAFKA_LISTENER_NAME_DOCKER_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
+ KAFKA_LISTENER_NAME_LOCALHOST_SASL_ENABLED_MECHANISMS: SCRAM-SHA-512
+ KAFKA_LISTENER_NAME_LOCALHOST_SCRAM-SHA-512_SASL_JAAS_CONFIG: org.apache.kafka.common.security.scram.ScramLoginModule required;
 KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512
 volumes:
 - kafka-4-data:/var/lib/kafka/data
@@ -179,10 +151,9 @@ services:
 SCHEMA_REGISTRY_LISTENERS: http://0.0.0.0:8085
 SCHEMA_REGISTRY_LOG4J_ROOT_LOGLEVEL: INFO
 SCHEMA_REGISTRY_KAFKASTORE_SECURITY_PROTOCOL: SASL_PLAINTEXT
- SCHEMA_REGISTRY_KAFKASTORE_SASL_MECHANISM: PLAIN
+ SCHEMA_REGISTRY_KAFKASTORE_SASL_MECHANISM: SCRAM-SHA-512
 SCHEMA_REGISTRY_KAFKASTORE_SASL_JAAS_CONFIG: >
- org.apache.kafka.common.security.plain.PlainLoginModule
- required
+ org.apache.kafka.common.security.scram.ScramLoginModule required
 username="schemaregistry"
 password="schemaregistry-secret";
 ports:
@@ -216,25 +187,25 @@ services:
 CONNECT_STATUS_STORAGE_REPLICATION_FACTOR: 1
 CONNECT_PLUGIN_PATH: /usr/share/java/
 # Configure the Connect workers to use SASL/PLAIN.
- CONNECT_SASL_MECHANISM: PLAIN
+ CONNECT_SASL_MECHANISM: SCRAM-SHA-512
 CONNECT_SECURITY_PROTOCOL: SASL_PLAINTEXT
 # JAAS
 CONNECT_SASL_JAAS_CONFIG: >
- org.apache.kafka.common.security.plain.PlainLoginModule required
+ org.apache.kafka.common.security.scram.ScramLoginModule required
 username="connect"
 password="connect-secret";
 # producer
- CONNECT_PRODUCER_SASL_MECHANISM: PLAIN
+ CONNECT_PRODUCER_SASL_MECHANISM: SCRAM-SHA-512
 CONNECT_PRODUCER_SECURITY_PROTOCOL: SASL_PLAINTEXT
 CONNECT_PRODUCER_SASL_JAAS_CONFIG: >
- org.apache.kafka.common.security.plain.PlainLoginModule required
+ org.apache.kafka.common.security.scram.ScramLoginModule required
 username="connect"
 password="connect-secret";
 # consumer
- CONNECT_CONSUMER_SASL_MECHANISM: PLAIN
+ CONNECT_CONSUMER_SASL_MECHANISM: SCRAM-SHA-512
 CONNECT_CONSUMER_SECURITY_PROTOCOL: SASL_PLAINTEXT
 CONNECT_CONSUMER_SASL_JAAS_CONFIG: >
- org.apache.kafka.common.security.plain.PlainLoginModule required
+ org.apache.kafka.common.security.scram.ScramLoginModule required
 username="connect"
 password="connect-secret";
@@ -320,8 +291,8 @@ services:
 properties:
 bootstrap.servers: "kafka:9092"
 security.protocol: SASL_PLAINTEXT
- sasl.mechanism: PLAIN
- sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="ui" password="ui-secret";
+ sasl.mechanism: SCRAM-SHA-512
+ sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="ui" password="ui-secret";
 schema-registry:
 url: "http://schema-registry:8085"
 connect:
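Review bot: The context comment `# Configure the Connect workers to use SASL/PLAIN.` directly above `CONNECT_SASL_MECHANISM: SCRAM-SHA-512` is now wrong, since the worker, producer and consumer mechanisms in this hunk all become SCRAM-SHA-512; change it to `# Configure the Connect workers (and their producer/consumer) to use SASL/SCRAM-SHA-512.`. The three `ScramLoginModule required` folded scalars repeat the same `connect`/`connect-secret` credential, so a short comment noting that all three must be changed together would keep a future rotation from leaving one of them behind. The same stale-wording concern does not arise in the ui hunk below, which has no descriptive comment.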
@@ -342,8 +313,8 @@ services:
 spring.kafka.producer.properties.linger.ms: 100
 spring.kafka.jaas.enabled: "true"
 spring.kafka.properties.security.protocol: SASL_PLAINTEXT
- spring.kafka.properties.sasl.mechanism: PLAIN
- spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="client" password="client-secret";
+ spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512
+ spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="client" password="client-secret";
 consumer-1:
 image: juplo/spring-consumer:1.0-SNAPSHOT
@@ -352,8 +323,8 @@ services:
 spring.kafka.client-id: consumer-1
 spring.kafka.jaas.enabled: "true"
 spring.kafka.properties.security.protocol: SASL_PLAINTEXT
- spring.kafka.properties.sasl.mechanism: PLAIN
- spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="client" password="client-secret";
+ spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512
+ spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="client" password="client-secret";
 consumer-2:
 image: juplo/spring-consumer:1.0-SNAPSHOT
@@ -362,8 +333,8 @@ services:
 spring.kafka.client-id: consumer-2
 spring.kafka.jaas.enabled: "true"
 spring.kafka.properties.security.protocol: SASL_PLAINTEXT
- spring.kafka.properties.sasl.mechanism: PLAIN
- spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="client" password="client-secret";
+ spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512
+ spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="client" password="client-secret";
 consumer-3:
 image: juplo/spring-consumer:1.0-SNAPSHOT
@@ -372,8 +343,8 @@ services:
 spring.kafka.client-id: consumer-3
 spring.kafka.jaas.enabled: "true"
 spring.kafka.properties.security.protocol: SASL_PLAINTEXT
- spring.kafka.properties.sasl.mechanism: PLAIN
- spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="client" password="client-secret";
+ spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512
+ spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="client" password="client-secret";
 volumes:
 zookeeper-data:
-- 
2.20.1