From 7c7a9a010d3c5e4fee1de3d2393a6d52f45ee8e7 Mon Sep 17 00:00:00 2001
From: Claire Finnie
Date: Fri, 6 Dec 2024 12:12:26 +1300
Subject: [PATCH] [INF-6313] Adding SASL/SCRAM Auth config

**Problem** We want to use authenticated connections to our Kafka cluster. **Solution** Configure SASL/SCRAM authentication config for Secor. We will use plaintext i.e. no SSL/TLS for now. I have added the truststore location so we can change to SSL if we need to. ssl.protocol & security.protocol configs would change to `SSL` & `SASL_SSL`.
---
 src/main/config/secor.common.properties | 12 ++++++------
 src/main/scripts/docker-entrypoint.sh | 5 +++++
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/main/config/secor.common.properties b/src/main/config/secor.common.properties
index ea8eeb30b..bf07b84e2 100644
--- a/src/main/config/secor.common.properties
+++ b/src/main/config/secor.common.properties
@@ -180,24 +180,24 @@ kafka.new.consumer.topic.list=
 kafka.new.consumer.poll.timeout.seconds=10
 kafka.new.consumer.request.timeout.ms=
+kafka.new.consumer.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="KUSERNAME" password="KPASSWORD";
+kafka.new.consumer.ssl.truststore.location=/usr/local/openjdk-8/jre/lib/security/cacerts
+kafka.new.consumer.ssl.truststore.password=changeit
+kafka.new.consumer.ssl.protocol=PLAINTEXT
+kafka.new.consumer.sasl.mechanism=SCRAM-SHA-512
+kafka.new.consumer.security.protocol=SASL_PLAINTEXT
 kafka.new.consumer.ssl.key.password=
 kafka.new.consumer.ssl.keystore.location=
 kafka.new.consumer.ssl.keystore.password=
-kafka.new.consumer.ssl.truststore.location=
-kafka.new.consumer.ssl.truststore.password=
 kafka.new.consumer.isolation.level=
 kafka.new.consumer.max.poll.interval.ms=
 kafka.new.consumer.max.poll.records=
 kafka.new.consumer.sasl.client.callback.handler.class=
-kafka.new.consumer.sasl.jaas.config=
 kafka.new.consumer.sasl.kerberos.service.name=
 kafka.new.consumer.sasl.login.callback.handler.class=
 kafka.new.consumer.sasl.login.class=
-kafka.new.consumer.sasl.mechanism=
-kafka.new.consumer.security.protocol=
 kafka.new.consumer.ssl.enabled.protocols=
 kafka.new.consumer.ssl.keystore.type=
-kafka.new.consumer.ssl.protocol=
 kafka.new.consumer.ssl.provider=
 kafka.new.consumer.ssl.truststore.type=
 kafka.new.consumer.partition.assignment.strategy.class=
diff --git a/src/main/scripts/docker-entrypoint.sh b/src/main/scripts/docker-entrypoint.sh
index aeab5aa9e..b0542279e 100644
--- a/src/main/scripts/docker-entrypoint.sh
+++ b/src/main/scripts/docker-entrypoint.sh
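Review bot: `kafka.new.consumer.security.protocol=SASL_PLAINTEXT` and the `sasl.jaas.config` line with literal `username="KUSERNAME" password="KPASSWORD"` are now unconditional in the shipped defaults, so unless a deployment overrides them, a consumer started without the entrypoint's `KAFKA_AUTH_ENABLED` toggle will attempt SCRAM with the placeholder credentials against the broker instead of connecting unauthenticated as before; either leave these keys empty here and have the entrypoint set all three (`security.protocol`, `sasl.mechanism`, `sasl.jaas.config`) only when auth is enabled, or document that the toggle is now mandatory. Separately, `kafka.new.consumer.ssl.protocol=PLAINTEXT` is not a TLS protocol name — Kafka's `ssl.protocol` selects the SSLContext protocol and `PLAINTEXT` exists only as a `security.protocol` value — and while it is ignored under SASL_PLAINTEXT, the `SSL` value the commit message plans to switch to is a legacy name Kafka documents as discouraged; setting `kafka.new.consumer.ssl.protocol=TLSv1.2` now (supported by the JDK 8 cacerts path referenced on the truststore line) makes the later move to SASL_SSL a single-key change. A brief comment above `ssl.truststore.password=changeit` noting that this is the JDK's well-known default cacerts password, not a secret, would stop it from tripping secret scanners and reviewers. SCRAM-SHA-512 does not send the password itself in clear, but over SASL_PLAINTEXT every record and the SCRAM exchange are readable and modifiable on the path, so the "for now" in the description deserves a tracked follow-up.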
@@ -121,6 +121,11 @@ if [ ! -z "$SECOR_MESSAGE_PARSER" ]; then
 SECOR_CONFIG="$SECOR_CONFIG -Dsecor.message.parser.class=$SECOR_MESSAGE_PARSER"
 echo "secor.message.parser.class=$SECOR_MESSAGE_PARSER"
 fi
+
+if [ ! -z "$KAFKA_AUTH_ENABLED" ]; then
+ sed -i -r "s/KUSERNAME/${KAFKA_AUTH_SASL_USERNAME}/g" /opt/secor/secor.common.properties
+ sed -i -r "s/KPASSWORD/${KAFKA_AUTH_SASL_PASSWORD}/g" /opt/secor/secor.common.properties
+fi
 SECOR_CONFIG="$SECOR_CONFIG $SECOR_EXTRA_OPTS"
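Review bot: The two `sed -i` lines splice `KAFKA_AUTH_SASL_USERNAME` and `KAFKA_AUTH_SASL_PASSWORD` unescaped into a sed expression, so a password containing `/` terminates the substitution early and breaks the command, `&` is replaced by the matched text `KPASSWORD`, and a backslash is treated as an escape — all of which are common in generated secrets. An unset or empty variable is also accepted silently and leaves `password=""` in the JAAS line, so the failure only surfaces later as an authentication error from the broker. The rewrite below asserts both variables with `${VAR:?}` and escapes the sed metacharacters before substitution; a newline or a double quote in a value would still break the sed script or the quoted JAAS string, so reject those at the secret source if your store allows them. Because the values are written in clear into `/opt/secor/secor.common.properties`, make sure that file is not captured in an image layer or log collection, and that this script is not run under `set -x` (not visible in this hunk), which would echo the password.
```shell
if [ ! -z "$KAFKA_AUTH_ENABLED" ]; then
  # Fail fast instead of silently writing empty credentials into the JAAS line.
  : "${KAFKA_AUTH_SASL_USERNAME:?must be set when KAFKA_AUTH_ENABLED is set}"
  : "${KAFKA_AUTH_SASL_PASSWORD:?must be set when KAFKA_AUTH_ENABLED is set}"
  # Escape sed replacement metacharacters (\, & and the / delimiter) so the
  # credential is inserted literally rather than corrupting the expression.
  sasl_user=$(printf '%s' "$KAFKA_AUTH_SASL_USERNAME" | sed -e 's/[\/&]/\\&/g')
  sasl_pass=$(printf '%s' "$KAFKA_AUTH_SASL_PASSWORD" | sed -e 's/[\/&]/\\&/g')
  sed -i "s/KUSERNAME/${sasl_user}/g" /opt/secor/secor.common.properties
  sed -i "s/KPASSWORD/${sasl_pass}/g" /opt/secor/secor.common.properties
fi
```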