Merge pull request #42 from ansible-middleware/feat-zk-authentication

Enable Zookeeper authentication

roles/amq_streams_broker/README.md

@@ -63,14 +63,18 @@ broker4
 |`amq_streams_broker_instance_count_enabled` |  | `true` |
 |`amq_streams_broker_instance_count` |  | `0` |
 |`amq_streams_deployment_balance_check_enabled` |  | `true` |
+|`amq_streams_zookeeper_auth_enabled` | Enable Zookeeper authentication. Zookeeper must be deployed with the authentication enabled. | `false` |
+|`amq_streams_broker_zookeeper_auth_config` | JAAS file for brokers | `/etc/broker-jaas.conf` |
+|`amq_streams_broker_zookeeper_auth_config_template` | JAAS template for brokers | `templates/broker-jaas.conf.j2` |
 
 ## Role Variables
 
 The following are a set of required variables for the role:
 
 | Variable | Description | Required |
 |:---------|:------------|:---------|
-
+|`amq_streams_zookeeper_auth_user` | Zookeeper user to authenticate. Mandatory if `amq_streams_zookeeper_auth_enabled: true` | '' |
+|`amq_streams_zookeeper_auth_pass` | Zookeeper user password to authenticate. Mandatory if `amq_streams_zookeeper_auth_enabled: true`| '' |
 
 ## License
 

roles/amq_streams_broker/defaults/main.yml

@@ -43,3 +43,8 @@ amq_streams_deployment_balance_check_enabled: true
 amq_streams_broker_zookeeper_host_default_value: localhost
 amq_streams_broker_zookeeper_port_default_value: 2181
 amq_streams_broker_zookeeper_wait: True
+
+# Broker-Zookeeper Authentication with SASL
+amq_streams_zookeeper_auth_enabled: 'false'
+amq_streams_broker_zookeeper_auth_config: /etc/broker-jaas.conf
+amq_streams_broker_zookeeper_auth_config_template: templates/broker-jaas.conf.j2

roles/amq_streams_broker/tasks/main.yml

@@ -27,6 +27,22 @@
   when:
     - not server_id is defined
 
+- name: "Configure Broker-Zookeeper authentication"
+  ansible.builtin.template:
+    src: "{{ amq_streams_broker_zookeeper_auth_config_template }}"
+    dest: "{{ amq_streams_broker_zookeeper_auth_config }}"
+    owner: "{{ amq_streams_broker_user | default(omit) }}"
+    group: "{{ amq_streams_broker_group | default(omit) }}"
+    mode: 0644  
+  when:
+    - amq_streams_zookeeper_auth_enabled is defined and amq_streams_zookeeper_auth_enabled
+
+- name: "Enable Broker-Zookeeper authentication environment variable"
+  ansible.builtin.set_fact:
+    amq_streams_broker_java_opts: "-Djava.security.auth.login.config={{ amq_streams_broker_zookeeper_auth_config }}"
+  when:
+    - amq_streams_zookeeper_auth_enabled is defined and amq_streams_zookeeper_auth_enabled
+
 - name: "Wait for Zookeeper to be available - if host and port are provided."
   ansible.builtin.wait_for:
     host: "{{ amq_streams_broker_zookeeper_host }}"

roles/amq_streams_broker/templates/broker-jaas.conf.j2

@@ -0,0 +1,9 @@
+// {{ ansible_managed }}
+
+// Broker-Zookeeper Authentication
+
+Client {
+    org.apache.kafka.common.security.plain.PlainLoginModule required
+    username="{{ amq_streams_zookeeper_auth_user }}"
+    password="{{ amq_streams_zookeeper_auth_pass }}";
+};

roles/amq_streams_zookeeper/README.md

@@ -42,13 +42,18 @@ zknode3
 |`amq_streams_zookeeper_sync_limit` |  | `2` |
 |`amq_streams_zookeeper_cluster_port_start` |  | `2888` |
 |`amq_streams_zookeeper_cluster_port_end` |  | `3888` |
+|`amq_streams_zookeeper_auth_enabled` | Enable Zookeeper authentication | `false` |
+|`amq_streams_zookeeper_auth_config` | JAAS file to set up Zookeeper authentication | `/etc/zookeeper-jaas.conf` |
+|`amq_streams_zookeeper_auth_config_template` | JAAS template for Zookeeper authentication | `templates/zookeeper-jaas.conf.j2` |
 
 ## Role Variables
 
 The following are a set of required variables for the role:
 
 | Variable | Description | Required |
 |:---------|:------------|:---------|
+|`amq_streams_zookeeper_auth_user` | Zookeeper user to authenticate. Mandatory if `amq_streams_zookeeper_auth_enabled: true` | '' |
+|`amq_streams_zookeeper_auth_pass` | Zookeeper user password to authenticate. Mandatory if `amq_streams_zookeeper_auth_enabled: true`| '' |
 
 ## License
 

roles/amq_streams_zookeeper/defaults/main.yml

@@ -27,3 +27,10 @@ amq_streams_zookeeper_cluster_port_end: 3888
 amq_streams_firewalld_package_name:
   - firewalld
 amq_streams_firewalld_enabled: false
+
+# Zookeeper Authentication with SASL
+amq_streams_zookeeper_auth_enabled: 'false'
+amq_streams_zookeeper_auth_config: /etc/zookeeper-jaas.conf
+amq_streams_zookeeper_auth_config_template: templates/zookeeper-jaas.conf.j2
+amq_streams_zookeeper_auth_user: zookeeper
+amq_streams_zookeeper_auth_pass: PLEASE_CHANGE_ME_I_AM_NO_GOOD_FOR_PRODUCTION

roles/amq_streams_zookeeper/tasks/main.yml

@@ -19,6 +19,22 @@
     owner: "{{ amq_streams_zookeeper_user | default(omit) }}"
     group: "{{ amq_streams_zookeeper_group | default(omit) }}"
 
+- name: "Configure Zookeeper authentication"
+  ansible.builtin.template:
+    src: "{{ amq_streams_zookeeper_auth_config_template }}"
+    dest: "{{ amq_streams_zookeeper_auth_config }}"
+    owner: "{{ amq_streams_zookeeper_user | default(omit) }}"
+    group: "{{ amq_streams_zookeeper_group | default(omit) }}"
+    mode: 0644  
+  when:
+    - amq_streams_zookeeper_auth_enabled is defined and amq_streams_zookeeper_auth_enabled
+
+- name: "Enable Zookeeper authentication environment variable"
+  ansible.builtin.set_fact:
+    amq_streams_zookeeper_java_opts: "-Djava.security.auth.login.config={{ amq_streams_zookeeper_auth_config }}"
+  when:
+    - amq_streams_zookeeper_auth_enabled is defined and amq_streams_zookeeper_auth_enabled
+
 - name: "Configure firewalld for Zookeeper (if enable)."
   ansible.builtin.include_role:
     name: amq_streams_common
@@ -44,6 +60,7 @@
     service_systemd_env_file_template: "{{ amq_streams_zookeeper_service_config_template }}"
     service_systemd_env_file: "{{ amq_streams_zookeeper_service_env_file }}"
     server_java_heap_opts: "-Xmx256M -Xms256M"
+    server_java_opts: "{{ amq_streams_zookeeper_java_opts | default('') }}"
 
 - name: "Add zookeeper {{ ansible_nodename | default('[no hostname provided]') }} to instances count."
   ansible.builtin.set_fact:

roles/amq_streams_zookeeper/templates/zookeeper-jaas.conf.j2

@@ -0,0 +1,32 @@
+// {{ ansible_managed }}
+
+// Zookeeper Server-to-Server Authentication
+// Zookeeper Intercluster - Server
+
+QuorumServer {
+       org.apache.zookeeper.server.auth.DigestLoginModule required
+       user_{{ amq_streams_zookeeper_auth_user }}="{{ amq_streams_zookeeper_auth_pass }}";
+};
+
+// Zookeeper Intercluster - Client
+
+QuorumLearner {
+       org.apache.zookeeper.server.auth.DigestLoginModule required
+       username="{{ amq_streams_zookeeper_auth_user }}"
+       password="{{ amq_streams_zookeeper_auth_pass }}";
+};
+
+// Zookeeper - Local clients
+
+Client {
+       org.apache.zookeeper.server.auth.DigestLoginModule required
+       username="{{ amq_streams_zookeeper_auth_user }}"
+       password="{{ amq_streams_zookeeper_auth_pass }}";
+};
+
+// Client-to-Server Authentication
+
+Server {
+    org.apache.zookeeper.server.auth.DigestLoginModule required
+    user_{{ amq_streams_zookeeper_auth_user }}="{{ amq_streams_zookeeper_auth_pass }}";
+};

roles/amq_streams_zookeeper/templates/zookeeper.properties.j2

@@ -47,3 +47,19 @@ syncLimit={{ amq_streams_zookeeper_sync_limit }}
 server.{{ loop.index }}={{ zknode }}:{{ amq_streams_zookeeper_cluster_port_start }}:{{ amq_streams_zookeeper_cluster_port_end }}:participant;{{ zknode }}:{{ amq_streams_zookeeper_port }}
 {% endfor %}
 
+{% if amq_streams_zookeeper_auth_enabled %}
+# Zookeeper Authentication
+# Server-to-Server Authentication
+quorum.auth.enableSasl=true
+quorum.auth.learnerRequireSasl=true
+quorum.auth.serverRequireSasl=true
+quorum.auth.learner.loginContext=QuorumLearner
+quorum.auth.server.loginContext=QuorumServer
+quorum.cnxn.threads.size=20
+
+# Client-to-Server Authentication
+requireClientAuthScheme=sasl
+{% for zknode in groups['zookeepers'] %}
+authProvider.{{ loop.index }}=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
+{% endfor %}
+{% endif %}