Kafka Users

Kafka users are defined with a KafkaUser definition. A user definition can include the authorization policies (ACLs) for the different resources in the Kafka cluster.

The following users can be defined:

  • admin-user-scram: Super-user (using scram-sha-512 authentication) to administrate the Kafka cluster. Definition here.
  • admin-user-tls: Super-user (using TLS authentication) to administrate the Kafka cluster. Definition here.
  • sample-user-tls: User (using TLS authentication) to produce and consume records from apps.samples.greetings topic. Definition here.
  • sample-streams-user-tls: User to produce and consume records to and from app.samples.greetings.* topics. Definition here.
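
As an added illustration (not the repository's own definition, which is linked above), a least-privilege KafkaUser for sample-user-tls could look like the following. The `v1beta2` API version, the specific operations granted, and the `sample-group` consumer group (taken from the consumer command on this page) are assumptions.

```yaml
# Added example, not the repository's definition; the ACL entries are assumed.
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: sample-user-tls
  labels:
    # Binds the user to the Kafka cluster managed by Strimzi
    strimzi.io/cluster: event-bus
spec:
  authentication:
    # The User Operator issues a client certificate and stores it in a Secret
    type: tls
  authorization:
    # "simple" uses Kafka ACLs; anything not listed below is denied
    type: simple
    acls:
      # Produce to the single topic, matched literally (no prefix or wildcard)
      - resource:
          type: topic
          name: apps.samples.greetings
          patternType: literal
        operation: Write
        host: "*"
      # Look up topic metadata (needed by both producers and consumers)
      - resource:
          type: topic
          name: apps.samples.greetings
          patternType: literal
        operation: Describe
        host: "*"
      # Consume from the topic
      - resource:
          type: topic
          name: apps.samples.greetings
          patternType: literal
        operation: Read
        host: "*"
      # Join the consumer group and commit offsets
      - resource:
          type: group
          name: sample-group
          patternType: literal
        operation: Read
        host: "*"
```

Unlike the two admin users, which show no authorization type in the status output below, this user can touch only the one topic and one consumer group listed.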

To create the users:

oc apply -f ./users/

This command will show the status of the Kafka Users:

❯ oc get kafkausers
NAME                      CLUSTER     AUTHENTICATION   AUTHORIZATION   READY
admin-user-scram          event-bus   scram-sha-512                    True
admin-user-tls            event-bus   tls                              True
sample-streams-user-tls   event-bus   tls              simple          True
sample-user-tls           event-bus   tls              simple          True

To describe a Kafka User:

oc get kafkauser admin-user-scram -o yaml

Each user has its own secret containing its credentials:

❯ oc get secret admin-user-scram -o yaml
apiVersion: v1
data:
  password: ZHYwV1V5eUx6Y09x
kind: Secret
metadata:
  labels:
    app.kubernetes.io/instance: sample-user-scram
    app.kubernetes.io/managed-by: strimzi-user-operator
    app.kubernetes.io/name: strimzi-user-operator
    app.kubernetes.io/part-of: strimzi-sample-user-scram
    strimzi.io/cluster: event-bus
    strimzi.io/kind: KafkaUser
  name: sample-user-scram
  namespace: strimzi-migration
type: Opaque

To decode the password (Secret values are base64-encoded, not encrypted):

❯ oc get secret admin-user-scram -o jsonpath='{.data.password}' | base64 -d
N7FSt6poV2GF

These users can be tested with the following samples:

  • Sample consumer authenticated with the sample-user-scram user:
oc run kafka-consumer -ti --image=quay.io/strimzi/kafka:latest-kafka-2.8.1 --rm=true --restart=Never -- /bin/bash -c "cat >/tmp/consumer.properties <<EOF 
security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username=admin-user-scram password=N7FSt6poV2GF;
EOF
bin/kafka-console-consumer.sh --bootstrap-server event-bus-kafka-bootstrap:9092 --topic apps.samples.greetings --consumer.config=/tmp/consumer.properties --group sample-group
"
  • Sample producer authenticated with the admin-user-scram user:
oc run kafka-producer -ti --image=quay.io/strimzi/kafka:latest-kafka-2.8.1 --rm=true --restart=Never -- /bin/bash -c "cat >/tmp/producer.properties <<EOF 
security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username=admin-user-scram password=N7FSt6poV2GF;
EOF
bin/kafka-console-producer.sh --broker-list event-bus-kafka-bootstrap:9092 --topic apps.samples.greetings --producer.config=/tmp/producer.properties
"
