Can Kafka be provided with custom LoginModule to support LDAP?


Question

Kafka can be configured to use several authentication mechanisms: plaintext username/password, Kerberos or SSL. The first 2 use SASL, where there is a JAAS config file required.

For the plain text auth method, the config looks like (taken from the documentation):

KafkaServer {
   org.apache.kafka.common.security.plain.PlainLoginModule required
   username="admin"
   password="admin-secret"
   user_admin="admin-secret"
   user_alice="alice-secret";
};

I want to authenticate if possible using LDAP. My question is this: if I replace the PlainLoginModule with a class that implements LoginModule and place this class in the broker's classpath, can I implement authentication in any manner I wish (i.e. LDAP)?

I cannot use Kerberos in a reasonable fashion because of the way its principals are defined within the organisation where I'm working, hence I wish to use LDAP as I need to support RBAC.

Answer

Yes, you can provide Kafka with a custom class that implements LoginModule and have the authentication logic you want in it.

Then update the JAAS file with your class name and make sure it's in the classpath.

You'll need to write some boilerplate code to get everything set up correctly, but you can use PlainLoginModule, PlainSaslServerProvider, PlainSaslServerFactory and PlainSaslServer as examples.

Your LoginModule class should have the same logic as PlainLoginModule but instead initialize your Provider implementation (in the static block).

Your Provider class should have the same logic as PlainSaslServerProvider but instead reference your SaslServerFactory implementation.

Your SaslServerFactory class should again have the same logic as PlainSaslServerFactory but create an instance of your SaslServer implementation.

Finally, your SaslServer class should implement the necessary LDAP logic in its evaluateResponse() method. Just be sure to correctly set this.authorizationId, as this will become the user principal, and to set complete to true (like PlainSaslServer.evaluateResponse() does).
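The four classes the answer walks through, as an added example that is not code from the original post or from the Kafka project: a SASL/PLAIN server whose evaluateResponse() verifies the password with an LDAP simple bind through JNDI, wired LoginModule -> Provider -> SaslServerFactory -> SaslServer the way PlainLoginModule does it. The package name, the LDAPS URL ldaps://ldap.example.com:636 and the DN template uid=%s,ou=people,dc=example,dc=com are assumptions. PLAIN is kept as the mechanism name so unmodified Kafka clients keep working, which is why the provider is inserted at position 1 (ahead of Kafka's own PlainSaslServerProvider, should both end up loaded).

```java
// Added example, not Kafka's code. LDAP URL, DN template and package name are assumptions.
package com.example.kafka.ldap;

import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.Security;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginModule;
import javax.security.sasl.AuthenticationException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;

/** Drop-in replacement for PlainLoginModule: its only real job is to register the provider. */
public final class LdapLoginModule implements LoginModule {
    static final String MECHANISM = "PLAIN"; // clients still speak SASL/PLAIN (RFC 4616)

    static { LdapSaslServerProvider.initialize(); } // same trick as PlainLoginModule's static block

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        // No user_<name> options to read: credentials live in LDAP, not in the JAAS file.
    }
    @Override public boolean login()  { return true; }
    @Override public boolean commit() { return true; }
    @Override public boolean abort()  { return false; }
    @Override public boolean logout() { return true; }

    /** Mirrors PlainSaslServerProvider but points the PLAIN mechanism at our factory. */
    public static final class LdapSaslServerProvider extends Provider {
        LdapSaslServerProvider() {
            super("LDAP SASL/PLAIN Server Provider", 1.0, "SASL/PLAIN verified by LDAP bind"); // Java 8 ctor
            put("SaslServerFactory." + MECHANISM, LdapSaslServerFactory.class.getName());
        }
        static void initialize() {
            Security.insertProviderAt(new LdapSaslServerProvider(), 1); // first provider wins in Sasl.createSaslServer
        }
    }

    /** Mirrors PlainSaslServerFactory, including the no-plaintext policy check. */
    public static final class LdapSaslServerFactory implements SaslServerFactory {
        @Override public SaslServer createSaslServer(String mech, String protocol, String server,
                                                     Map<String, ?> props, CallbackHandler cbh) throws SaslException {
            if (!MECHANISM.equals(mech)) throw new SaslException("Unsupported mechanism " + mech);
            return new LdapSaslServer();
        }
        @Override public String[] getMechanismNames(Map<String, ?> props) {
            // PLAIN carries the password in clear, so honour Sasl.POLICY_NOPLAINTEXT if a caller sets it.
            if (props != null && "true".equals(props.get(Sasl.POLICY_NOPLAINTEXT))) return new String[0];
            return new String[] { MECHANISM };
        }
    }

    /** Mirrors PlainSaslServer; the password check is an LDAP simple bind as the user. */
    public static final class LdapSaslServer implements SaslServer {
        static final String LDAP_URL = "ldaps://ldap.example.com:636";           // assumption
        static final String DN_TEMPLATE = "uid=%s,ou=people,dc=example,dc=com"; // assumption
        private boolean complete;
        private String authorizationId;

        @Override public byte[] evaluateResponse(byte[] response) throws SaslException {
            // RFC 4616 message: [authzid] NUL authcid NUL passwd
            String[] tokens = new String(response, StandardCharsets.UTF_8).split("\u0000", -1);
            if (tokens.length != 3) throw new SaslException("Invalid SASL/PLAIN response: expected 3 tokens");
            String authzid = tokens[0], username = tokens[1], password = tokens[2];
            // An empty password would turn the LDAP bind into an anonymous bind that "succeeds" (RFC 4513 5.1.2).
            if (username.isEmpty() || password.isEmpty())
                throw new AuthenticationException("Authentication failed: empty username or password");
            // Restrict the name we splice into the DN so a client cannot inject extra RDNs.
            if (!username.matches("[A-Za-z0-9._-]+"))
                throw new AuthenticationException("Authentication failed: malformed username");
            // Like PlainSaslServer: a requested authorization identity must equal the authenticated one.
            if (!authzid.isEmpty() && !authzid.equals(username))
                throw new AuthenticationException("Authentication failed: authzid must match authcid");
            bind(String.format(DN_TEMPLATE, username), password);
            this.authorizationId = username; // Kafka turns this into the principal User:<username>
            this.complete = true;
            return new byte[0];
        }

        private static void bind(String dn, String password) throws SaslException {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, LDAP_URL);            // ldaps:// so the bind password is not sent in clear
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, dn);
            env.put(Context.SECURITY_CREDENTIALS, password);
            try {
                new InitialDirContext(env).close();             // constructor performs the bind
            } catch (NamingException e) {
                throw new AuthenticationException("Authentication failed: LDAP bind rejected for " + dn, e);
            }
        }

        @Override public String getMechanismName() { return MECHANISM; }
        @Override public boolean isComplete() { return complete; }
        @Override public String getAuthorizationID() {
            if (!complete) throw new IllegalStateException("Authentication exchange has not completed");
            return authorizationId;
        }
        @Override public byte[] unwrap(byte[] in, int off, int len) {
            if (!complete) throw new IllegalStateException("Authentication exchange has not completed");
            return java.util.Arrays.copyOfRange(in, off, off + len); // no integrity/privacy layer, like PLAIN
        }
        @Override public byte[] wrap(byte[] out, int off, int len) { return unwrap(out, off, len); }
        @Override public Object getNegotiatedProperty(String name) {
            if (!complete) throw new IllegalStateException("Authentication exchange has not completed");
            return null;
        }
        @Override public void dispose() { }
    }
}
```

To use it, point the broker's JAAS entry at the class instead of PlainLoginModule (`KafkaServer { com.example.kafka.ldap.LdapLoginModule required; };`), keep `sasl.enabled.mechanisms=PLAIN`, and expose the listener as SASL_SSL rather than SASL_PLAINTEXT, since PLAIN sends the password in clear between client and broker regardless of what the broker does with it afterwards. Two design points in the code matter more than the wiring: rejecting an empty password before the bind (an unauthenticated simple bind is accepted as anonymous by compliant LDAP servers, which would let anyone in as any user), and constraining the username before it is formatted into a DN. Note also that since Kafka 2.0 (KIP-86) the same result can be reached without a custom SASL provider at all: keep PlainLoginModule and set `listener.name.<listener>.plain.sasl.server.callback.handler.class` to a class implementing `org.apache.kafka.common.security.auth.AuthenticateCallbackHandler` that answers `PlainAuthenticateCallback` with the LDAP bind result.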
