Can Kafka be provided with a custom LoginModule to support LDAP?
Question
Kafka can be configured to use several authentication mechanisms: plaintext username/password, Kerberos or SSL. The first two use SASL, where a JAAS config file is required.
For the plain text auth method, the config looks like this (taken from the documentation):
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="admin-secret"
user_alice="alice-secret";
};
I want to authenticate, if possible, using LDAP. My question is this: if I replace the PlainLoginModule with a class that implements LoginModule and place this class in the broker's classpath, can I implement authentication in any manner I wish (i.e. LDAP)?
I cannot use Kerberos in a reasonable fashion because of the way its principals are defined within the organisation where I'm working, hence I wish to use LDAP, as I need to support RBAC.
Accepted answer
Yes, you can provide Kafka with a custom class that implements LoginModule and have the authentication logic you want in it.
Then update the JAAS file with your class name and make sure it's in the classpath.
You'll need to put in some boilerplate code to get everything set up correctly, but you can use PlainLoginModule, PlainSaslServerProvider, PlainSaslServerFactory and PlainSaslServer as examples.
Your LoginModule class should have the same logic as PlainLoginModule but instead initialize your Provider implementation (in the static block).
Your Provider class should have the same logic as PlainSaslServerProvider but instead reference your SaslServerFactory implementation.
Your SaslServerFactory class should again have the same logic as PlainSaslServerFactory but create an instance of your SaslServer implementation.
Finally, your SaslServer class should implement the necessary LDAP logic in its evaluateResponse() method. Just be sure to correctly set this.authorizationId, as this will become the user principal, and set complete to true (like PlainSaslServer.evaluateResponse() does).
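The four classes the answer describes, written out as one added example (this is not the answerer's code and not Kafka's own; it mirrors the structure of PlainLoginModule, PlainSaslServerProvider, PlainSaslServerFactory and PlainSaslServer and swaps an LDAP simple bind in for the password lookup). Everything named here is an assumption of the example: the class name LdapLoginModule, the JAAS options ldap.url and ldap.userDnPattern, and a directory where a user's DN is obtained by formatting the user name into the pattern. It keeps the mechanism name PLAIN and the RFC 4616 wire format so stock Kafka clients with sasl.mechanism=PLAIN work unchanged, and it assumes the broker's JAAS entry names this module instead of PlainLoginModule (so Kafka's own PLAIN provider is never registered), for instance: KafkaServer { com.example.LdapLoginModule required ldap.url="ldaps://ldap.example.com:636" ldap.userDnPattern="uid=%s,ou=people,dc=example,dc=com"; };

```java
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Map;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;

// Hypothetical example class; option names ldap.url / ldap.userDnPattern are this example's own.
public class LdapLoginModule implements LoginModule {
    // Same mechanism name and wire format as SASL/PLAIN, so unmodified Kafka clients can authenticate.
    static final String MECHANISM = "PLAIN";
    static volatile String ldapUrl, userDnPattern;

    // Mirrors PlainLoginModule: register our Provider as soon as the JAAS config loads this class.
    static { LdapSaslServerProvider.initialize(); }

    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        ldapUrl = (String) options.get("ldap.url");
        userDnPattern = (String) options.get("ldap.userDnPattern");
        if (ldapUrl == null || userDnPattern == null)
            throw new IllegalArgumentException("ldap.url and ldap.userDnPattern are required in the JAAS config");
    }
    @Override public boolean login() { return true; }
    @Override public boolean commit() { return true; }
    @Override public boolean abort() { return false; }
    @Override public boolean logout() { return true; }

    // Mirrors PlainSaslServerProvider, but maps SaslServerFactory.PLAIN to our factory.
    public static final class LdapSaslServerProvider extends Provider {
        LdapSaslServerProvider() {
            super("LDAP SASL/PLAIN Server Provider", 1.0, "SASL/PLAIN server that authenticates by LDAP bind");
            put("SaslServerFactory." + MECHANISM, LdapSaslServerFactory.class.getName());
        }
        // Position 1 so Sasl.createSaslServer finds this factory before any other PLAIN provider.
        static void initialize() { Security.insertProviderAt(new LdapSaslServerProvider(), 1); }
    }

    // Mirrors PlainSaslServerFactory, but hands out our SaslServer. Must be public with a no-arg constructor.
    public static final class LdapSaslServerFactory implements SaslServerFactory {
        @Override
        public SaslServer createSaslServer(String mechanism, String protocol, String serverName,
                                           Map<String, ?> props, CallbackHandler cbh) throws SaslException {
            if (!MECHANISM.equals(mechanism)) throw new SaslException("Unsupported mechanism: " + mechanism);
            return new LdapSaslServer();
        }
        @Override public String[] getMechanismNames(Map<String, ?> props) { return new String[] {MECHANISM}; }
    }

    public static final class LdapSaslServer implements SaslServer {
        // Whitelist the user name before it is formatted into a DN: blocks LDAP DN/filter injection.
        private static final Pattern SAFE_USERNAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");
        private boolean complete;
        private String authorizationId;

        // Client message per RFC 4616: [authzid] NUL authcid NUL password
        @Override
        public byte[] evaluateResponse(byte[] response) throws SaslException {
            String[] tokens = new String(response, StandardCharsets.UTF_8).split("\u0000", -1);
            if (tokens.length != 3) throw new SaslException("Invalid SASL/PLAIN response: expected 3 tokens, got " + tokens.length);
            String authzid = tokens[0], username = tokens[1], password = tokens[2];
            // An empty password must be rejected here: LDAP treats a simple bind with an empty password
            // as an anonymous (unauthenticated) bind that succeeds for any DN, which would let anyone in.
            if (username.isEmpty() || password.isEmpty()) throw new SaslException("Authentication failed: username or password not specified");
            if (!SAFE_USERNAME.matcher(username).matches()) throw new SaslException("Authentication failed: unacceptable username");
            if (!authzid.isEmpty() && !authzid.equals(username)) throw new SaslException("Authentication failed: authorization id differs from username");
            ldapBind(String.format(userDnPattern, username), password);
            authorizationId = username;   // becomes the Kafka principal User:<username>
            complete = true;
            return new byte[0];
        }

        private static void ldapBind(String dn, String password) throws SaslException {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldapUrl);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, dn);
            env.put(Context.SECURITY_CREDENTIALS, password);
            try {
                new InitialDirContext(env).close();   // a successful simple bind is the whole credential check
            } catch (AuthenticationException e) {
                throw new SaslException("Authentication failed: invalid username or password");
            } catch (NamingException e) {
                throw new SaslException("LDAP bind failed: " + e.getMessage(), e);
            }
        }

        @Override public String getMechanismName() { return MECHANISM; }
        @Override public boolean isComplete() { return complete; }
        @Override public String getAuthorizationID() { requireComplete(); return authorizationId; }
        @Override public byte[] unwrap(byte[] in, int off, int len) { requireComplete(); return Arrays.copyOfRange(in, off, off + len); }
        @Override public byte[] wrap(byte[] out, int off, int len) { requireComplete(); return Arrays.copyOfRange(out, off, off + len); }
        @Override public Object getNegotiatedProperty(String name) { requireComplete(); return null; }
        @Override public void dispose() {}
        private void requireComplete() { if (!complete) throw new IllegalStateException("Authentication exchange has not completed"); }
    }
}
```

Two checks a practitioner should keep when adapting this: the empty-password rejection (an LDAP simple bind with an empty password is an unauthenticated bind and succeeds, so without it any known DN logs in), and the user-name whitelist, since the name is formatted straight into a DN. The simple bind sends the password to the directory in the clear, so point ldap.url at ldaps:// (or use StartTLS), and keep the broker listener on SASL_SSL, because SASL/PLAIN itself also sends the password in the clear. On brokers from Kafka 2.0 onward the same LDAP bind can be done with far less boilerplate by keeping PlainLoginModule and plugging an AuthenticateCallbackHandler in via sasl.server.callback.handler.class (KIP-86); the Provider/factory/SaslServer route above is what the answer describes and works on older versions.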