Can Kafka be provided with custom LoginModule to support LDAP?

Question

Kafka can be configured to use several authentication mechanisms: plaintext username/password, Kerberos or SSL. The first 2 use SASL, where there is a JAAS config file required.

For the plain text auth method, the config looks like (taken from the documentation):

KafkaServer {
   org.apache.kafka.common.security.plain.PlainLoginModule required
   username="admin"
   password="admin-secret"
   user_admin="admin-secret"
   user_alice="alice-secret";
};

I want to authenticate if possible using LDAP. My question is this: if I replace the PlainLoginModule with a class that implements LoginModule and place this class in the broker's classpath, can I implement authentication in any manner I wish (i.e. LDAP)?

I cannot use Kerberos in a reasonable fashion because of the way its principals are defined within the organisation where I'm working, hence I wish to use LDAP as I need to support RBAC.

Accepted answer

Yes you can provide Kafka with a custom class that implements LoginModule and have the authentication logic you want in it.

Then update the JAAS file with your class name and make sure it's in the classpath.

You'll need to put some boilerplate code to get everything setup correctly but you can use PlainLoginModule, PlainSaslServerProvider, PlainSaslServerFactory and PlainSaslServer as examples.

Your LoginModule class should have the same logic as PlainLoginModule but instead initialize your Provider implementation (in the static block).

Your Provider class should have the same logic as PlainSaslServerProvider but instead reference your SaslServerFactory implementation.

Your SaslFactory class should again have the same logic as PlainSaslServerFactory but create an instance of your SaslServer implementation.

Finally, your SaslServer class should implement the necessary LDAP logic in its evaluateResponse() method. Just be sure to correctly set this.authorizationId, as this will become the user principal, and set complete to true (like PlainSaslServer.evaluateResponse() does).
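As an added illustration of that last step (example code, not from the answer or from Kafka itself): a SaslServer whose evaluateResponse() parses the SASL/PLAIN response and validates the password with an LDAP simple bind, then sets authorizationId and complete exactly as the answer requires. The class name, LDAP_URL and USER_DN_TEMPLATE are placeholders, and the Provider, SaslServerFactory and LoginModule wiring described above is assumed to register this class for the PLAIN mechanism.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;

/** Hypothetical SaslServer for SASL/PLAIN that checks the password with an LDAP simple bind. */
public class LdapPlainSaslServer implements SaslServer {
    // Placeholders: point these at your directory. Use ldaps:// so the bind password is not sent in clear.
    private static final String LDAP_URL = "ldaps://ldap.example.internal:636";
    private static final String USER_DN_TEMPLATE = "uid=%s,ou=people,dc=example,dc=com";
    private boolean complete; private String authorizationId;

    @Override
    public byte[] evaluateResponse(byte[] response) throws SaslException {
        // RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd
        String[] parts = new String(response, StandardCharsets.UTF_8).split("\u0000", -1);
        if (parts.length != 3) throw new SaslException("Invalid SASL/PLAIN response: expected two NUL separators");
        String authzid = parts[0], authcid = parts[1], password = parts[2];
        if (authcid.isEmpty() || password.isEmpty()) throw new SaslException("Authentication failed: empty username or password");
        // Like PlainSaslServer, refuse a client that asks to be authorized as someone other than itself
        if (!authzid.isEmpty() && !authzid.equals(authcid)) throw new SaslException("Authentication failed: authzid differs from authcid");
        // Only allow characters that cannot alter the DN built below (avoids DN injection without escaping logic)
        if (!authcid.matches("[A-Za-z0-9._-]{1,64}")) throw new SaslException("Authentication failed: invalid username");
        if (!ldapBind(authcid, password)) throw new SaslException("Authentication failed: invalid username or password");
        this.authorizationId = authcid; // becomes the Kafka user principal (User:<authcid>)
        this.complete = true;
        return new byte[0];
    }

    // Simple bind as the user's DN; success means the directory accepted the password.
    private static boolean ldapBind(String user, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, String.format(USER_DN_TEMPLATE, user));
        env.put(Context.SECURITY_CREDENTIALS, password);
        try { new InitialDirContext(env).close(); return true; } catch (NamingException e) { return false; }
    }

    private void requireComplete() { if (!complete) throw new IllegalStateException("Authentication exchange has not completed"); }
    @Override public boolean isComplete() { return complete; }
    @Override public String getAuthorizationID() { requireComplete(); return authorizationId; }
    @Override public String getMechanismName() { return "PLAIN"; }
    @Override public byte[] unwrap(byte[] in, int off, int len) { requireComplete(); return Arrays.copyOfRange(in, off, off + len); }
    @Override public byte[] wrap(byte[] out, int off, int len) { requireComplete(); return Arrays.copyOfRange(out, off, off + len); }
    @Override public Object getNegotiatedProperty(String name) { requireComplete(); return null; }
    @Override public void dispose() { }
}
```

Because SASL/PLAIN carries the password itself, the broker listener should still be SASL_SSL so the credential is protected on the wire before it ever reaches the LDAP bind.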
