To enable ZooKeeper SASL authentication on brokers, there are two necessary steps:
- Create a JAAS login file and set the appropriate system property to point to it as described above
- Set the configuration property zookeeper.set.acl in each broker to true
The metadata stored in ZooKeeper for the Kafka cluster is world-readable, but can only be modified by the brokers. The rationale behind this decision is that the data stored in ZooKeeper is not sensitive, but inappropriate manipulation of that data can cause cluster disruption. We also recommend limiting the access to ZooKeeper via network segmentation (only brokers and some admin tools need access to ZooKeeper).
ZooKeeper mTLS authentication can be enabled with or without SASL authentication. As mentioned above, when using mTLS alone, every broker and any CLI tools (such as the ZooKeeper Security Migration Tool) must generally identify itself with the same Distinguished Name (DN) because it is the DN that is ACL’ed, which means each certificate should have an appropriate Subject Alternative Name (SAN) so that hostname verification of the brokers and any CLI tool by ZooKeeper will succeed.
It is possible to use something other than the DN for the identity of mTLS clients by writing a class that extends org.apache.zookeeper.server.auth.X509AuthenticationProvider and overrides the method protected String getClientId(X509Certificate clientCert). Choose a scheme name and set authProvider.[scheme] in ZooKeeper to be the fully-qualified class name of the custom implementation; then set ssl.authProvider=[scheme] to use it.Here is a sample (partial) ZooKeeper configuration for enabling TLS authentication. These configurations are described in the ZooKeeper Admin Guide.
secureClientPort=2182 serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory authProvider.x509=org.apache.zookeeper.server.auth.X509AuthenticationProvider ssl.keyStore.location=/path/to/zk/keystore.jks ssl.keyStore.password=zk-ks-passwd ssl.trustStore.location=/path/to/zk/truststore.jks ssl.trustStore.password=zk-ts-passwd
IMPORTANT: ZooKeeper does not support setting the key password in the ZooKeeper server keystore to a value different from the keystore password itself. Be sure to set the key password to be the same as the keystore password.
Here is a sample (partial) Kafka Broker configuration for connecting to ZooKeeper with mTLS authentication. These configurations are described above in Broker Configs.
# connect to the ZooKeeper port configured for TLS zookeeper.connect=zk1:2182,zk2:2182,zk3:2182 # required to use TLS to ZooKeeper (default is false) zookeeper.ssl.client.enable=true # required to use TLS to ZooKeeper zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty # define key/trust stores to use TLS to ZooKeeper; ignored unless zookeeper.ssl.client.enable=true zookeeper.ssl.keystore.location=/path/to/kafka/keystore.jks zookeeper.ssl.keystore.password=kafka-ks-passwd zookeeper.ssl.truststore.location=/path/to/kafka/truststore.jks zookeeper.ssl.truststore.password=kafka-ts-passwd # tell broker to create ACLs on znodes zookeeper.set.acl=true
IMPORTANT: ZooKeeper does not support setting the key password in the ZooKeeper client (i.e. broker) keystore to a value different from the keystore password itself. Be sure to set the key password to be the same as the keystore password.