Kerberos SASL
Kerberos — network authentication protocol that provides a mechanism for mutual authentication of a client and server before establishing a connection between them.
SASL — authentication and data security framework used in Internet protocols.
Basic concepts used in Kerberos:
-
Principal — unique name for a client that is allowed to authenticate with Kerberos.
-
Ticket — temporary data issued to the client for authentication on the server where the required service is located.
-
Realm — network used by Kerberos, consisting of KDC servers and multiple clients.
-
Key Distribution Center (KDC) — service that issues Kerberos tickets.
Configuring Key Distribution Center
|
NOTE
|
To install the Key Distribution Center, run the following command on the selected host:
$ sudo yum install -y krb5-serverThe result is a message:
Complete!
Setting up configuration files
|
NOTE
|
-
The configuration file kdc.conf needs to be configured. It displays the name of the realm in which authentication is performed and the path to the configuration files.
Enter the command to open the file:
$ sudo vim /var/kerberos/krb5kdc/kdc.confEdit the opened file as follows:
[kdcdefaults] kdc_ports = 88 kdc_tcp_ports = 88 default_realm = ADS-KAFKA.LOCAL [realms] ADS-KAFKA.LOCAL = { acl_file = /var/kerberos/krb5kdc/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal }This file contains the sections described below:
[kdcdefaults]
The section specifies the default values for the tags to be used if the[realms]section does not contain a value for that tag.Tag Description kdc_ports
UDP port for connecting to KDC
kdc_tcp_ports
TCP port for connecting to KDC
default_realm
Area designated by the user for authentication
[realms]
Every subsection in the section is the name of a Kerberos realm. The meaning of the subsection tags determines the KDC settings for that particular realm.Tag Description acl_file
The location of the ACL file that kadmind uses to determine which principals are granted which permissions in the Kerberos database
admin_keytab
Location of the keytab file that the kadmind4 and v5passwdd administrative services use to authenticate against the database
dict_file
The location of a dictionary file containing strings that cannot be used as passwords. The file must contain one line per line without any extra spaces. If nothing is specified, or if no policy is assigned to the principal, no dictionary password checks will be performed
supported_enctypes
Specifies the default key/salt encryption type combinations for principals for this realm. All members created with kadmin will have keys of these types
NOTEA complete description of the tag values for this file can be found at kdc.conf. -
Next, you need to edit the kadm5.acl file to provide administrative access to the Kerberos domain.
Enter the command to open the file:
$ sudo vim /var/kerberos/krb5kdc/kadm5.aclEdit the opened file as follows:
*/admin@ADS-KAFKA.LOCAL *
The example above is configured so that any
/adminprincipal in theADS-KAFKA.LOCALrealm has all administrative privileges except key extraction.NOTEFor a complete description of the tag values for sections of this file, see kadm5_acl. -
Next, you need to edit the Kerberos domain configuration file krb5.conf.
Enter the command to open the file:
$ sudo vim /etc/krb5.confEdit the opened file as follows:
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = ADS-KAFKA.LOCAL kdc_timesync = 1 ticket_lifetime = 24h [realms] ADS-KAFKA.LOCAL = { admin_server = sov-ads-test-0.ru-central1.internal kdc = sov-ads-test-0.ru-central1.internal }This file contains the sections described below:
[logging]
The section specifies how the logs are kept.Tag Description default
Path to the file where the log is located, unless otherwise specified
kdc
Path to the file where the KDC log is located
admin_server
Path to the file where the log for the administrative server is located
[libdefaults]
This section describes the parameters used by the Kerberos V5 library.Tag Tag description default_realm
Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then when calling programs such as kinit, you must specify a realm for each Kerberos principal
kdc_timesync
Valid values for this ratio are
1or0. If it is non-zero, client machines will calculate the difference between their own time and the time returned by the KDC in ticket timestamps, and use this value to correct inaccurate system clocks when requestedticket_lifetime
Sets the default time to live for initial ticket requests
[realms]
Every subsection in the section is the name of a Kerberos realm. The meaning of subsection tags determines the settings for that particular area.Tag Tag description ADS-KAFKA.LOCAL
Area designated by the user for authentication
admin_server
Identifies the host on which the administration server is running. Typically, this is the main Kerberos server. This tag must be set to a value to communicate with the kadmind server for this realm
kdc
The name or address of the host running the KDC for this realm. An optional port number can be included, separated from the hostname by a colon
NOTEFor a complete description of the tag values for the areas of this file, see krb5_conf. -
Create a database of Kerberos principals for realm domain
ADS-KAFKA.LOCALusing the kdb5_util utility.Enter command:
$ sudo /usr/sbin/kdb5_util create -s -r ADS-KAFKA.LOCAL -P P@ssw0rdAs a result, a message is displayed about the created database for the
ADS-KAFKA.LOCALarea:Loading random data Initializing database '/var/kerberos/krb5kdc/principal' for realm 'ADS-KAFKA.LOCAL', master key name 'K/M@ADS-KAFKA.LOCAL'
NOTEA complete description of the functions of the kdb5_util utility and applicable options is available at kdb5_util. -
Create user
adminusing command line interface kadmin.local.Enter command:
$ sudo kadmin.local -q "add_principal -pw P@ssw0rd admin/admin"As a result, a message is displayed:
Principal "admin/admin@ADS-KAFKA.LOCAL" created.
NOTEFor a complete description of the kadmin_local command line interface functions and applicable options, see kadmin_local. -
Restart Kerberos and KDC services.
Enter the commands one by one:
$ sudo systemctl restart krb5kdc $ sudo systemctl restart kadminCheck the status of running services by running the commands:
$ sudo systemctl status krb5kdc $ sudo systemctl status kadmin
Start MIT Kerberos KDC on ADS cluster in ADCM interface
-
Initiate Kerberos enable for the selected cluster. To do this, select Enable Kerberos in Actions of the cluster.
Enabling Kerberos on the ADS cluster -
Enable Existing MIT KDC. To do this, you need to enable the eponymous switch in the window that opens.
Enabling Existing MIT KDC -
Set the configuration parameters of the ADS cluster for MIT Kerberos KDC in accordance with the previously entered values and click Run.
Configuring ADS cluster for MIT Kerberos KDC -
Wait for the Kerberos setup to complete. Analyze and correct errors if they occur.
Kerberos installation process
Checking installed Kerberos SASL
-
Check the settings set for Kerberos in the cluster configurations.
Go to the cluster configuration, select Advanced, find the section with Kerberos configurations, expand it.
Installed ADS cluster configuration settings for Kerberos -
Check the security and authentication configuration of the Kafka brokers.
On each host with a Kafka broker, issue the command:
$ sudo vim /usr/lib/kafka/config/server.propertiesEnsure that in the server.properties file for each Kafka broker, the lines defining the security protocol are changed to
SASL_PLAINTEXT; lines defining the authentication mechanism - toGSSAPI.security.inter.broker.protocol=SASL_PLAINTEXT sasl.mechanism.inter.broker.protocol=GSSAPI sasl.enabled.mechanisms=GSSAPI
-
Verify that after installing Kerberos SASL, the listeners parameter in the Kafka service settings has changed from
PLAINTEXT://:9092toSASL_PLAINTEXT://:9092.
Kafka service settings -
Check for the created principals for each service.
On the host with the KDC server installed, enter the command:
$ sudo kadmin.local list_principalsThe output of the list of principals shows that there are principals for each host of each installed service, principals for admins and other technical principals for the created realm:
K/M@ADS-KAFKA.LOCAL admin/admin@ADS-KAFKA.LOCAL kadmin/admin@ADS-KAFKA.LOCAL kadmin/changepw@ADS-KAFKA.LOCAL kadmin/sov-ads-test-0.ru-central1.internal@ADS-KAFKA.LOCAL kafka-manager/sov-ads1-test.ru-central1.internal@ADS-KAFKA.LOCAL kafka/sov-ads1-test.ru-central1.internal@ADS-KAFKA.LOCAL kafka/sov-ads2-test.ru-central1.internal@ADS-KAFKA.LOCAL kafka/sov-ads3-test.ru-central1.internal@ADS-KAFKA.LOCAL kiprop/sov-ads-test-0.ru-central1.internal@ADS-KAFKA.LOCAL krbtgt/ADS-KAFKA.LOCAL@ADS-KAFKA.LOCAL zookeeper/sov-ads1-test.ru-central1.internal@ADS-KAFKA.LOCAL zookeeper/sov-ads2-test.ru-central1.internal@ADS-KAFKA.LOCAL zookeeper/sov-ads3-test.ru-central1.internal@ADS-KAFKA.LOCA
-
Check for the presence on hosts with installed services of files for storing passwords *.service.keytab.
On each host with installed services, issue the command:
$ ls -la /etc/security/keytabs/The file listing shows that *.service.keytab files have been created for each service installed on the host:
total 16 drwxr-xr-x. 2 root root 102 Aug 9 20:55 . drwxr-xr-x. 7 root root 4096 Aug 9 19:38 .. -rw-------. 1 dockerroot dockerroot 890 Aug 9 20:55 kafka-manager.service.keytab -rw-------. 1 kafka kafka 826 Aug 9 20:54 kafka.service.keytab -rw-------. 1 zookeeper zookeeper 858 Aug 9 20:55 zookeeper.service.keytab