Kerberos SASL

Kerberos — network authentication protocol that provides a mechanism for mutual authentication of a client and server before establishing a connection between them.

SASL — authentication and data security framework used in Internet protocols.

Basic concepts used in Kerberos:

  • Principal — unique name for a client that is allowed to authenticate with Kerberos.

  • Ticket — temporary data issued to the client for authentication on the server where the required service is located.

  • Realm — network used by Kerberos, consisting of KDC servers and multiple clients.

  • Key Distribution Center (KDC) — service that issues Kerberos tickets.

Configuring Key Distribution Center

NOTE
  • Key Distribution Center can be installed on any host that has access to a host with ADCM installed (FQDN connectivity).

  • Key Distribution Center can also be installed on the same host as ADCM.

To install the Key Distribution Center, run the following command on the selected host:

$ sudo yum install -y krb5-server

The result is a message:

Complete!

Setting up configuration files

NOTE
  • Examples of commands for working with configuration files are given using the vim text editor, which must be preinstalled on this host.

  • It is possible to use other text editors.

  1. Configure the kdc.conf file. It specifies the name of the realm in which authentication is performed and the paths to the KDC configuration files.

    Enter the command to open the file:

    $ sudo vim /var/kerberos/krb5kdc/kdc.conf

    Edit the opened file as follows:

    [kdcdefaults]
     kdc_ports = 88
     kdc_tcp_ports = 88
     default_realm = ADS-KAFKA.LOCAL
    
    [realms]
     ADS-KAFKA.LOCAL = {
     acl_file = /var/kerberos/krb5kdc/kadm5.acl
     dict_file = /usr/share/dict/words
     admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
     supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
     }

    This file contains the sections described below:

    [kdcdefaults]

    The section specifies the default values for the tags to be used if the [realms] section does not contain a value for that tag.

      • kdc_ports — UDP port for connecting to the KDC
      • kdc_tcp_ports — TCP port for connecting to the KDC
      • default_realm — Realm designated by the user for authentication

    [realms]

    Every subsection in the section is the name of a Kerberos realm. The values of the subsection tags determine the KDC settings for that particular realm.

      • acl_file — The location of the ACL file that kadmind uses to determine which principals are granted which permissions in the Kerberos database
      • admin_keytab — Location of the keytab file that the kadmind4 and v5passwdd administrative services use to authenticate against the database
      • dict_file — The location of a dictionary file containing strings that cannot be used as passwords. The file must contain one string per line, with no extra whitespace. If nothing is specified, or if no policy is assigned to the principal, no dictionary password checks will be performed
      • supported_enctypes — Specifies the default key/salt encryption type combinations for principals in this realm. All principals created with kadmin will have keys of these types

    NOTE
    A complete description of the tag values for this file can be found at kdc.conf.
  2. Next, edit the kadm5.acl file to grant administrative access to the Kerberos realm.

    Enter the command to open the file:

    $ sudo vim /var/kerberos/krb5kdc/kadm5.acl

    Edit the opened file as follows:

    */admin@ADS-KAFKA.LOCAL *

    The example above grants every principal with the admin instance (*/admin) in the ADS-KAFKA.LOCAL realm all administrative privileges except key extraction.

    NOTE
    For a complete description of the tag values ​​for sections of this file, see kadm5_acl.
  3. Next, edit the Kerberos configuration file krb5.conf.

    Enter the command to open the file:

    $ sudo vim /etc/krb5.conf

    Edit the opened file as follows:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = ADS-KAFKA.LOCAL
     kdc_timesync = 1
     ticket_lifetime = 24h
    
    [realms]
     ADS-KAFKA.LOCAL = {
     admin_server = sov-ads-test-0.ru-central1.internal
     kdc = sov-ads-test-0.ru-central1.internal
     }

    This file contains the sections described below:

    [logging]

    The section specifies where the logs are written.

      • default — Path to the file where the log is written unless otherwise specified
      • kdc — Path to the file where the KDC log is written
      • admin_server — Path to the file where the administrative server log is written

    [libdefaults]

    This section describes the parameters used by the Kerberos V5 library.

      • default_realm — Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then when calling programs such as kinit you must specify a realm for each Kerberos principal
      • kdc_timesync — Valid values for this setting are 1 or 0. If it is non-zero, client machines compute the difference between their own time and the time returned by the KDC in ticket timestamps, and use this value to correct inaccurate system clocks when requested
      • ticket_lifetime — Sets the default lifetime for initial ticket requests

    [realms]

    Every subsection in the section is the name of a Kerberos realm. The values of the subsection tags determine the settings for that particular realm.

      • ADS-KAFKA.LOCAL — Realm designated by the user for authentication
      • admin_server — Identifies the host on which the administration server is running. Typically, this is the main Kerberos server. This tag must be set in order to communicate with the kadmind server for this realm
      • kdc — The name or address of the host running the KDC for this realm. An optional port number can be included, separated from the hostname by a colon

    NOTE
    For a complete description of the tag values for the sections of this file, see krb5_conf.
  4. Create the database of Kerberos principals for the ADS-KAFKA.LOCAL realm using the kdb5_util utility.

    Enter the command:

    $ sudo /usr/sbin/kdb5_util create -s -r ADS-KAFKA.LOCAL -P P@ssw0rd

    As a result, a message is displayed about the database created for the ADS-KAFKA.LOCAL realm:

    Loading random data
    Initializing database '/var/kerberos/krb5kdc/principal' for realm 'ADS-KAFKA.LOCAL',
    master key name 'K/M@ADS-KAFKA.LOCAL'

    NOTE
    A complete description of the functions of the kdb5_util utility and applicable options is available at kdb5_util.
  5. Create the admin/admin principal using the kadmin.local command-line interface.

    Enter the command:

    $ sudo kadmin.local -q "add_principal -pw P@ssw0rd admin/admin"

    As a result, a message is displayed:

    Principal "admin/admin@ADS-KAFKA.LOCAL" created.

    NOTE
    For a complete description of the kadmin.local command-line interface functions and applicable options, see kadmin_local.
  6. Restart the KDC and kadmin services.

    Enter the commands one by one:

    $ sudo systemctl restart krb5kdc
    $ sudo systemctl restart kadmin

    Check the status of running services by running the commands:

    $ sudo systemctl status krb5kdc
    $ sudo systemctl status kadmin
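The supported_enctypes line in the kdc.conf from step 1 enables single-DES (des-*) and RC4 (arcfour-hmac) key types alongside AES, and because kadmin derives a key of every listed type for each new principal, every service principal created later carries those weak keys too. The script below is an added example and not part of this documentation: it reads a kdc.conf, lists the configured enctypes and flags the ones that should no longer be issued (single DES is broken; 3DES and RC4 are deprecated by upstream MIT krb5). The sample kdc.conf it writes is a constructed copy of the step 1 configuration; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the ADS documentation: audit the enctypes a KDC
# will issue keys for, as listed in supported_enctypes in kdc.conf.
# Assumes a POSIX shell with sed, grep, tr and head available.

# Constructed copy of the step 1 kdc.conf, written to the given path so the
# check can be exercised offline.
write_sample_kdc_conf() {
    cat > "$1" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 default_realm = ADS-KAFKA.LOCAL

[realms]
 ADS-KAFKA.LOCAL = {
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF
}

# Print the enctype names from the first supported_enctypes line, one per
# line, with the ":salt" suffix removed and empty fields dropped.
list_enctypes() {
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 \
        | tr ' ' '\n' \
        | sed -e 's/:.*$//' -e '/^$/d'
}

# Print only the enctypes that should not be issued any more:
# single DES (des-*), triple DES (des3-*) and RC4 (arcfour-*).
weak_enctypes() {
    list_enctypes "$1" | grep -E '^(des-|des3-|arcfour-)' || true
}

# Print a report and return non-zero if any weak enctype is configured.
kdc_enctype_report() {
    weak=$(weak_enctypes "$1")
    if [ -z "$weak" ]; then
        echo "OK: no weak enctypes in $1"
        return 0
    fi
    echo "WARNING: weak enctypes configured in $1:"
    echo "$weak" | sed 's/^/  /'
    return 1
}

# On the KDC host, run against the real file:
#   kdc_enctype_report /var/kerberos/krb5kdc/kdc.conf
```

Run the report before step 4 creates the database: supported_enctypes only governs keys generated from then on, so principals created while a weak type was listed keep that key until their keys are regenerated with kadmin.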

Start MIT Kerberos KDC on ADS cluster in ADCM interface

  1. Start enabling Kerberos for the selected cluster. To do this, select Enable Kerberos in the Actions menu of the cluster.

    Figure: Enabling Kerberos on the ADS cluster
  2. Enable Existing MIT KDC. To do this, turn on the switch of the same name in the window that opens.

    Figure: Enabling Existing MIT KDC
  3. Set the configuration parameters of the ADS cluster for MIT Kerberos KDC in accordance with the values entered earlier and click Run.

    Figure: Configuring ADS cluster for MIT Kerberos KDC
  4. Wait for the Kerberos setup to complete. Analyze and correct errors if they occur.

    Figure: Kerberos installation process

Checking installed Kerberos SASL

  1. Check the Kerberos settings in the cluster configuration.

    Go to the cluster configuration, select Advanced, find the section with the Kerberos configuration and expand it.

    Figure: Installed ADS cluster configuration settings for Kerberos
  2. Check the security and authentication configuration of the Kafka brokers.

    On each host with a Kafka broker, open the configuration file:

    $ sudo vim /usr/lib/kafka/config/server.properties

    Ensure that in the server.properties file of each Kafka broker the lines defining the security protocol have been changed to SASL_PLAINTEXT and the lines defining the authentication mechanism to GSSAPI:

    security.inter.broker.protocol=SASL_PLAINTEXT
    sasl.mechanism.inter.broker.protocol=GSSAPI
    sasl.enabled.mechanisms=GSSAPI
  3. Verify that after installing Kerberos SASL the listeners parameter in the Kafka service settings has changed from PLAINTEXT://:9092 to SASL_PLAINTEXT://:9092.

    Figure: Kafka service settings
  4. Check that principals have been created for each service.

    On the host with the KDC server installed, enter the command:

    $ sudo kadmin.local list_principals

    The list of principals shows that there are principals for each host of each installed service, principals for admins and other technical principals of the created realm:

    K/M@ADS-KAFKA.LOCAL
    admin/admin@ADS-KAFKA.LOCAL
    kadmin/admin@ADS-KAFKA.LOCAL
    kadmin/changepw@ADS-KAFKA.LOCAL
    kadmin/sov-ads-test-0.ru-central1.internal@ADS-KAFKA.LOCAL
    kafka-manager/sov-ads1-test.ru-central1.internal@ADS-KAFKA.LOCAL
    kafka/sov-ads1-test.ru-central1.internal@ADS-KAFKA.LOCAL
    kafka/sov-ads2-test.ru-central1.internal@ADS-KAFKA.LOCAL
    kafka/sov-ads3-test.ru-central1.internal@ADS-KAFKA.LOCAL
    kiprop/sov-ads-test-0.ru-central1.internal@ADS-KAFKA.LOCAL
    krbtgt/ADS-KAFKA.LOCAL@ADS-KAFKA.LOCAL
    zookeeper/sov-ads1-test.ru-central1.internal@ADS-KAFKA.LOCAL
    zookeeper/sov-ads2-test.ru-central1.internal@ADS-KAFKA.LOCAL
    zookeeper/sov-ads3-test.ru-central1.internal@ADS-KAFKA.LOCAL
  5. Check that the keytab files (*.service.keytab), which store the service keys, are present on the hosts with installed services.

    On each host with installed services, issue the command:

    $ ls -la /etc/security/keytabs/

    The file listing shows that *.service.keytab files have been created for each service installed on the host:

    total 16
    drwxr-xr-x. 2 root       root        102 Aug  9 20:55 .
    drwxr-xr-x. 7 root       root       4096 Aug  9 19:38 ..
    -rw-------. 1 dockerroot dockerroot  890 Aug  9 20:55 kafka-manager.service.keytab
    -rw-------. 1 kafka      kafka       826 Aug  9 20:54 kafka.service.keytab
    -rw-------. 1 zookeeper  zookeeper   858 Aug  9 20:55 zookeeper.service.keytab
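Steps 2, 3 and 5 above are manual inspections of each broker host. The script below is an added example, not part of this documentation, that performs the same checks non-interactively: it confirms that the three SASL/GSSAPI properties are present as uncommented lines, flags a listeners value that still offers unauthenticated PLAINTEXT, and verifies that each service keytab exists, is mode 0600 and is owned by its service user (the owner/mode pattern visible in the ls output above). The two property files it writes are constructed samples; the keytab directory and owner names are parameters, and the function names are the example's own. It assumes GNU coreutils for stat -c.

```shell
#!/bin/sh
# Added example, not part of the ADS documentation: check a Kafka broker host
# for the Kerberos SASL settings and keytab permissions described in steps
# 2, 3 and 5. Assumes GNU coreutils (stat -c) and grep.

# Constructed broker config as it should look after Kerberos SASL is enabled.
write_hardened_properties() {
    cat > "$1" <<'EOF'
broker.id=1
listeners=SASL_PLAINTEXT://:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka
EOF
}

# Constructed broker config as it looks before Kerberos is enabled.
write_plaintext_properties() {
    cat > "$1" <<'EOF'
broker.id=1
listeners=PLAINTEXT://:9092
security.inter.broker.protocol=PLAINTEXT
EOF
}

# Return 0 if every required key=value from step 2 is present as an exact,
# uncommented line, and no listener still speaks plain PLAINTEXT (step 3).
check_sasl_properties() {
    props_rc=0
    for kv in security.inter.broker.protocol=SASL_PLAINTEXT \
              sasl.mechanism.inter.broker.protocol=GSSAPI \
              sasl.enabled.mechanisms=GSSAPI; do
        if ! grep -qxF "$kv" "$1"; then
            echo "$1: missing $kv"
            props_rc=1
        fi
    done
    # Matches "listeners=PLAINTEXT://..." or a ",PLAINTEXT://" entry in the
    # list, but not SASL_PLAINTEXT, which is the expected value.
    if grep -qE '^listeners=(PLAINTEXT://|.*,[[:space:]]*PLAINTEXT://)' "$1"; then
        echo "$1: a PLAINTEXT listener is still configured"
        props_rc=1
    fi
    return $props_rc
}

# Return 0 if the keytab exists, is mode 0600 and, when an owner is given as
# the second argument, is owned by that user (step 5).
check_keytab() {
    if [ ! -f "$1" ]; then
        echo "$1: keytab missing"
        return 1
    fi
    kt_rc=0
    mode=$(stat -c '%a' "$1")
    owner=$(stat -c '%U' "$1")
    if [ "$mode" != "600" ]; then
        echo "$1: mode $mode, expected 600"
        kt_rc=1
    fi
    if [ -n "$2" ] && [ "$owner" != "$2" ]; then
        echo "$1: owned by $owner, expected $2"
        kt_rc=1
    fi
    return $kt_rc
}

# Audit one host: broker config plus the keytab of each service it runs.
# Usage: audit_broker_host server.properties keytab_dir
audit_broker_host() {
    audit_rc=0
    check_sasl_properties "$1" || audit_rc=1
    for svc in kafka zookeeper; do
        check_keytab "$2/$svc.service.keytab" "$svc" || audit_rc=1
    done
    return $audit_rc
}

# On a real broker host:
#   audit_broker_host /usr/lib/kafka/config/server.properties /etc/security/keytabs
```

The listeners check only looks at the listeners property; if a broker also sets advertised.listeners, extend the pattern to cover it. A non-zero exit from audit_broker_host on any host means the cluster still accepts unauthenticated or world-readable credentials somewhere and step 4 of the installation should be revisited.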