You are viewing an older version of this section. View current production version.
Enabling SSL and Kerberos on Kafka Pipelines
You can connect a pipeline to a Kafka cluster through SSL and optionally authenticate through SASL. The following SASL authentication mechanisms are supported: * GSSAPI (Kerberos) * PLAIN * SCRAM-SHA-256 * SCRAM-SHA-512
This topic assumes you have already have set up, configured, and enabled SSL and/or Kerberos on your Kafka brokers. For information on how to enable this functionality, see the SSL and SASL sections in the Kafka documentation.
Using SSL and SASL with Kafka requires Kafka protocol version 0.9 or later; therefore, each pipeline using SSL and SASL with Kafka also needs to adhere to that version requirement. The Kafka protocol version can be passed in through JSON in the CREATE PIPELINE statement through the CONFIG clause, similarly to this CONFIG '{"kafka_version":"0.10.0.0"}'. Alternatively, the pipelines_kafka_version global variable controls this parameter for any pipeline without a Kafka version configuration value.
Like pipelines such as S3 or Azure, credentials are passed in through JSON in the CREATE PIPELINE statement. Any credentials used to encrypt or authenticate must be present on each node in the MemSQL cluster.
The security.protocol credential specifies the encryption and authentication mechanisms used to connect to Kafka brokers. This property can be one of four values: plaintext, ssl, sasl_plaintext, or sasl_ssl. Depending on this value, you may have to supply additional credentials in your JSON.
Connecting over SSL
To enable SSL encryption between Kafka and MemSQL, perform the following steps:
-
Securely copy the CA certificate, SSL certificate, and SSL key used for connections between the MemSQL cluster and Kafka brokers from the Kafka cluster to every MemSQL node. You should use a secure file transfer method, such as
scp, to copy the files to your MemSQL nodes. The file locations on your MemSQL nodes should be consistent across the cluster. -
In your
CONFIGJSON, if you want to enable SSL encryption only, set"security.protocol": "ssl". If you want to enable Kerberos with SSL, set"security.protocol": "sasl_ssl"and set the Kerberos credentials after you’ve completed step 3. -
Set the remaining SSL configuration in the
CONFIGJSON:ssl.ca.location: Path to the CA certificate on the MemSQL node.ssl.certificate.location: Path to the SSL certificate on the MemSQL node.ssl.key.location: Path to the SSL certificate key on the MemSQL node.
-
If your SSL certificate key is using a password, set it in your
CREDENDIALSJSON.ssl.key.password: Password for SSL certificate key.
Authenticating with Kerberos
To configure a Kafka pipeline to authenticate with Kerberos, you must configure all of your nodes in your MemSQL cluster as clients for Kerberos authentication and then set the credentials in your CREATE PIPELINE statement. To do this, perform the following steps:
-
Securely copy the keytab file containing the MemSQL service principal (e.g. memsql/host.domain.com@REALM.NAME) from the Kerberos server to every node in your MemSQL cluster. You should use a secure file transfer method, such as
scp, to copy the keytab file to your MemSQL nodes. The file location on your MemSQL nodes should be consistent across the cluster. -
Make sure your MemSQL nodes can connect to the KDC server using the fully-qualified domain name (FQDN) of the KDC server. This might require configuring network settings or updating
/etc/hostson your nodes. -
Also ensure that the
memsqlservice account on the node can access the copied keytab file. This can be accomplished by changing file ownership or permissions. If thememsqlaccount cannot access the keytab file, you will not be able to complete the next step because your master aggregator will not be able to restart after applying configuration updates. -
When authenticating with Kerberos, MemSQL needs to authenticate as a client, which means you must also install a Kerberos client onto each node in your cluster. The following installs the
krb5-userpackage for Debian-based Linux distributions.$ sudo apt-get update && apt-get install krb5-userWhen setting up your kerberos configuration settings, set your default realm, Kerberos admin server, and other options to those defined by your KDC server. In the examples used in this topic, the default realm is
EXAMPLE.COM, and the Kerberos server settings are set to the FQDN of the KDC serverhost.example.com. -
In your
CONFIGJSON, set"sasl.mechanism": "GSSAPI". -
Set
"security.protocol": "sasl_ssl"for Kerberos and SSL connections, or"security.protocol": "sasl_plaintext"if you want to authenticate with Kerberos without SSL encryption. If you want to use Kerberos with SSL, make sure SSL is configured and enabled on the Kafka brokers and then add the SSL credential properties defined in the previous section. -
Set the remaining Kerberos configuration in
CONFIGJSON:sasl.kerberos.service.name: The Kerberos principal name that Kafka runs as. For example,"kafka".sasl.kerberos.keytab: The local file path on the MemSQL node to the authenticating keytab.sasl.kerberos.principal: The service principal name for the MemSQL cluster. For example,"memsql/host.example.com@EXAMPLE.COM".
Authenticating with PLAIN or SCRAM SASL mechanism
To configure a Kafka pipeline to authenticate with other SASL mechanism, you must set the credentials in your CREATE PIPELINE statement. To do this, perform the following steps:
-
In your
CONFIGJSON, set"sasl.mechanism": "PLAIN". If your Kafka brokers uses SCRAM for authentication, then set"sasl.mechanism": "SCRAM-SHA-256"or"sasl.mechanism": "SCRAM-SHA-512". -
In your
CONFIGJSON, set"security.protocol": "sasl_ssl"for and SSL connections, or"security.protocol": "sasl_plaintext"if you want to authenticate with Kafka without SSL encryption. -
In your
CONFIGJSON, provide the username,"sasl.username": "<kafka_credential_username>". -
In your
CREDENTIALSJSON, provide the password,"sasl.password": "<kafka_credential_password>".
SASL_PLAINTEXT/PLAIN Security
Please note that SASL_PLAINTEXT/PLAIN authentication mode with Kafka sends your credentials unencrypted over the network. It is therefore insecure and susceptible to being sniffed.
Also note that SASL_PLAINTEXT/SCRAM authentication mode with Kafka will encrypt the credentials information send over the network, but transport of Kafka messages themselves is still insecure.
Examples
The following examples make the following assumptions:
- Port 9092 is a plaintext endpoint
- Port 9093 is an SSL endpoint
- Port 9094 is a plaintext SASL endpoint
- Port 9095 is an SSL SASL endpoint
Plaintext
The following CREATE PIPELINE statements are equivalent:
CREATE PIPELINE `kafka_plaintext`
AS LOAD DATA KAFKA 'host.example.com:9092/test'
CONFIG '{"security.protocol": "plaintext"}'
INTO table t;
CREATE PIPELINE `kafka_no_creds`
AS LOAD DATA KAFKA 'host.example.com:9092/test'
INTO table t;
SSL
CREATE PIPELINE `kafka_ssl`
AS LOAD DATA KAFKA 'host.example.com:9093/test'
CONFIG '{"security.protocol": "ssl",
"ssl.certificate.location": "/var/private/ssl/client_memsql_client.pem",
"ssl.key.location": "/var/private/ssl/client_memsql_client.key",
"ssl.ca.location": "/var/private/ssl/ca-cert.pem"}'
CREDENTIALS '{"ssl.key.password": "abcdefgh"}'
INTO table t;
Kerberos with no SSL
CREATE PIPELINE `kafka_kerberos_no_ssl`
AS LOAD DATA KAFKA 'host.example.com:9094/test'
CONFIG '{""security.protocol": "sasl_plaintext",
"sasl.mechanism": "GSSAPI",
"sasl.kerberos.service.name": "kafka",
"sasl.kerberos.principal": "memsql/host.example.com@EXAMPLE.COM",
"sasl.kerberos.keytab": "/etc/krb5.keytab"}'
INTO table t;
Kerberos with SSL
CREATE PIPELINE `kafka_kerberos_ssl`
AS LOAD DATA KAFKA 'host.example.com:9095/test'
CONFIG '{"security.protocol": "sasl_ssl",
"sasl.mechanism": "GSSAPI",
"ssl.certificate.location": "/var/private/ssl/client_memsql_client.pem",
"ssl.key.location": "/var/private/ssl/client_memsql_client.key",
"ssl.ca.location": "/var/private/ssl/ca-cert.pem",
"sasl.kerberos.service.name": "kafka",
"sasl.kerberos.principal": "memsql/host.example.com@EXAMPLE.COM",
"sasl.kerberos.keytab": "/etc/krb5.keytab"}'
CREDENTIALS '{"ssl.key.password": "abcdefgh"}'
INTO table t;
SASL/PLAIN with SSL
CREATE PIPELINE `kafka_sasl_ssl_plain`
AS LOAD DATA KAFKA 'host.example.com:9095/test'
CONFIG '{"security.protocol": "sasl_ssl",
"sasl.mechanism": "PLAIN",
"ssl.certificate.location": "/var/private/ssl/client_memsql_client.pem",
"ssl.key.location": "/var/private/ssl/client_memsql_client.key",
"ssl.ca.location": "/var/private/ssl/ca-cert.pem",
"sasl.username": "kafka"}'
CREDENTIALS '{"ssl.key.password": "abcdefgh", "sasl.password": "metamorphosis"}'
INTO table t;
SASL/PLAIN without SSL
CREATE PIPELINE `kafka_sasl_plaintext_plain`
AS LOAD DATA KAFKA 'host.example.com:9094/test'
CONFIG '{"security.protocol": "sasl_plaintext",
"sasl.mechanism": "PLAIN",
"sasl.username": "kafka"}'
CREDENTIALS '{"sasl.password": "metamorphosis"}'
INTO table t;
SASL/SCRAM with SSL
CREATE PIPELINE `kafka_sasl_ssl_scram`
AS LOAD DATA KAFKA 'host.example.com:9095/test'
CONFIG '{"security.protocol": "sasl_ssl",
"sasl.mechanism": "SCRAM-SHA-512",
"ssl.certificate.location": "/var/private/ssl/client_memsql_client.pem",
"ssl.key.location": "/var/private/ssl/client_memsql_client.key",
"ssl.ca.location": "/var/private/ssl/ca-cert.pem",
"sasl.username": "kafka"}'
CREDENTIALS '{"ssl.key.password": "abcdefgh", "sasl.password": "metamorphosis"}'
INTO table t;
SASL/SCRAM without SSL
CREATE PIPELINE `kafka_sasl_plaintext_plain`
AS LOAD DATA KAFKA 'host.example.com:9094/test'
CONFIG '{"security.protocol": "sasl_plaintext",
"sasl.mechanism": "SCRAM-SHA-512",
"sasl.username": "kafka"}'
CREDENTIALS '{"sasl.password": "metamorphosis"}'
INTO table t;
