Friday, February 23, 2018

The Apache Sentry security service - part III

This is the third in a series of blog posts on the Apache Sentry security service. The first post looked at how to get started with the Apache Sentry security service, both from scratch and via a docker image. The second post looked at how to define the authorization privileges held in the Sentry security service. In this post we will look at updating an earlier tutorial I wrote about securing Apache Kafka with Apache Sentry, this time using the security service instead of defining the privileges in a file local to the Kafka distribution.

1) Configure authorization in the broker

Firstly download and configure Apache Kafka using SSL as per this tutorial, except use Kafka 0.11.0.2. To enable authorization using Apache Sentry we also need to follow these steps. First edit 'config/server.properties' and add:
  • authorizer.class.name=org.apache.sentry.kafka.authorizer.SentryKafkaAuthorizer
  • sentry.kafka.site.url=file:./config/sentry-site.xml
Next copy the jars from the "lib" directory of the Sentry distribution to the Kafka "libs" directory. Then create a new file in the config directory called "sentry-site.xml" with the following content:

This is the configuration file for the Sentry plugin for Kafka. It instructs Sentry to retrieve the authorization privileges from the Sentry security service, and to get the groups of authenticated users from the 'sentry.ini' configuration file. Create a new file in the config directory called "sentry.ini" with the following content:
Note that in the earlier tutorial this file also contained the authorization privileges, but they are not required in this scenario as we are using the Apache Sentry security service.

2) Configure the Apache Sentry security service

Follow the first tutorial to install the Apache Sentry security service. Now we need to create the authorization privileges for our Apache Kafka test scenario as per the second tutorial. Start the 'sentryCli' in the Apache Sentry distribution.

Create the roles:
  • t kafka
  • cr admin_role
  • cr describe_role
  • cr read_role
  • cr write_role
  • cr describe_consumer_group_role
  • cr read_consumer_group_role
Add the privileges to the roles:
  • gp admin_role "Host=*->Cluster=kafka-cluster->action=ALL"
  • gp describe_role "Host=*->Topic=test->action=describe"
  • gp read_role "Host=*->Topic=test->action=read"
  • gp write_role "Host=*->Topic=test->action=write"
  • gp describe_consumer_group_role "Host=*->ConsumerGroup=test-consumer-group->action=describe"
  • gp read_consumer_group_role "Host=*->ConsumerGroup=test-consumer-group->action=read"
Associate the roles with groups (defined in 'sentry.ini' above):
  • gr admin_role admin
  • gr describe_role producer
  • gr read_role producer
  • gr write_role producer
  • gr read_role consumer
  • gr describe_role consumer
  • gr describe_consumer_group_role consumer
  • gr read_consumer_group_role consumer
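To see how the three layers above fit together when the broker makes an authorization decision, here is a small model of the user -> group -> role -> privilege chain. It is an example added to this post, not code from the post or from Apache Sentry itself. The roles, privileges and grants are the ones created with the 'cr', 'gp' and 'gr' commands above; the user-to-group mapping (alice, bob, carol) is constructed sample data standing in for what 'sentry.ini' supplies; and the matching rules are a simplified version of Sentry's Kafka privilege model (every resource part of a privilege must be present in the request and match, '*' matches anything, and the action must match or be ALL).

```python
"""Model of how a Kafka request is authorized through Apache Sentry.

Added example, not code from the blog post or from Apache Sentry itself.
It parses privilege strings in the form the post uses
("Host=*->Topic=test->action=read") and walks the chain
user -> group (sentry.ini) -> role (cr/gr) -> privilege (gp).
The matching rules are a simplified model: every resource part of a
privilege must be present in the request and match (a '*' value matches
anything), and the action must match or the privilege action must be ALL.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample user-to-group mapping, the kind of data sentry.ini supplies.
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"admin"},
    "bob": {"producer"},
    "carol": {"consumer"},
}

# Privileges granted to roles with "gp", copied from the post.
ROLE_PRIVILEGES: Dict[str, List[str]] = {
    "admin_role": ["Host=*->Cluster=kafka-cluster->action=ALL"],
    "describe_role": ["Host=*->Topic=test->action=describe"],
    "read_role": ["Host=*->Topic=test->action=read"],
    "write_role": ["Host=*->Topic=test->action=write"],
    "describe_consumer_group_role": ["Host=*->ConsumerGroup=test-consumer-group->action=describe"],
    "read_consumer_group_role": ["Host=*->ConsumerGroup=test-consumer-group->action=read"],
}

# Role-to-group grants made with "gr", copied from the post.
GROUP_ROLES: Dict[str, Set[str]] = {
    "admin": {"admin_role"},
    "producer": {"describe_role", "read_role", "write_role"},
    "consumer": {"read_role", "describe_role",
                 "describe_consumer_group_role", "read_consumer_group_role"},
}


def parse_privilege(priv: str) -> Tuple[Dict[str, str], str]:
    """Split 'Host=*->Topic=test->action=read' into
    ({'host': '*', 'topic': 'test'}, 'read'). Raises ValueError on bad input."""
    resources: Dict[str, str] = {}
    action = None
    for part in priv.split("->"):
        key, sep, value = part.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed privilege part: {part!r}")
        if key.lower() == "action":
            action = value.lower()
        else:
            resources[key.lower()] = value
    if action is None or not resources:
        raise ValueError(f"privilege needs resources and an action: {priv!r}")
    return resources, action


def privilege_matches(priv: str, request: Dict[str, str], action: str) -> bool:
    """True if the privilege covers the requested resource and action
    (simplified model of Sentry's matching, see module docstring)."""
    resources, priv_action = parse_privilege(priv)
    for key, value in resources.items():
        if key not in request:
            return False
        if value != "*" and request[key] != value:
            return False
    return priv_action == "all" or priv_action == action.lower()


def explain(user: str, request: Dict[str, str], action: str) -> List[Tuple[str, str, str]]:
    """Every (group, role, privilege) path that grants the request; useful when
    auditing why a user is (or is not) allowed to do something."""
    request = {k.lower(): v for k, v in request.items()}
    paths: List[Tuple[str, str, str]] = []
    for group in sorted(USER_GROUPS.get(user, set())):
        for role in sorted(GROUP_ROLES.get(group, set())):
            for priv in ROLE_PRIVILEGES.get(role, []):
                if privilege_matches(priv, request, action):
                    paths.append((group, role, priv))
    return paths


def is_authorized(user: str, request: Dict[str, str], action: str) -> bool:
    """Deny by default: a request is allowed only if at least one path grants it."""
    return bool(explain(user, request, action))


if __name__ == "__main__":
    topic = {"Host": "localhost", "Topic": "test"}
    group = {"Host": "localhost", "ConsumerGroup": "test-consumer-group"}
    for user, res, act in [("bob", topic, "write"), ("carol", topic, "write"),
                           ("carol", group, "read"), ("mallory", topic, "read")]:
        print(user, act, res, "->", is_authorized(user, res, act), explain(user, res, act))
```

The model makes the deny-by-default behaviour of the setup visible: a user in the 'producer' group can write to the 'test' topic but gets nothing on the consumer group, a 'consumer' user can read but not write, and an unknown user matches no path at all. 'explain' returns the exact grant chain, which is what you want when a producer or consumer is unexpectedly refused and you need to check which of 'sentry.ini', the role grants or the privileges is wrong.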

3) Test authorization

Now start the broker (after starting Zookeeper):
  • bin/kafka-server-start.sh config/server.properties
Start the producer:
  • bin/kafka-console-producer.sh --broker-list localhost:9092 --topic test --producer.config config/producer.properties
Send a few messages to check that the producer is authorized correctly. Now start the consumer:
  • bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic test --from-beginning --consumer.config config/consumer.properties --new-consumer
Authorization should succeed and you should see the messages made by the producer appear in the consumer console window.
