A custom LoginModule for Kafka authentication and authorization.

STACK-Fintech/kafka-auth-aws-iam

AwsIamLoginModule

This is a custom LoginModule meant to be used with Kafka and configured via JAAS.

Special Thanks

A shoutout to @CookPete for creating auto-changelog, which is used to build the CHANGELOG for this plugin!

Server Setup

Copy the kafka-auth-aws-iam-{VERSION}.jar file into your Kafka's libs directory. Next, create a JAAS configuration file that looks something like this:

KafkaServer {
    com.stack.security.auth.aws.AwsIamLoginModule required
    aws_account_id="1234567890123";
};

In the sample configuration, only AWS IAM credentials belonging to the given AWS account ID will authenticate successfully. This prevents someone from generating IAM credentials in an unrelated AWS account and connecting to your Kafka brokers with the default ACL permissions.

Next, add the JAAS configuration file as an argument for the KAFKA_OPTS environment variable of your broker(s):

export KAFKA_OPTS="-Djava.security.auth.login.config=./config/server-jaas.conf"
bin/kafka-server-start.sh config/server.properties

Last, in server.properties, you'll need to add:

  • an entry for the callback handler class
  • the selected SASL mechanism
  • a list of enabled SASL mechanisms

# server.properties

sasl.mechanism=AWS
# You can add other mechanisms as necessary, comma-separated
sasl.enabled.mechanisms=AWS
# To use AWS IAM for inter-broker authentication as well
sasl.mechanism.inter.broker.protocol=AWS

# Key format: listener.name.{listener}.aws.sasl.server.callback.handler.class=com.stack.security.auth.aws.internal.AwsIamCallbackHandler
listener.name.sasl_ssl.aws.sasl.server.callback.handler.class=com.stack.security.auth.aws.internal.AwsIamCallbackHandler
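As an added example (not part of this project), a small Python check that reads a JAAS file and a server.properties the way this README lays them out and flags what a reviewer would look for: a missing aws_account_id restriction, AWS absent from sasl.enabled.mechanisms, and a callback-handler key without the .class suffix. The two parsers are simplified readings of the formats, and the sample inputs are constructed.

```python
import re

LOGIN_MODULE = "com.stack.security.auth.aws.AwsIamLoginModule"
HANDLER = "com.stack.security.auth.aws.internal.AwsIamCallbackHandler"

# Constructed sample inputs with two weaknesses: no aws_account_id restriction
# in the JAAS entry, and a callback-handler key lacking the ".class" suffix.
SAMPLE_JAAS = """KafkaServer {
    com.stack.security.auth.aws.AwsIamLoginModule required;
};"""
SAMPLE_PROPS = """sasl.enabled.mechanisms=AWS
listener.name.sasl_ssl.aws.sasl.server.callback.handler=%s""" % HANDLER

def parse_jaas_options(text, section="KafkaServer"):
    """Return the option map of the AwsIamLoginModule entry, or None if absent."""
    block = re.search(section + r"\s*\{(.*?)\};", text, re.S)
    if not block:
        return None
    entry = re.search(re.escape(LOGIN_MODULE) + r"\s+\w+\s*(.*?);", block.group(1), re.S)
    if not entry:
        return None
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', entry.group(1)))

def parse_properties(text):
    """Minimal key=value reader for server.properties (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(jaas_text, props_text, listener="sasl_ssl"):
    """Return a list of findings; an empty list means the setup matches the README."""
    findings = []
    opts = parse_jaas_options(jaas_text)
    if opts is None:
        findings.append("KafkaServer has no AwsIamLoginModule entry")
    elif not opts.get("aws_account_id", "").isdigit():
        findings.append("aws_account_id missing: credentials from any AWS account would authenticate")
    props = parse_properties(props_text)
    enabled = [m.strip() for m in props.get("sasl.enabled.mechanisms", "").split(",")]
    if "AWS" not in enabled:
        findings.append("AWS is not listed in sasl.enabled.mechanisms")
    key = "listener.name.%s.aws.sasl.server.callback.handler.class" % listener
    if props.get(key) != HANDLER:
        findings.append("%s is not set to %s" % (key, HANDLER))
    return findings
```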

Client Setup

You can use the AwsIamLoginModule for authentication between Kafka Brokers. To do this, add an entry to your JAAS configuration for KafkaClient:

KafkaClient {
    com.stack.security.auth.aws.AwsIamLoginModule required;
};

The AwsIamSaslClient leverages the DefaultAWSCredentialsProviderChain to automatically find credentials available for use in the environment of your Kafka broker.

Unlike the AwsIamSaslServer, the AwsIamSaslClient does not use a custom callback so no additional wireup is needed in server.properties.

This client can also be used with JAAS-compatible Consumers and Producers, though this hasn't been tested.

Build, Test, etc...

This project uses Maven.

# Install dependencies
mvn install
# Build
mvn compile
# Test
mvn test
# Package the JAR for use
mvn package

Built with ❤️ by