红帽全球峰会此内容没有您所选择的语言版本。
Chapter 12. KafkaListenerAuthenticationCustom schema reference
Used in: GenericKafkaListener
Full list of KafkaListenerAuthenticationCustom schema properties
Configures custom authentication for listeners.
To configure custom authentication, set the type property to custom. Custom authentication allows for any type of Kafka-supported authentication to be used.
Example custom OAuth authentication configuration
spec:
kafka:
config:
principal.builder.class: SimplePrincipal.class
listeners:
- name: oauth-bespoke
port: 9093
type: internal
tls: true
authentication:
type: custom
sasl: true
listenerConfig:
oauthbearer.sasl.client.callback.handler.class: client.class
oauthbearer.sasl.server.callback.handler.class: server.class
oauthbearer.sasl.login.callback.handler.class: login.class
oauthbearer.connections.max.reauth.ms: 999999999
sasl.enabled.mechanisms: oauthbearer
oauthbearer.sasl.jaas.config: |
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required ;
template:
pod:
volumes:
- name: example-secret
secret:
secretName: example
kafkaContainer:
volumeMounts:
- name: example-secret
mountPath: /mnt/secret-volume
A protocol map is generated that uses the sasl and tls values to determine which protocol to map to the listener.
-
SASL = True, TLS = True
SASL_SSL -
SASL = False, TLS = True
SSL -
SASL = True, TLS = False
SASL_PLAINTEXT -
SASL = False, TLS = False
PLAINTEXT
Secrets are mounted to the /mnt directory in the Kafka broker nodes' containers. For example, the mounted secret (example) in the example configuration would be located at /mnt/secret-volume.
12.1. Configuring customized TLS Client Authentication
You can also use the custom authentication to configure customized TLS client authentication. This allows configuration options that are not permissible with type: tls authentication. For example, it’s possible to configure a custom truststore with multiple trusted CAs or options such as ssl.principal.mapping.rules.
Example custom TLS Client Authentication configuration
spec:
kafka:
listeners:
- name: tls
port: 9093
tls: true
type: internal
authentication:
type: custom
sasl: false
listenerConfig:
ssl.client.auth: required
ssl.principal.mapping.rules: RULE:^CN=(.*?),(.*)$/$1@my-cluster.com/
ssl.truststore.location: /mnt/my-truststore/ca.crt
ssl.truststore.type: PEM
template:
pod:
volumes:
- name: my-truststore
secret:
secretName: custom-truststore
kafkaContainer:
volumeMounts:
- name: my-truststore
mountPath: /mnt/my-truststore12.2. Setting a custom principal builder
You can set a custom principal builder in the Kafka cluster configuration. However, the principal builder is subject to the following requirements:
- The specified principal builder class must exist on the image. Before building your own, check if one already exists. You’ll need to rebuild the Streams for Apache Kafka images with the required classes.
-
No other listener is using
oauthtype authentication. This is because an OAuth listener appends its own principle builder to the Kafka configuration. - The specified principal builder is compatible with Streams for Apache Kafka.
Custom principal builders must support peer certificates for authentication, as Streams for Apache Kafka uses these to manage the Kafka cluster.
Kafka’s default principal builder class supports the building of principals based on the names of peer certificates. The custom principal builder should provide a principal of type user using the name of the SSL peer certificate.
The following example shows a custom principal builder that satisfies the OAuth requirements of Streams for Apache Kafka.
Example principal builder for custom OAuth configuration
public final class CustomKafkaPrincipalBuilder implements KafkaPrincipalBuilder {
public KafkaPrincipalBuilder() {}
@Override
public KafkaPrincipal build(AuthenticationContext context) {
if (context instanceof SslAuthenticationContext) {
SSLSession sslSession = ((SslAuthenticationContext) context).session();
try {
return new KafkaPrincipal(
KafkaPrincipal.USER_TYPE, sslSession.getPeerPrincipal().getName());
} catch (SSLPeerUnverifiedException e) {
throw new IllegalArgumentException("Cannot use an unverified peer for authentication", e);
}
}
// Create your own KafkaPrincipal here
...
}
}
The type property is a discriminator that distinguishes use of the KafkaListenerAuthenticationCustom type from KafkaListenerAuthenticationTls, KafkaListenerAuthenticationScramSha512, KafkaListenerAuthenticationOAuth. It must have the value custom for the type KafkaListenerAuthenticationCustom.
| Property | Property type | Description |
|---|---|---|
| type | string |
Must be |
| sasl | boolean | Enable or disable SASL on this listener. |
| listenerConfig | map |
Configuration to be used for a specific listener. All values are prefixed with |
| secrets |
|
The |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}