Connecting to a kerberised Kafka cluster on Linux

To read from or write to a Kerberised Kafka cluster that runs on the Linux operating system, configure the default realm, KDC, and Kafka advanced source or target properties.
You can configure Kerberos authentication for a Kafka client by placing the required Kerberos configuration files on the Secure Agent machine and specifying the required JAAS configuration in the Kafka connection. The JAAS configuration defines the keytab and principal details that the Kafka broker must use to authenticate the Kafka client.
Before you read from or write to a Kerberised Kafka cluster, perform the following tasks:
  1. Ensure that you have the krb5.conf file for the Kerberised Kafka cluster.
  2. Configure the default realm and KDC. If the default /etc/krb5.conf file is not configured or you want to change the configuration, add the following lines to the /etc/krb5.conf file:
    [libdefaults]
    default_realm = <REALM NAME>
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

    [realms]
    <REALM NAME> = {
      kdc = <Location where KDC is installed>
      admin_server = <Location where KDC is installed>
    }

    [domain_realm]
    .<domain name or hostname> = <KERBEROS DOMAIN NAME>
    <domain name or hostname> = <KERBEROS DOMAIN NAME>
  3. To pass a static JAAS configuration file into the JVM using the java.security.auth.login.config property at runtime, perform the following tasks:
    a. Ensure that you have a JAAS configuration file.
      For information about creating a JAAS configuration and configuring a keytab for Kafka clients, see the Apache Kafka documentation at https://kafka.apache.org/0101/documentation/#security
      For example, the JAAS configuration file can contain the following lines of configuration:
      // Kafka client authentication. Used for the client-to-Kafka-broker connection.
      KafkaClient {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        useKeyTab=true
        storeKey=true
        keyTab="<path to Kafka keytab file>/<Kafka keytab file name>"
        principal="<principal name>"
        client=true;
      };
    b. Place the JAAS config file and keytab file in the same location on all the nodes.
      Informatica recommends that you place the files in a location that is accessible to all the nodes in the cluster. Example: /etc or /temp
    c. Configure the following properties:
      Kafka connection
      Configure the Additional Connection Properties property in a Kafka connection and specify the value in the following format:
      security.protocol=SASL_PLAINTEXT,sasl.kerberos.service.name=kafka,sasl.mechanism=GSSAPI
      Sources
      Configure the Consumer Configuration Properties property in the advanced source properties to override the value specified in the Additional Connection Properties property in a Kafka connection. Specify the value in the following format:
      security.protocol=SASL_PLAINTEXT,sasl.kerberos.service.name=kafka,sasl.mechanism=GSSAPI
      Targets
      Configure the Producer Configuration Properties property in the advanced target properties to override the value specified in the Additional Connection Properties property in a Kafka connection. Specify the value in the following format:
      security.protocol=SASL_PLAINTEXT,sasl.kerberos.service.name=kafka,sasl.mechanism=GSSAPI
  4. To embed the JAAS configuration in the sasl.jaas.config configuration property, configure the following properties:
    Kafka connection
    Configure the Additional Connection Properties property in a Kafka connection and specify the value in the following format:
    security.protocol=SASL_PLAINTEXT,sasl.kerberos.service.name=kafka,sasl.mechanism=GSSAPI,
    sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true
    storeKey=true doNotPrompt=true serviceName="<service_name>" keyTab="<location of keytab file>"
    client=true principal="<principal_name>";
    Sources
    Configure the Consumer Configuration Properties property in the advanced source properties to override the value specified in the Kerberos Configuration Properties property in a Kafka connection. Specify the value in the following format:
    security.protocol=SASL_PLAINTEXT,sasl.kerberos.service.name=kafka,sasl.mechanism=GSSAPI,
    sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true
    storeKey=true doNotPrompt=true serviceName="<service_name>" keyTab="<location of keytab file>"
    client=true principal="<principal_name>";
    Targets
    Configure the Producer Configuration Properties property in the advanced target properties to override the value specified in the Kerberos Configuration Properties property in a Kafka connection. Specify the value in the following format:
    security.protocol=SASL_PLAINTEXT,sasl.kerberos.service.name=kafka,sasl.mechanism=GSSAPI,
    sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true
    storeKey=true doNotPrompt=true serviceName="<service_name>" keyTab="<location of keytab file>"
    client=true principal="<principal_name>";
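
The following Python check is an added example, not part of the Informatica documentation or product. It assumes the comma-separated key=value format shown above; the function names and the sample values are made up for illustration. It reports a keytab that group or other users can access and flags that SASL_PLAINTEXT leaves the connection unencrypted.

```python
import os
import re
import stat

# Constructed sample in the page's format; the path and principal are placeholders.
SAMPLE = ('security.protocol=SASL_PLAINTEXT,sasl.kerberos.service.name=kafka,'
          'sasl.mechanism=GSSAPI,\nsasl.jaas.config=com.sun.security.auth.module.'
          'Krb5LoginModule required useKeyTab=true storeKey=true doNotPrompt=true\n'
          'keyTab="/path/to/client.keytab" principal="client@EXAMPLE.COM";')

def parse_props(value):
    """Split the property string on commas; the first '=' separates key from value."""
    props = {}
    for item in " ".join(value.split()).split(","):
        key, sep, val = item.strip().partition("=")
        if sep:
            props[key.strip()] = val.strip()
    return props

def jaas_options(jaas):
    """Extract name=value options (quoted or bare) from a sasl.jaas.config entry."""
    found = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s;]+))', jaas)
    return {name: quoted or bare for name, quoted, bare in found}

def audit(value):
    """Return findings for one property string; an empty list means none."""
    props, findings = parse_props(value), []
    if props.get("sasl.mechanism") != "GSSAPI":
        findings.append("sasl.mechanism is not GSSAPI, so Kerberos is not in use")
    if props.get("security.protocol") == "SASL_PLAINTEXT":
        findings.append("SASL_PLAINTEXT authenticates the client but does not "
                        "encrypt traffic; SASL_SSL is the Kafka value that adds TLS")
    if "sasl.jaas.config" in props:
        opts = jaas_options(props["sasl.jaas.config"])
        if not opts.get("principal"):
            findings.append("no principal set in sasl.jaas.config")
        keytab = opts.get("keyTab", "")
        try:
            mode = os.stat(keytab).st_mode
        except OSError:
            findings.append(f"cannot stat keytab at {keytab!r}")
        else:
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"keytab {keytab} is accessible to group/other "
                                f"(mode {stat.S_IMODE(mode):o}); restrict it")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```

For the static JAAS file variant in step 3, the property string carries no sasl.jaas.config entry, so only the protocol and mechanism checks apply.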