Updated on 2022-11-18 GMT+08:00

SASL Kerberos Authentication

In a secure cluster environment, components must authenticate each other before they communicate, so that the communication is protected. Kafka application development therefore requires Kafka, ZooKeeper and Kerberos security authentication. To perform the authentication, a JAAS file must be generated and the related environment variables must be configured; the LoginUtil class provides interfaces for this configuration. As shown in the following code sample, only the machine-machine user account that the user applied for and the keytab file name need to be configured. For details about the code, see the LoginUtil class in the com.huawei.bigdata.kafka.example.security package of the sample project.

Code sample:

    import java.io.File;
    import java.io.IOException;

    /**
     * Keytab file name of the machine-machine account that a user applies for
     */
    private static final String USER_KEYTAB_FILE = "keytab file name of the machine-machine account that a user applies for";

    /**
     * Machine-machine account (Kerberos principal) that a user applies for
     */
    private static final String USER_PRINCIPAL = "Machine-machine account that a user applies for";

    public static void securityPrepare() throws IOException
    {
        // krb5.conf and the keytab are expected in src/main/resources of the project.
        String filePath = System.getProperty("user.dir") + File.separator + "src" + File.separator + "main" + File.separator + "resources" + File.separator;
        String krbFile = filePath + "krb5.conf";
        String userKeyTableFile = filePath + USER_KEYTAB_FILE;

        // Replace separators in Windows: the paths are written into the JAAS file, where a backslash must be escaped.
        userKeyTableFile = userKeyTableFile.replace("\\", "\\\\");
        krbFile = krbFile.replace("\\", "\\\\");

        // Point the JVM at krb5.conf, name the ZooKeeper server principal, and generate the JAAS file for the keytab login.
        LoginUtil.setKrb5Config(krbFile);
        LoginUtil.setZookeeperServerPrincipal("zookeeper/hadoop.<system domain name>");
        LoginUtil.setJaasFile(USER_PRINCIPAL, userKeyTableFile);
    }

To find the current system domain name, log in to FusionInsight Manager, choose System > Permission > Domain and Mutual Trust, and check the value of Local Domain.
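The following is an added, self-contained example that is not the sample project's LoginUtil. It shows what a LoginUtil-style helper has to produce for the configuration above to work: a JAAS file with a KafkaClient section (read by the Kafka client) and a Client section (read by the ZooKeeper client), both logging in from the keytab through the JDK's Krb5LoginModule, plus the JVM properties that point the Kerberos stack at krb5.conf and at the JAAS file and that name the ZooKeeper server principal. The property names (java.security.krb5.conf, java.security.auth.login.config, zookeeper.server.principal), the login module and the Kafka client settings (security.protocol, sasl.mechanism, sasl.kerberos.service.name) are standard JDK, ZooKeeper and Kafka names; the class and method names, the placeholder principal, realm and file locations are assumptions made for the illustration. The example runs offline on constructed placeholder files and performs no Kerberos login.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Properties;

// Added example: a stand-in for a LoginUtil-style helper, not the sample project's code.
public class KerberosClientSetup {

    // Standard JDK and ZooKeeper property names consulted by the Kerberos and SASL stacks.
    private static final String KRB5_CONF_PROPERTY = "java.security.krb5.conf";
    private static final String JAAS_CONF_PROPERTY = "java.security.auth.login.config";
    private static final String ZK_PRINCIPAL_PROPERTY = "zookeeper.server.principal";

    /** One JAAS login section that authenticates from a keytab: no password prompt, no ticket cache. */
    static String jaasSection(String sectionName, String principal, String keytabPath) {
        // The JAAS file is parsed as text, so a Windows backslash must be doubled to survive parsing.
        String escapedKeytab = keytabPath.replace("\\", "\\\\");
        return sectionName + " {\n"
                + "  com.sun.security.auth.module.Krb5LoginModule required\n"
                + "  useKeyTab=true\n"
                + "  keyTab=\"" + escapedKeytab + "\"\n"
                + "  principal=\"" + principal + "\"\n"
                + "  useTicketCache=false\n"
                + "  storeKey=true\n"
                + "  debug=false;\n"
                + "};\n";
    }

    /** Kafka clients look up the KafkaClient section; the ZooKeeper client looks up Client. */
    static String jaasFileContent(String principal, String keytabPath) {
        return jaasSection("KafkaClient", principal, keytabPath)
                + jaasSection("Client", principal, keytabPath);
    }

    /** Fail early with a clear message instead of failing later inside the SASL handshake. */
    static void requireReadableFile(String path, String what) throws IOException {
        File f = new File(path);
        if (!f.isFile() || !f.canRead()) {
            throw new IOException(what + " is missing or not readable: " + path);
        }
    }

    /**
     * Writes the JAAS file and sets the JVM properties. Must run before the first
     * Kafka or ZooKeeper client is constructed, because the properties are read then.
     */
    static Path securityPrepare(String principal, String krb5Conf, String keytab,
                                String zkServerPrincipal, Path jaasFile) throws IOException {
        requireReadableFile(krb5Conf, "krb5.conf");
        requireReadableFile(keytab, "keytab");
        Files.write(jaasFile, jaasFileContent(principal, keytab).getBytes(StandardCharsets.UTF_8));
        System.setProperty(KRB5_CONF_PROPERTY, krb5Conf);
        System.setProperty(JAAS_CONF_PROPERTY, jaasFile.toString());
        System.setProperty(ZK_PRINCIPAL_PROPERTY, zkServerPrincipal);
        return jaasFile;
    }

    /** Client settings that select Kerberos (GSSAPI) over SASL; the broker principal is kafka/<host>@<REALM>. */
    static Properties kafkaSaslProperties() {
        Properties p = new Properties();
        p.setProperty("security.protocol", "SASL_PLAINTEXT");
        p.setProperty("sasl.mechanism", "GSSAPI");
        p.setProperty("sasl.kerberos.service.name", "kafka");
        return p;
    }

    public static void main(String[] args) throws IOException {
        // Constructed placeholder files so the example runs offline; use the real krb5.conf and keytab in practice.
        Path dir = Files.createTempDirectory("krb-demo");
        Path krb5 = dir.resolve("krb5.conf");
        Path keytab = dir.resolve("user.keytab");
        Files.write(krb5, "[libdefaults]\n  default_realm = HADOOP.COM\n".getBytes(StandardCharsets.UTF_8));
        Files.write(keytab, new byte[0]);

        // Placeholder principal and ZooKeeper server principal; substitute the real account and system domain name.
        Path jaas = securityPrepare("user@HADOOP.COM", krb5.toString(), keytab.toString(),
                "zookeeper/hadoop.hadoop.com", dir.resolve("jaas.conf"));

        System.out.println(new String(Files.readAllBytes(jaas), StandardCharsets.UTF_8));
        System.out.println(KRB5_CONF_PROPERTY + "=" + System.getProperty(KRB5_CONF_PROPERTY));
        System.out.println(JAAS_CONF_PROPERTY + "=" + System.getProperty(JAAS_CONF_PROPERTY));
        System.out.println(kafkaSaslProperties());
    }
}
```

Two points a practitioner should keep in mind when wiring this in. The keytab is a long-term credential equivalent to the account's password: restrict its file permissions to the user that runs the client and keep it out of any source tree that is committed, even though the sample reads it from src/main/resources. And the system properties are read once, when the first Kafka or ZooKeeper client is constructed, so securityPrepare (or LoginUtil in the sample) must run before any client object is created.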