Kafka Security: Configuring .Net Core Applications for SASL/GSSAPI (Kerberos) Authentication

Srinivasa, published in TribalScale, Apr 4, 2019

By: Srinivasa Gummadidala

INTRODUCTION:

This is a continuation of my previous post on “Building Real-time Streaming Apps Using .NET Core and Kafka”. In this post, we are going to look at the security aspects of Kafka at a high level. We will also configure a .NET Core application to authenticate with a Kerberos-aware Kafka Cluster.

Kafka Security Overview:

Enabling security over Kafka is optional. However, if your organization is using Kafka to store critical data, enabling Kafka’s security features is crucial to protect your data from all kinds of cyber-attacks.

Four key security features that you can enable over Kafka:

  1. Configure the Kafka broker to authenticate internal/external clients using either SASL or Transport Layer Security (TLS) client certificates, so that the brokers know who is making each request. Currently, the supported SASL mechanisms are GSSAPI (Kerberos) and PLAIN.
  2. Configure “Access Control Lists(ACLs)” to authorize clients read/write access to topics.
  3. Configure encrypted network communications between producer/consumer and Kafka.
  4. Configure secure communication between Kafka brokers and ZooKeeper.

Let’s assume that your organization’s Kafka instance is configured to authenticate internal/external clients using the SASL GSSAPI (Kerberos) option, and that your organization already runs a Kerberos server internally (for example, Active Directory).

So, any application/service that needs to communicate with Kafka must authenticate using SASL (Kerberos).

What is SASL?

Simple Authentication and Security Layer (SASL) is a framework that can be combined with other protocols (SMTP, for example) and with authentication mechanisms such as Kerberos. The basic idea is that the authentication mechanism is separated from the application protocol.

GSSAPI is a SASL authentication mechanism for supporting Kerberos authentication.

What is Kerberos?

Kerberos is a network authentication protocol based on secret-key cryptography. In simple terms, instead of sending passwords across the network, communication partners share a cryptographic key, and they use knowledge of this key to verify one another’s identity. You can read more about Kerberos here.

SASL/GSSAPI is a great choice for enterprises as it allows the companies to manage security from within their Kerberos Server.

User Scenario:

Let’s take our e-commerce use-case mentioned in our previous Kafka blog. Both “Order API” and “ProcessOrdersService” are .NET Core apps that produce/consume messages to/from Kafka topics.

With your organization using secured Kafka, these two apps need to use Kerberos tickets to authenticate to the Kafka cluster.

Configure .NET Core Producer/Consumer for SASL/Kerberos Authentication:

Confluent’s .NET Core libraries make configuration easy, and there aren’t any extra steps. All you need to do is generate a keytab file for your Kerberos principal (the identity of the user or service in the realm) and reference it in the producer/consumer configuration settings.

Step 1: Create or update krb5.conf file in /etc/ path.

  • The krb5.conf file contains Kerberos configuration information, including the locations of KDCs. Make sure that your organization’s KDC address is configured here.
  • Normally, you should install your krb5.conf file in the directory /etc. You can override the default location by setting the environment variable KRB5_CONFIG.

Example (the realm-to-KDC mapping lives in the [realms] section of krb5.conf):

[realms]
MYORGANIZATION.COM = {
    kdc = testkdcserver.myorg.com
}

Step 2: Generate a KeyTab file

It’s basically a file that holds one or more Kerberos principals together with their long-term secret keys (derived from the account password), so a service can obtain tickets without an interactive password prompt.

How do I generate a KeyTab file?

  • Use the ktutil command.
  • Create an entry for each encryption type you use with the add_entry command (-k is the key version number, -e the encryption type):

add_entry -password -p principal_name -k number -e encryption_type

  • Once you have created the entries for the principal, write them to a keytab file:

wkt filename.keytab

How do I verify whether my KeyTab file really works or not?

Run the below command:

kinit username@MYDOMAIN.COM -k -t username.keytab

You should successfully authenticate without being prompted for a password. Success!

Step 3: Update producer/consumer config settings.

Step 4: Run your application and try producing/consuming messages to Kafka.
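Steps 3 and 4 in code form, as an added example that is not from the original post or its GitHub repository: it configures a Confluent.Kafka producer (1.x API assumed) for SASL/GSSAPI using the keytab from Step 2 and registers the error handler the troubleshooting tips below recommend. Broker address, principal, keytab path and topic name are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Confluent.Kafka;

public static class SecureOrderProducer
{
    // Builds the client configuration for a Kerberos-aware cluster.
    public static ProducerConfig BuildConfig(string bootstrapServers, string principal, string keytabPath)
    {
        return new ProducerConfig
        {
            BootstrapServers = bootstrapServers,
            // SaslSsl authenticates AND encrypts; SaslPlaintext only authenticates.
            SecurityProtocol = SecurityProtocol.SaslSsl,
            SaslMechanism = SaslMechanism.Gssapi,
            // Must match the service part of the broker principal, e.g. kafka/broker.host@REALM.
            SaslKerberosServiceName = "kafka",
            SaslKerberosPrincipal = principal,
            // librdkafka's default kinit command uses principal + keytab to obtain a
            // ticket, so the app never needs a password.
            SaslKerberosKeytab = keytabPath,
            // SslCaLocation = "/path/to/ca.pem", // only if the broker CA is not in the OS trust store
        };
    }

    public static async Task Main()
    {
        var config = BuildConfig(
            bootstrapServers: "kafka-broker.myorg.com:9093",   // placeholder
            principal: "orderapi@MYORGANIZATION.COM",         // placeholder
            keytabPath: "/app/orderapi.keytab");               // placeholder (absolute path, see tips)

        using var producer = new ProducerBuilder<Null, string>(config)
            // SASL/Kerberos failures are reported here, not thrown by the constructor.
            .SetErrorHandler((_, e) => Console.Error.WriteLine($"Kafka error {e.Code}: {e.Reason}"))
            // librdkafka logs (including the kinit command it ran) help diagnose ticket problems.
            .SetLogHandler((_, m) => Console.WriteLine($"[{m.Level}] {m.Facility}: {m.Message}"))
            .Build();

        try
        {
            var result = await producer.ProduceAsync("orders",
                new Message<Null, string> { Value = "{\"orderId\": 1001}" }); // constructed sample
            Console.WriteLine($"Delivered to {result.TopicPartitionOffset}");
        }
        catch (ProduceException<Null, string> ex)
        {
            Console.Error.WriteLine($"Delivery failed: {ex.Error.Reason}");
        }
        producer.Flush(TimeSpan.FromSeconds(10));
    }
}
```

If authentication fails, the error handler fires with a SASL/GSSAPI reason while ProduceAsync times out, which is why registering the handler matters.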

Troubleshooting Tips:

  • If you are deploying your app in cloud containers like Pivotal Cloud Foundry (PCF), make sure that your Docker image comes with the SASL libraries. For example, we had an issue with PCF where the cf Linux image that we used to spin up a cloud container did not have all the SASL libraries required for Kerberos. One of our TribalScale developers raised a merge request in Cloud Foundry to add the libsasl2-modules-gssapi-mit package; the request has been approved and merged.
  • Make sure that your krb5.conf file is in the default path (/etc), or explicitly specify its location with the KRB5_CONFIG environment variable.
  • Make sure that you have at least read permission on the krb5.conf file.
  • Producer/consumer classes never surface connectivity-related runtime exceptions directly; they let you instantiate the objects even if you pass invalid credentials. Sometimes the producer/consumer will silently fail to function without surfacing the underlying exception. You need to register an error handler on the “OnError” event to surface these errors.
  • Keep your keytab file at the project root, or specify its absolute path in the config settings.

Note: If you are a Windows user, set up WSL (Windows Subsystem for Linux) and try the above steps from an Ubuntu shell.

CONCLUSION:

Enabling Kafka security features is very important and will protect your organization from cyber-attacks. To authenticate Kafka clients, configuring Kafka brokers with SASL/GSSAPI (Kerberos) is also a great choice for enterprises as it allows for security management within the Kerberos server. Finally, Confluent’s .NET Core APIs have well-defined interfaces that neatly configure .NET Core apps so they can be authenticated to a SASL/GSSAPI (Kerberos)-enabled broker.

The Kafka community added a number of features that can be used, together or separately, to secure a Kafka cluster. Refer to the Confluent documentation for more details.

For detailed code, please refer to my GitHub repository.

Srini is an Agile Transformation Engineer at TribalScale based out of Boston office, .NET web developer focused on micro-service-first architecture design.

TribalScale is a global innovation firm that helps enterprises adapt and thrive in the digital era. We transform teams and processes, build best-in-class digital products, and create disruptive startups. Learn more about us on our website. Connect with us on Twitter, LinkedIn & Facebook!
