ArcGIS GeoEvent: Kafka Connector Security

Blog Post created by eironside-esristaff Employee on Sep 25, 2019

A recent release of ArcGIS GeoEvent Server included a new set of connectors for accessing Kafka systems. We have documented this initial release, but we have not yet released exhaustive documentation to guide users on how to work with the connectors. This blog attempts to provide some additional guidance on implementing security with these connectors while we work on enhancing our documentation (with examples). It is in no way meant to be an exhaustive guide and will probably change over time.


The security implementations have some prerequisites which users need to be aware of before using the connectors in a secured cluster setting. Especially in the case of Kerberos authentication, users are most likely to run into issues if they don’t pay particular attention to the details on the help page. Even where they do, they may still run into problems without a thorough understanding of Kerberos as supported in Kafka.


For the GSSAPI (Kerberos) implementation, SASL_PLAINTEXT is not a supported protocol with the connectors; the only supported protocol is SASL_SSL. So your JAAS config file should look something like the following:

 

```
KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="<path-to-keyTab>/[keyTabName].keyTab"
    principal="$serviceName/principal@EXAMPLE.COM";
};
```


Please see the client section of the Kerberos security documentation for further information on this.


In this specific implementation, we use the folder data store registered with GeoEvent to assign the path to the JAAS file. Our experience with the specific error where Kafka reports that the KafkaClient section in the JAAS file does not exist is that in most cases this is misleading. It could be that the file is not correctly formatted and that the contents aren’t being read correctly by the Kafka client libraries. Again, please refer to the Confluent docs on the correct formatting.
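As an added example (not part of the original post or of the GeoEvent connector code), here is a small Python checker for the JAAS file described above: it parses the `Name { Module flag option...; };` structure and reports the formatting slips (lost `;`, unknown control flag, misnamed section, malformed principal, missing keytab) that surface as the misleading "KafkaClient section does not exist" error. The sample contents, keytab path and principal are constructed placeholders.

```python
import os, re
SAMPLE_JAAS = """
KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/data/geoevent/kafka.keytab"
    principal="geoevent/host.example.com@EXAMPLE.COM";
};
"""  # constructed sample (placeholder keytab path and principal, not a real deployment)
FLAGS = {"required", "requisite", "sufficient", "optional"}
SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.S)            # Name { ... };
ENTRY_RE = re.compile(r"([\w.$]+)\s+(\w+)\s*(.*?);", re.S)          # Module flag option...;
OPTION_RE = re.compile(r'([\w.]+)\s*=\s*("[^"]*"|\'[^\']*\'|\S+)')  # key=value or key="value"

def parse_jaas(text):
    """Parse JAAS text into {section: [(module, flag, {option: value}), ...]}; raise ValueError
    on the structural slips (lost brace or ';', bad flag) that Kafka reports as a missing section."""
    sections = {}
    for name, body in SECTION_RE.findall(text):
        entries = []
        for module, flag, opts in ENTRY_RE.findall(body):
            if flag not in FLAGS:
                raise ValueError(f"{name}: module {module} has invalid control flag '{flag}'")
            entries.append((module, flag, {k: v.strip("\"'") for k, v in OPTION_RE.findall(opts)}))
        if not entries:
            raise ValueError(f"section '{name}' has no 'Module flag ...;' entry (missing ';'?)")
        sections[name] = entries
    if not sections:
        raise ValueError("no 'Name { ... };' sections found (check the braces and the trailing ';')")
    return sections

def check_kafka_client(text, check_files=True):
    """Return problems with the KafkaClient section as a list; an empty list means it looks right."""
    try:
        entries = parse_jaas(text).get("KafkaClient")
    except ValueError as e:
        return [str(e)]
    if not entries:
        return ["no 'KafkaClient' section (Kafka looks for exactly this name)"]
    problems = []
    for _module, _flag, opts in entries:
        if opts.get("useKeyTab") != "true" or opts.get("storeKey") != "true":
            problems.append("useKeyTab=true and storeKey=true are both expected for a keytab login")
        if not re.fullmatch(r"[^@/\s]+(/[^@\s]+)?@[A-Z0-9.-]+", opts.get("principal", "")):
            problems.append("principal must look like name[/instance]@REALM (realm in upper case)")
        keytab = opts.get("keyTab", "")
        if not keytab or (check_files and not os.path.isfile(keytab)):
            problems.append(f"keyTab missing or file not found: {keytab!r}")
    return problems
```

Run `check_kafka_client(open(path).read())` against the file you registered in the GeoEvent folder data store; with the default `check_files=True` it also confirms the keytab path resolves on the GeoEvent host.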


For SSL (TLS 1.2), the key thing to note is that the trust store is managed by ArcGIS Server, so please ensure that ArcGIS Server’s trust store contains the client cert info or cert chain that you are attempting to set as your key store for the Kafka client (the connectors in this case). Our implementation provides “optional” parameters for the case where your Kafka server requires the client to authenticate; in that case, the key store file must be in “PKCS12” format.


Lastly, our implementation does not account for authorization; we only deal with authentication.
