1) Configure authorization in the broker
Firstly download configure Apache Kafka using SSL as per this tutorial, except use Kafka 0.11.0.2. To enable authorization using Apache Sentry we also need to follow these steps. First edit 'config/server.properties' and add:
This is the configuration file for the Sentry plugin for Kafka. It instructs Sentry to retrieve the authorization privileges from the Sentry security service, and to get the groups of authenticated users from the 'sentry.ini' configuration file. Create a new file in the config directory called "sentry.ini" with the following content:
Note that in the earlier tutorial this file also contained the authorization privileges, but they are not required in this scenario as we are using the Apache Sentry security service.
2) Configure the Apache Sentry security service
Follow the first tutorial to install the Apache Sentry security service. Now we need to create the authorization privileges for our Apache Kafka test scenario as per the second tutorial. Start the 'sentryCli" in the Apache Sentry distribution.
Create the roles:
- t kafka
- cr admin_role
- cr describe_role
- cr read_role
- cr write_role
- cr describe_consumer_group_role
- cr read_consumer_group_role
- gp admin_role "Host=*->Cluster=kafka-cluster->action=ALL"
- gp describe_role "Host=*->Topic=test->action=describe"
- gp read_role "Host=*->Topic=test->action=read"
- gp write_role "Host=*->Topic=test->action=write"
- gp describe_consumer_group_role "Host=*->ConsumerGroup=test-consumer-group->action=describe"
- gp read_consumer_group_role "Host=*->ConsumerGroup=test-consumer-group->action=read"
- gr admin_role admin
- gr describe_role producer
- gr read_role producer
- gr write_role producer
- gr read_role consumer
- gr describe_role consumer
- gr describe_consumer_group_role consumer
- gr read_consumer_group_role consumer
Now start the broker (after starting Zookeeper):
- bin/kafka-server-start.sh config/server.properties
- bin/kafka-console-producer.sh --broker-list localhost:9092 --topic test --producer.config config/producer.properties
- bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic test --from-beginning --consumer.config config/consumer.properties --new-consumer