...
Any other security protocol can be configured through the OOM charts on a k8s environment. The values below are defined in the chart's values.yaml, one key per protocol, and the application override file selects them through Helm templating.
2. SASL_PLAINTEXT using PLAIN mechanism:
Implements authentication based on usernames and passwords. Usernames and passwords are stored locally in the Kafka broker configuration. The connection itself is not encrypted, so the credentials and every message cross the network in cleartext; this is acceptable only inside a trusted cluster network.
DMaaP-Message-router-kafka uses SASL_PLAINTEXT by default.

Values defined in values.yaml (the sasl_ssl key used in section 3 sits beside this one in the same file):

    kafka:
      sasl_plaintext:
        security:
          protocol: SASL_PLAINTEXT
        ssl:
          trust-store-type:
          trust-store-location:
          trust-store-password:
        properties:
          sasl.mechanism: PLAIN
          sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username=admin password=admin_secret;
          ssl.endpoint.identification.algorithm:

The JAAS string above embeds the DMaaP default credentials in cleartext; in a real deployment the password should be injected from a Kubernetes Secret rather than committed in values.yaml.

The Kafka configuration details are then set in the override file (the spring.kafka section of the application configuration) as below. Keys that contain a dot, such as sasl.mechanism, cannot be reached with a dotted .Values path and are read with Helm's index function instead:

    spring:
      kafka:
        security:
          protocol: '{{ .Values.kafka.sasl_plaintext.security.protocol }}'
        ssl:
          trust-store-type: '{{ .Values.kafka.sasl_plaintext.ssl.trust-store-type }}'
          trust-store-location: '{{ .Values.kafka.sasl_plaintext.ssl.trust-store-location }}'
          trust-store-password: '{{ .Values.kafka.sasl_plaintext.ssl.trust-store-password }}'
        properties:
          sasl.mechanism: '{{ index .Values.kafka.sasl_plaintext.properties "sasl.mechanism" }}'
          sasl.jaas.config: '{{ index .Values.kafka.sasl_plaintext.properties "sasl.jaas.config" }}'
          ssl.endpoint.identification.algorithm: '{{ index .Values.kafka.sasl_plaintext.properties "ssl.endpoint.identification.algorithm" }}'
3. SASL_SSL using SCRAM-SHA-256 and SCRAM-SHA-512:
Implements authentication using the Salted Challenge Response Authentication Mechanism (SCRAM). SCRAM credentials are stored centrally in ZooKeeper, so SCRAM should only be used where the ZooKeeper cluster nodes run isolated on a private network. Unlike PLAIN, the password itself never crosses the wire; the client proves possession of it through a salted, iterated hash exchange. The SCRAM mechanisms require org.apache.kafka.common.security.scram.ScramLoginModule in sasl.jaas.config; the PlainLoginModule used for PLAIN will not authenticate with them.
Spring.kafka.ssl related configuration is also required. For TLS encryption and server authentication the client needs a truststore holding the CA certificate that signed the broker certificates; a keystore with the client's own private key and certificate is only needed if the brokers additionally require client certificates. Both are usually files in Java KeyStore (JKS) format.
Values defined in values.yaml:

    kafka:
      sasl_ssl:
        security:
          protocol: SASL_SSL
        ssl:
          trust-store-type: JKS
          trust-store-location: file:///C:/Users/adityaputhuparambil/ltec-com-strimzi.jks
          trust-store-password: secret
        properties:
          sasl.mechanism: SCRAM-SHA-512
          # SCRAM mechanisms need ScramLoginModule, not the PlainLoginModule used for PLAIN
          sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username=admin password=admin_secret;
          ssl.endpoint.identification.algorithm:

Two points to check before reusing these values. The truststore location must be a path that exists inside the pod (the JKS file mounted from a Secret or ConfigMap), not a path on the developer workstation. An empty ssl.endpoint.identification.algorithm disables hostname verification of the broker certificate (the Kafka default is https); that is tolerable for a lab broker reached by IP address, but in production the property should be left at its default so that a valid certificate issued for a different host is rejected.

The Kafka configuration details are set in the override file as below:

    spring:
      kafka:
        security:
          protocol: '{{ .Values.kafka.sasl_ssl.security.protocol }}'
        ssl:
          trust-store-type: '{{ .Values.kafka.sasl_ssl.ssl.trust-store-type }}'
          trust-store-location: '{{ .Values.kafka.sasl_ssl.ssl.trust-store-location }}'
          trust-store-password: '{{ .Values.kafka.sasl_ssl.ssl.trust-store-password }}'
        properties:
          sasl.mechanism: '{{ index .Values.kafka.sasl_ssl.properties "sasl.mechanism" }}'
          sasl.jaas.config: '{{ index .Values.kafka.sasl_ssl.properties "sasl.jaas.config" }}'
          ssl.endpoint.identification.algorithm: '{{ index .Values.kafka.sasl_ssl.properties "ssl.endpoint.identification.algorithm" }}'
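The following lint is an added example for both the SASL_PLAINTEXT (section 2) and SASL_SSL (section 3) settings; it is not part of this page or of the CPS/ONAP code. It parses Spring Boot style properties and reports what a reviewer checks before deploying a Kafka client: a protocol without TLS, a sasl.mechanism paired with the wrong JAAS login module, a literal password inside sasl.jaas.config, a missing truststore, and an empty ssl.endpoint.identification.algorithm. The three property texts are constructed here: the first two mirror the page's values (the SASL_SSL one deliberately keeps the PlainLoginModule that SCRAM does not accept, so the mismatch check has something to find), the third is a corrected SASL_SSL variant. The truststore path /etc/kafka/truststore.jks, the environment variable names, the function names and the finding wording are this example's own.

```python
"""Lint Spring Kafka client security settings (added example, not CPS/ONAP code).

The three property texts below are constructed for this example. The first two
mirror the SASL_PLAINTEXT and SASL_SSL values shown on the page (the SASL_SSL one
keeps the PlainLoginModule that SCRAM does not accept); the third is a corrected
SASL_SSL variant. Paths, variable names and finding texts are this example's own.
"""
import re
from typing import Dict, List

PROTOCOLS = {"PLAINTEXT", "SSL", "SASL_PLAINTEXT", "SASL_SSL"}

# JAAS login module a Kafka client must name in sasl.jaas.config for each mechanism.
LOGIN_MODULES = {
    "PLAIN": "org.apache.kafka.common.security.plain.PlainLoginModule",
    "SCRAM-SHA-256": "org.apache.kafka.common.security.scram.ScramLoginModule",
    "SCRAM-SHA-512": "org.apache.kafka.common.security.scram.ScramLoginModule",
    "OAUTHBEARER": "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule",
    "GSSAPI": "com.sun.security.auth.module.Krb5LoginModule",
}

P = "spring.kafka."  # Spring Boot prefix for the Kafka client settings

SASL_PLAINTEXT_PROPS = """\
spring.kafka.security.protocol=SASL_PLAINTEXT
spring.kafka.properties.sasl.mechanism=PLAIN
spring.kafka.properties.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username=admin password=admin_secret;
spring.kafka.properties.ssl.endpoint.identification.algorithm=
"""

SASL_SSL_PROPS = """\
spring.kafka.security.protocol=SASL_SSL
spring.kafka.ssl.trust-store-type=JKS
spring.kafka.ssl.trust-store-location=file:///etc/kafka/truststore.jks
spring.kafka.ssl.trust-store-password=secret
spring.kafka.properties.sasl.mechanism=SCRAM-SHA-512
spring.kafka.properties.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username=admin password=admin_secret;
spring.kafka.properties.ssl.endpoint.identification.algorithm=
"""

# Corrected variant: ScramLoginModule, credentials from the environment, hostname check on.
HARDENED_SASL_SSL_PROPS = """\
spring.kafka.security.protocol=SASL_SSL
spring.kafka.ssl.trust-store-type=JKS
spring.kafka.ssl.trust-store-location=file:///etc/kafka/truststore.jks
spring.kafka.ssl.trust-store-password=${KAFKA_TRUSTSTORE_PASSWORD}
spring.kafka.properties.sasl.mechanism=SCRAM-SHA-512
spring.kafka.properties.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="${KAFKA_USER}" password="${KAFKA_PASSWORD}";
spring.kafka.properties.ssl.endpoint.identification.algorithm=https
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java-properties style key=value lines. Splits on the first '=' only,
    so the '=' signs inside the JAAS string stay in the value."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def literal_secret(token: str) -> bool:
    """True when a JAAS password is hard-coded rather than an environment
    ('${...}') or Helm ('{{ ... }}') placeholder."""
    return not (token.startswith("${") or token.startswith("{{"))


def lint_kafka_security(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    protocol = props.get(P + "security.protocol", "PLAINTEXT")  # Kafka client default
    if protocol not in PROTOCOLS:
        return [f"unknown security.protocol {protocol!r}"]
    if not protocol.endswith("SSL"):
        findings.append(f"{protocol}: credentials and messages cross the network unencrypted")
    if protocol.startswith("SASL"):
        mechanism = props.get(P + "properties.sasl.mechanism", "GSSAPI")  # Kafka client default
        jaas = props.get(P + "properties.sasl.jaas.config", "")
        expected = LOGIN_MODULES.get(mechanism)
        if expected is None:
            findings.append(f"unknown sasl.mechanism {mechanism!r}")
        elif not jaas:
            findings.append("sasl.jaas.config is missing; the client has no credentials")
        else:
            module = jaas.split()[0]  # the JAAS string starts with the login module class
            if module != expected:
                findings.append(f"sasl.mechanism {mechanism} requires {expected}, but sasl.jaas.config names {module}")
            m = re.search(r'password="?([^\s;"]+)', jaas)
            if m and literal_secret(m.group(1)):
                findings.append("sasl.jaas.config carries a literal password; inject it from a Secret")
    if protocol.endswith("SSL"):
        for key in ("ssl.trust-store-location", "ssl.trust-store-password"):
            if not props.get(P + key):
                findings.append(f"{key} is missing; the broker certificate cannot be verified")
        alg = P + "properties.ssl.endpoint.identification.algorithm"
        if alg in props and props[alg] == "":
            findings.append("ssl.endpoint.identification.algorithm is empty: hostname verification is disabled (Kafka default is https)")
    return findings


if __name__ == "__main__":
    for name, text in (("SASL_PLAINTEXT", SASL_PLAINTEXT_PROPS),
                       ("SASL_SSL", SASL_SSL_PROPS),
                       ("SASL_SSL hardened", HARDENED_SASL_SSL_PROPS)):
        print(f"== {name}")
        for finding in lint_kafka_security(parse_properties(text)) or ["no findings"]:
            print("  -", finding)
```

Run against the page's SASL_PLAINTEXT settings the lint reports the cleartext transport and the inline password; against the SASL_SSL settings it reports the PlainLoginModule/SCRAM mismatch, the inline password and the disabled hostname verification; the hardened variant passes clean. The DMaaP default is flagged on purpose: SASL_PLAINTEXT is fine as the documented default of the lab broker, but the finding is the prompt to move to SASL_SSL once the truststore is available.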
A few additional SSL-related properties also need to be configured, as shown below:
...
NOTE: Topics are auto-created in ONAP DMaaP Kafka, so topic creation is out of scope for the CPS POC.
Proof of Concept:
The POC was performed with ONAP DMaaP Message Router Kafka running on a k8s environment (172.16.1.205) in the Nordix lab. The configuration details for both cps-core and cps-temporal are shared below:
...