Does Kafka-utils support SASL
cocotier opened this issue · 5 comments
Does Kafka-utils support SASL with Kafka Client properties?
Hi, I'm also interested in that subject. Found any solution yet?
@cocotier @djoul2706 are you referring to Kafka protocol or?
I managed to run kafka-utils processes under SASL_PLAINTEXT since, if you dig into the code a bit, kafka-utils is almost purely reading ZooKeeper's znodes (which are already recommended to be in world:r mode) and using HTTP and SSH.
@iMajna How did you change the configuration settings to allow for a SASL connection? I am interested in allowing for that type of connection.
@tmendenhall
Just to clarify, kafka_utils in my case didn't behave like a client which authenticated to the Kafka cluster; I think that is not the intention atm.
My cluster sample looks the same as for a Kafka cluster which supports only the PLAINTEXT protocol. So no changes are needed in sample_config.yml!
An important thing to know is that Kafka clusters which are Kerberized are by default setting host to null; that's a known issue. Like this:
If we try to get the information for kafka broker znode after enabling kerberos, it shows as below:
```
get /brokers/ids/1002
{"jmx_port":-1,"timestamp":"1312312312","endpoints":["PLAINTEXTSASL://xxxx.domain.com:9092"],"host":null,"version":2,"port":-1}
```
That's the reason why you can't read any hosts while trying to execute rolling_restart, for example. kafka_utils is reading host and since it is null you get null as feedback.
The only way to handle this is to manually change it. **Be aware that after each restart of the broker, the host var in ZooKeeper is changed to the default null again.**
The default ‘host’ and ‘port’ here in Zookeeper are used to maintain backward compatibility for older Kafka clients, but only PLAINTEXT protocol is supported as default.
If the broker does not listen on PLAINTEXT protocol, for example PLAINTEXTSASL after kerberizing, an empty endpoint (that is, "host":null,"port":-1) will be registered and older clients will break.
Changing host property in Zookeeper:
```
[zk: localhost:2181(CONNECTED) 2] set /brokers/ids/1001 {"jmx_port":-1,"timestamp":"1312312312","endpoints":["PLAINTEXTSASL://txxxx.domain.com:9092"],"host":"txxxx.domain.com","version":3,"port":9092}
```
Hope you find this helpful. :)
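The null `host` / `-1` `port` case described in the comment above can also be handled on the reading side by falling back to the `endpoints` list, which survives broker restarts. This is an added example, not kafka-utils code and not part of any comment in this thread; `parse_endpoint` and `resolve_broker` are hypothetical names, and the sample payload is the znode quoted above.

```python
import json

# Constructed sample: the kerberized broker znode payload quoted in the thread.
SAMPLE_ZNODE = (
    '{"jmx_port":-1,"timestamp":"1312312312",'
    '"endpoints":["PLAINTEXTSASL://xxxx.domain.com:9092"],'
    '"host":null,"version":2,"port":-1}'
)


def parse_endpoint(endpoint):
    """Split 'PROTOCOL://host:port' into (protocol, host, port).

    Parsed by hand because listener names such as SASL_PLAINTEXT contain an
    underscore, which urllib does not accept as a URL scheme character.
    """
    protocol, sep, authority = endpoint.partition("://")
    host, colon, port = authority.rpartition(":")
    host = host.strip("[]")  # tolerate bracketed IPv6 literals
    if not (sep and colon and protocol and host and port.isdigit()):
        raise ValueError("malformed endpoint: %r" % (endpoint,))
    return protocol, host, int(port)


def resolve_broker(znode_payload, allowed_protocols=None):
    """Return (host, port, source) for one /brokers/ids/<id> payload.

    Uses the legacy host/port fields when populated, otherwise the first
    entry in 'endpoints' whose protocol is in allowed_protocols (None = any).
    """
    data = json.loads(znode_payload)
    host, port = data.get("host"), data.get("port")
    if host and isinstance(port, int) and port > 0:
        return host, port, "legacy"
    for endpoint in data.get("endpoints") or []:
        protocol, ep_host, ep_port = parse_endpoint(endpoint)
        if allowed_protocols is None or protocol in allowed_protocols:
            return ep_host, ep_port, "endpoints"
    raise LookupError("broker znode has no usable host/port or endpoint")


if __name__ == "__main__":
    print(resolve_broker(SAMPLE_ZNODE))
```

Passing `allowed_protocols` lets a caller refuse brokers that only advertise a listener it is not prepared to use, instead of silently picking the first one.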
The underlying kafka-python lib supports some SASL setups...