Using Fastcapa in a Kerberized Environment
The Fastcapa probe can be used in a Kerberized environment. Follow these additional steps to use Fastcapa with Kerberos. The following assumptions have been made. These might need to be altered to fit your environment.
The Kafka broker is at kafka1:6667.
ZooKeeper is at zookeeper1:2181.
The Kafka security protocol is SASL_PLAINTEXT.
The keytab used is located at /etc/security/keytabs/metron.headless.keytab.
The service principal is metron@EXAMPLE.COM.

Build Librdkafka with SASL support (--enable-sasl).

    wget https://github.com/edenhill/librdkafka/archive/v0.9.4.tar.gz -O - | tar -xz
    cd librdkafka-0.9.4/
    ./configure --prefix=$RDK_PREFIX --enable-sasl
    make
    make install

Validate that Librdkafka supports SASL. Run the following command and ensure that sasl is returned as a built-in feature.

    $ examples/rdkafka_example -X builtin.features
    builtin.features = gzip,snappy,ssl,sasl,regex

If it is not, ensure that you have libsasl or libsasl2 installed. On CentOS, this can be installed with the following command.

    yum install -y cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi

Grant access to your Kafka topic. In this example, the Kafka topic is simply named pcap.

    $KAFKA_HOME/bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer \
      --authorizer-properties zookeeper.connect=zookeeper1:2181 \
      --add --allow-principal User:metron --topic pcap

Obtain a Kerberos ticket.

    kinit -kt /etc/security/keytabs/metron.headless.keytab metron@EXAMPLE.COM

Add the following additional configuration values to your Fastcapa configuration file.

    security.protocol = SASL_PLAINTEXT
    sasl.kerberos.keytab = /etc/security/keytabs/metron.headless.keytab
    sasl.kerberos.principal = metron@EXAMPLE.COM

Now run Fastcapa as you normally would. It should have no problem landing packets in your Kerberized Kafka broker.
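
The checks from the steps above can be collected into a preflight script. This is an added example, not part of Fastcapa or Metron: the function names are hypothetical, and the keytab permission test is an extra hardening check that the steps do not describe.

```shell
#!/bin/sh
# Added example: preflight checks for the Kerberos setup on this page.
# Function names are hypothetical. Usage (paths are yours to supply):
#   preflight "$(examples/rdkafka_example -X builtin.features)" /path/to/fastcapa.conf

# Succeeds if "sasl" is listed in a "builtin.features = a,b,c" line.
has_sasl_feature() {
  _features=$(printf '%s' "${1#*=}" | tr -d ' \t')
  case ",$_features," in
    *,sasl,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints the value of key $2 from "key = value" lines in config file $1.
conf_value() {
  awk -v k="$2" '
    { i = index($0, "="); if (!i) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) { print val; exit } }' "$1"
}

# Succeeds if the keytab is readable and grants nothing to group or other.
# A keytab is a long-lived credential, so this check is added as hardening.
keytab_is_private() {
  [ -r "$1" ] || return 1
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Runs every check and reports all failures; returns non-zero if any failed.
# $1 = builtin.features line, $2 = Fastcapa configuration file.
preflight() {
  _rc=0
  has_sasl_feature "$1" || { echo "librdkafka lacks sasl support" >&2; _rc=1; }
  case "$(conf_value "$2" security.protocol)" in
    # The page uses SASL_PLAINTEXT; SASL_SSL is the TLS-encrypted variant.
    SASL_PLAINTEXT|SASL_SSL) ;;
    *) echo "security.protocol is not a SASL protocol" >&2; _rc=1 ;;
  esac
  [ -n "$(conf_value "$2" sasl.kerberos.principal)" ] ||
    { echo "sasl.kerberos.principal is not set" >&2; _rc=1; }
  keytab_is_private "$(conf_value "$2" sasl.kerberos.keytab)" ||
    { echo "keytab missing or accessible by group/other" >&2; _rc=1; }
  return "$_rc"
}
```
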