You can use the Fastcapa probe in a Kerberized environment.
The following task assumes that you have configured the
following values. If necessary, change these values to match your environment.
The Kafka
broker is at kafka1:6667
.
ZooKeeper is at
zookeeper1:2181
.
The Kafka security protocol is
SASL_PLAINTEXT
.
The keytab used is located at
/etc/security/keytabs/metron.headless.keytab
.
The service
principal is metron@EXAMPLE.COM
.
-
Build Librdkafka with SASL support (
--enable-sasl
):
wget https://github.com/edenhill/librdkafka/archive/v0.9.4.tar.gz -O - | tar -xz
cd librdkafka-0.9.4/
./configure --prefix=$RDK_PREFIX --enable-sasl
make
make install
-
Verify that Librdkafka supports SASL:
$ examples/rdkafka_example -X builtin.features
builtin.features = gzip,snappy,ssl,sasl,regex
-
If Librdkafka does not support SASL, install
libsasl
or
libsasl2
. Use the following command to install
libsasl
on your CentOS environment:
yum install -y cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi
-
Grant access to your Kafka topic (in this example, named pcap):
$KAFKA_HOME/bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer \
--authorizer-properties zookeeper.connect=zookeeper1:2181 \
--add --allow-principal User:metron --topic pcap
-
Obtain a Kerberos ticket:
kinit -kt /etc/security/keytabs/metron.headless.keytab metron@EXAMPLE.COM
-
Add the following additional configuration values to your Fastcapa configuration
file:
security.protocol = SASL_PLAINTEXT
sasl.kerberos.keytab = /etc/security/keytabs/metron.headless.keytab
sasl.kerberos.principal = metron@EXAMPLE.COM
For example:
$ pycapa --producer \
--interface eth0 \
--kafka-broker kafka1:6667 \
--kafka-topic pcap --max-packets 10 \
-X security.protocol=SASL_PLAINTEXT \
-X sasl.kerberos.keytab=/etc/security/keytabs/metron.headless .keytab \
-X sasl.kerberos.principal=metron-metron@METRONEXAMPLE.COM
INFO:root:Connecting to Kafka; {'sasl.kerberos.principal': 'metron-metron@METRONEXAMPLE.COM', 'group.id': 'ORNLVWJZZUAA', 'security.protocol': 'SASL_PLAINTEXT', 'sasl.kerberos.keytab': '/etc/security/keytabs/metron.headless.keytab', 'bootstrap.servers': 'kafka1:6667'}
INFO:root:Starting packet capture
INFO:root:Waiting for '1' message(s) to flush
INFO:root:'10' packet(s) in, '10' packet(s) out
-
Run Fastcapa