apache
kafka security_protocol Does kafka support SASL_SSL?
Yes, Kafka does support SASL_SSL as one of its security protocols.You need to configure it in the broker's server.properties file, as well as in the clients' configuration. You also need to set up the appropriate authentication mechanisms, such as Kerberos, LDAP, or OAuth, depending on your organization's security requirements.
@liuwenzhi0318 Is your question related to apisix? Do you use apisix as a Kafka proxy and you're wondering does it support SASL_SSL?
@liuwenzhi0318 @macdoor The Kafka logger or pubsub in apisix supports SASL_SSL, but for the time being, no configuration is provided.
SASL_SSL simply means that the client authentication (SASL) is used over a protected connection (SSL) to prevent interception instead of over a plain connection.
@liuwenzhi0318 Would you please provide an example using kafka logger with sasl_ssl?
APISIX uses lua-resty-kafka, which has cosocket ssl options for ssl usage. But APISIX did not export them into the plugin configuration, so you can not use SSL now. Maybe we will add them later.
@macdoor @liuwenzhi0318 Contributions are welcome if you are interested in this feature :)
@moonming I'm interested and have free time, but I have very little development experience with lua+ngx, is this ok?
@moonming I'm interested and have free time, but I have very little development experience with lua+ngx, is this ok?
No worries, @Sn0rt and @kingluo can help you
@moonming I built a test environment, including apisix 3.4.1 development environment, apisix-dashboard 3.0.1, and kafka 3.5.1, and added a log output code to the existing kafka-logger.lua. The current code can support plaintext and sasl_plaintext modes, but it lacks support for sasl_ssl mode. What should I do next?
@moonming I built a test environment, including apisix 3.4.1 development environment, apisix-dashboard 3.0.1, and kafka 3.5.1, and added a log output code to the existing kafka-logger.lua. The current code can support plaintext and sasl_plaintext modes, but it lacks support for sasl_ssl mode. What should I do next?
Pass ssl and ssl_verify to lua-resty-kafka. As said before, SASL_SSL is just SASL over SSL.
@kingluo I added the ssl and ssl_verify parameters in kafka-logger.lua and passed them to the producer, and now I can send kafka messages through ssl
@liuwenzhi0318 If you want to use apisix to proxy kafka, you can refer to https://juejin.cn/post/7114175646502223903 to configure tls parameters in upstream
Due to lack of the reporter's response this issue has been labeled with "no response". It will be close in 3 days if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the [email protected] list. Thank you for your contributions.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.
Anyone can let me know, how to supply SSL certificates while using kafka-logger? I updated the kafka-logger code to pass ssl and ssl_verify parameters but getting SSL_read() failed - routines::ssl/tls alert bed certificates.
Configured below directives in config.yaml for client cert, private key and trusted cert:
lua_ssl_trusted_certificate lua_ssl_certificate_key lua_ssl_certificate
Appreciate your help
Hi @Baoyuantop Certificates are basically generated using tool "Microsoft AD CS" (Here we used Venafi) and then CSR goes for CA signing. Those are valid certificates.
Does your Kafka server need to verify client certificates? lua-resty-kafka doesn't seem to support passing client certificates.
ok. So you mean for now there is no solution except if we put any secure tunnel in-between e.g. kafka-proxy.
Thanks for your support @Baoyuantop Lets wait for updates from APISIX