Security support for mesos-kafka

Open CBR09 opened this issue 7 years ago • 7 comments

Hi, I see mesos-kafka doesn't support security. I want to authenticate between broker and producer. For the short term, is there any workaround for this? For the long term, where is the code I need to modify? Thanks

CBR09 avatar Mar 10 '17 03:03 CBR09

As a drop-in solution, you can change this line https://github.com/mesos/kafka/blob/master/src/scala/main/ly/stealth/mesos/kafka/scheduler/mesos/MesosTaskFactory.scala#L95 into

    defaults += ("listeners" -> s"SSL://:${ reservation.port }")

Then, pass the configurations for Kafka SSL when you create the broker. Make sure that you enable interbroker SSL in the config too, since we only listen on 1 port.

I'm willing to work on a PR for this to support PLAINTEXT in interbroker connections too. (Basically, we have to make listeners listen on one more port, right?)

codenamelxl avatar Mar 15 '17 02:03 codenamelxl

I'm interested in this too and willing to pick up some part of the implementation if needed.

ror6ax avatar Mar 21 '17 20:03 ror6ax

Hi, is anyone working on it? I'm sort of stuck on enabling PLAINTEXT. I'd appreciate some help with how to approach this.

ror6ax avatar Apr 24 '17 10:04 ror6ax

I can help you conceptually, want to detail what you've tried so far?

steveniemitz avatar Apr 24 '17 19:04 steveniemitz

@ror6ax As I said, I have only tried to change the listeners in that file to SSL. And it works with SSL flawlessly. However, I think it would be a plus if we could make it listen on both SSL and PLAINTEXT. Namely, we need to make it listen on 2 ports, and I doubt this would be an easy change... Haven't taken a close look into it though.

codenamelxl avatar Apr 25 '17 03:04 codenamelxl

@codenamelxl can you please show how you enable SSL in the config?

ror6ax avatar Apr 26 '17 11:04 ror6ax

@ror6ax Forget what I said earlier. You just have to put the appropriate config to set up Kafka security, as defined at https://kafka.apache.org/documentation/#security_ssl, into a file (e.g. server.properties). Then update the broker through the kafka mesos CLI with the flag --options file:server.properties. That's it.

codenamelxl avatar Jul 18 '17 10:07 codenamelxl
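
A pre-flight check for the options file discussed in this thread, added here as an example (it is not code from the mesos-kafka project or from any commenter). It flags the two defaults that matter for the original question: Kafka's inter-broker protocol defaults to PLAINTEXT, and `ssl.client.auth` defaults to `none`, so TLS alone does not authenticate producers. The function names, the sample file and the assumption that listeners are named after their protocol are mine.

```python
REQUIRED_KEYS = (
    "ssl.keystore.location", "ssl.keystore.password",
    "ssl.truststore.location", "ssl.truststore.password",
)

# Constructed sample: inter-broker SSL is set, client authentication is not.
SAMPLE = """\
# server.properties (constructed sample, placeholder paths and passwords)
security.inter.broker.protocol=SSL
ssl.keystore.location=/path/to/broker.keystore.jks
ssl.keystore.password=CHANGEME
ssl.truststore.location=/path/to/broker.truststore.jks
ssl.truststore.password=CHANGEME
"""

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_ssl_options(text):
    """Return a list of findings; an empty list means the file passes."""
    props = parse_properties(text)
    findings = [f"missing {k}" for k in REQUIRED_KEYS if not props.get(k)]
    # With a single SSL listener, brokers left on the PLAINTEXT default cannot talk.
    inter = props.get("security.inter.broker.protocol", "PLAINTEXT").upper()
    if inter != "SSL":
        findings.append(f"security.inter.broker.protocol is {inter}, expected SSL")
    # Only 'required' forces every producer to present a trusted certificate.
    auth = props.get("ssl.client.auth", "none").lower()
    if auth != "required":
        findings.append(f"ssl.client.auth is {auth}, producers are not authenticated")
    # If the file overrides listeners, each one must be SSL (names assumed = protocol).
    for entry in filter(None, (e.strip() for e in props.get("listeners", "").split(","))):
        if entry.split("://", 1)[0].upper() != "SSL":
            findings.append(f"non-SSL listener: {entry}")
    return findings

if __name__ == "__main__":
    for finding in check_ssl_options(SAMPLE):
        print("FINDING:", finding)
```

Run it against the file before handing it to `--options file:server.properties`; the sample reports the missing client-authentication setting.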