
Added support for AWS MSK IAM

Open mbartusiak opened this issue 4 years ago • 10 comments

AWS announced support for a new SASL mechanism called AWS_MSK_IAM which enables to handle both authentication and authorisation with AWS IAM. I added the dependency on aws-msk-iam-auth to enable support for that mechanism.

More on that: https://aws.amazon.com/blogs/big-data/securing-apache-kafka-is-easy-and-familiar-with-iam-access-control-for-amazon-msk/

mbartusiak avatar May 12 '21 11:05 mbartusiak

Hi there! Any news about this very helpful PR? We really need this feature to use Kafdrop in our managed kafka in AWS with IAM authentication.

fabioformosa avatar Jun 07 '21 15:06 fabioformosa

@mbartusiak Hi, did you add the client properties to support IAM access control?
  ssl.truststore.location=<PATH_TO_TRUST_STORE_FILE>
  security.protocol=SASL_SSL
  sasl.mechanism=AWS_MSK_IAM
  sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required;
  sasl.client.callback.handler.class=software.amazon.msk.auth.iam.IAMClientCallbackHandler

manee2k6 avatar Jun 09 '21 03:06 manee2k6

@manee2k6 Yes, I passed those client properties and tested successfully that it works for an IAM enabled MSK cluster.

mbartusiak avatar Jun 09 '21 08:06 mbartusiak

@mbartusiak It would be great if you could help me with the steps. I am trying to make changes in the code, which is causing issues. Your help here is highly appreciated. Email: [email protected], or Zoom would do.

manee2k6 avatar Jun 09 '21 10:06 manee2k6

I've followed these steps using the source code of this PR:

  • Encoded this string in base64:
      security.protocol=SASL_SSL
      sasl.mechanism=AWS_MSK_IAM
      sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required;
      sasl.client.callback.handler.class=software.amazon.msk.auth.iam.IAMClientCallbackHandler
  • Set the env on the kafdrop container: KAFKA_PROPERTIES=THE_ENCODED_STRING_AT_THE_PREV_STEP
  • Got this error:
      ERROR [| kafdrop-admin] o.a.k.c.NetworkClient  : [AdminClient clientId=kafdrop-admin] Connection to node -2 (b-2.xxx.kafka.eu-south-1.amazonaws.com:9098) failed authentication due to: Access denied
      WARN [| kafdrop-admin] o.a.k.c.a.i.AdminMetadataManager  : [AdminClient clientId=kafdrop-admin] Metadata update failed due to authentication error

I didn't specify the truststore because I read this here: https://aws.amazon.com/blogs/big-data/securing-apache-kafka-is-easy-and-familiar-with-iam-access-control-for-amazon-msk/

The ssl.truststore.location is unnecessary if your Java JDK distribution already trusts the TLS certificate of the MSK broker, which should be the case of all standard JDK distributions, because the TLS certificate is public.

Any ideas?

Must these props be set?

--kafka.isSecured=true 
--kafka.env=some_env

Even if set, same error.

fabioformosa avatar Jun 16 '21 14:06 fabioformosa
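The base64 step in the procedure above is easy to get subtly wrong (a stray line wrap, a missing trailing `;` on the JAAS line), so here is an added check, my own Python and not code from Kafdrop or this PR, that builds the KAFKA_PROPERTIES value from the four properties quoted in the thread and decodes it back to confirm the AWS_MSK_IAM settings survived. It only rules out the encoding as the cause; an "Access denied" from the broker with a correct blob points at the IAM policy attached to the credentials, which this script cannot inspect.

```python
import base64

# Client properties for the AWS_MSK_IAM SASL mechanism, as listed in the thread.
MSK_IAM_PROPERTIES = {
    "security.protocol": "SASL_SSL",
    "sasl.mechanism": "AWS_MSK_IAM",
    "sasl.jaas.config": "software.amazon.msk.auth.iam.IAMLoginModule required;",
    "sasl.client.callback.handler.class": "software.amazon.msk.auth.iam.IAMClientCallbackHandler",
}

def build_kafka_properties(props=MSK_IAM_PROPERTIES):
    """Render key=value lines and base64-encode them for the KAFKA_PROPERTIES env var."""
    text = "\n".join(f"{k}={v}" for k, v in props.items()) + "\n"
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def parse_kafka_properties(encoded):
    """Decode KAFKA_PROPERTIES back into a dict (blank lines and # comments ignored)."""
    text = base64.b64decode(encoded, validate=True).decode("utf-8")
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def check_msk_iam_properties(encoded):
    """Return the problems that would stop the client from negotiating AWS_MSK_IAM."""
    try:
        props = parse_kafka_properties(encoded)
    except (ValueError, UnicodeDecodeError) as exc:   # binascii.Error is a ValueError
        return [f"KAFKA_PROPERTIES is not valid base64 text: {exc}"]
    problems = []
    if props.get("security.protocol") != "SASL_SSL":
        problems.append("security.protocol must be SASL_SSL (IAM auth runs over TLS)")
    if props.get("sasl.mechanism") != "AWS_MSK_IAM":
        problems.append("sasl.mechanism must be AWS_MSK_IAM")
    jaas = props.get("sasl.jaas.config", "")
    if "IAMLoginModule" not in jaas or not jaas.endswith(";"):
        problems.append("sasl.jaas.config must name IAMLoginModule and end with ';'")
    handler = props.get("sasl.client.callback.handler.class")
    if handler != "software.amazon.msk.auth.iam.IAMClientCallbackHandler":
        problems.append("sasl.client.callback.handler.class must be IAMClientCallbackHandler")
    return problems

if __name__ == "__main__":
    encoded = build_kafka_properties()
    print(f"KAFKA_PROPERTIES={encoded}")
    print("problems:", check_msk_iam_properties(encoded) or "none")
```

Paste the printed value into the container's KAFKA_PROPERTIES, or run the check against the value you already set to see which of the four properties the blob lost.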

Any update on this? Would be nice to see.

laxgoalie392 avatar Oct 19 '21 21:10 laxgoalie392