
Connect to kerberized cluster with keytab

Open moinmoin opened this issue 5 years ago • 4 comments

We try to connect to a kerberized Kafka Cluster.

In Java we use a keytab to achieve that. The JAAS file looks like this (we use SASL_SSL and GSSAPI):

    KafkaClient {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/etc/schema-registry/username.keytab"
        debug=true
        serviceName="kafka"
        doNotPrompt=true
        principal="[email protected]";
    };

Steps to reproduce

Tell us what you did to cause something to happen.

Expected behavior

Is it possible to do that with faust too?

We try something like this:

    import ssl

    import faust

    # TLS context: trust the cluster CA and present a client certificate
    ssl_context = ssl.create_default_context(
        purpose=ssl.Purpose.SERVER_AUTH, cafile='ca.pem')
    ssl_context.load_cert_chain('client.cert', keyfile='client.key')

    # SASL/GSSAPI over TLS
    app = faust.App(
        broker_credentials=faust.GSSAPICredentials(
            kerberos_service_name='faust',
            kerberos_domain_name='example.com',
            ssl_context=ssl_context,
        ),
    )

We get a Kerberos error that the "server is not in the list". We wonder how to supply the Kerberos principal in this case. Should this work?

Versions

  • Python version 3.6.8
  • Faust version : 1.9.0
  • Operating system CentOS 7
  • Kafka version 2.2
  • RocksDB version (if applicable)

moinmoin • Jan 07 '20 17:01
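
An added example, not from the thread or the Faust project: it parses the JAAS stanza from the post above and compares it with the keyword arguments given to `faust.GSSAPICredentials`, showing that the two service names differ and that the keytab and principal are not passed in. `POSTED_KWARGS`, `parse_jaas` and `compare_with_faust` are names made up here, and where the client identity comes from instead is an assumption noted in the code.

```python
import re

# JAAS stanza from the issue, reflowed; the principal is kept as the page shows it.
JAAS = """KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/schema-registry/username.keytab"
  debug=true
  serviceName="kafka"
  doNotPrompt=true
  principal="[email protected]";
};"""

# Keyword arguments passed to faust.GSSAPICredentials in the issue (ssl_context omitted).
POSTED_KWARGS = {"kerberos_service_name": "faust", "kerberos_domain_name": "example.com"}


def parse_jaas(text, section="KafkaClient"):
    """Return (login_module, control_flag, options) for one JAAS section."""
    m = re.search(r"\b%s\s*\{(.*?)\}\s*;" % re.escape(section), text, re.S)
    if m is None:
        raise ValueError("JAAS section %r not found" % section)
    body = m.group(1).strip().rstrip(";")
    module, flag, rest = body.split(None, 2)
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', rest)
    return module, flag, {key: quoted or bare for key, quoted, bare in pairs}


def compare_with_faust(options, kwargs):
    """List where the Faust settings diverge from the working JAAS login."""
    findings = []
    service = options.get("serviceName")
    if service and kwargs.get("kerberos_service_name") != service:
        # The client asks the KDC for a ticket to <service>/<broker host>, so this
        # must name the service the brokers run as, not the client application.
        findings.append("kerberos_service_name=%r, JAAS serviceName=%r"
                        % (kwargs.get("kerberos_service_name"), service))
    if options.get("useKeyTab") == "true":
        for key in ("keyTab", "principal"):
            if key in options:
                # Assumption: with no matching keyword, the client identity comes
                # from the process's Kerberos environment (ticket cache or keytab).
                findings.append("%s=%r is not passed to GSSAPICredentials"
                                % (key, options[key]))
    return findings


if __name__ == "__main__":
    _, _, opts = parse_jaas(JAAS)
    for line in compare_with_faust(opts, POSTED_KWARGS):
        print(line)
```
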

I have the same question. Any updates on making this work with SASL_SSL and keytabs?

metalshanked • Aug 07 '20 19:08

@moinmoin @metalshanked did you make it work after all? Or since there is no new info in this issue, can we assume that this feature is currently not available?

poimenidou • Apr 12 '21 13:04

We are using Kafka Streams instead, in some cases ksqldb.io

moinmoin • Apr 13 '21 12:04

Any update on this? We are planning to use faust with SASL_SSL and Kerberos keytabs.

mars76 • Jul 12 '22 13:07