Lab: Configure ACLs to Manage Authorization
Lab Exercise: Enable Authorization
Modify your cluster to enable authorization of type simple. Add your KafkaUser client-01 as a superuser. Test that your
user still has access.
Strimzi Documentation
To get started: https://strimzi.io/docs/operators/latest/deploying#con-securing-kafka-authorization-str
CR references: https://strimzi.io/docs/operators/latest/configuring#type-KafkaUserAuthorizationSimple-reference
Adding a Superuser
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
# ...
spec:
  kafka:
    # ...
    authorization:
      type: simple
      superUsers:
        - client-01
    # ...
Testing your KafkaUser: (method: otc-admin)
Executing this command should print the name and ID of the topic test-0.
$ otc-admin -c /config/cluster-1/client-tls-scram-client01.properties get topic/test-0
Testing your KafkaUser: (method: kafka-console-producer)
Replace MY_NAMESPACE with your personal namespace.
$ kafka-console-producer \
--bootstrap-server cluster-1-kafka-bootstrap.MY_NAMESPACE:9094 \
--producer.config /config/cluster-1/client-tls-scram-client01.properties \
--topic test-0 < /opt/samples/messages_glados_still_alive.txt
Lab Exercise: Adding Fine-Grained Authorization via ACLs
Step 1: Creating a non-super KafkaUser
To enable the evaluation of ACLs, create a new KafkaUser called client-02.
Solution
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: client-02
  namespace: MY_NAMESPACE
  labels:
    strimzi.io/cluster: cluster-1
spec:
  authentication:
    type: scram-sha-512
Step 2: Add a Configuration for the User
Hint
Use the template workspace/exercises/setup_security/setup_acls/cluster-1_client-cfg.configmap.yaml.template to
implement this iteration of your client configuration ConfigMap definition.
Remember to also enter the correct JAAS config for client-tls-scram-client01.properties or the existing entry
in the ConfigMap will be overridden.
Add a new .properties file to your client configuration ConfigMap using the key
client-tls-scram-client02.properties. It should match the configuration for client-01 but contain the correct
JAAS config string. Verify that this user does not have access by trying to describe or publish to the topic test-0.
Client Configuration
Remember to replace YOUR_NAMESPACE and to enter the correct JAAS config for client-02.
  client-tls-scram-client02.properties: |
    # same cluster and port as the client-01 configuration
    bootstrap.servers=cluster-1-kafka-bootstrap.YOUR_NAMESPACE:9094
    sasl.mechanism=SCRAM-SHA-512
    # enter the content of configmap/client-02.sasl.jaas.config
    #sasl.jaas.config=REPLACE ME
    security.protocol=SASL_SSL
    ssl.truststore.location=/run/secrets/ca/truststore.jks
    ssl.truststore.type=JKS
    ssl.truststore.password=changeit
    parse.key=true
    key.separator=:
Testing missing access (method: otc-admin)
Because client-02 has no ACLs yet, executing this command should fail with an authorization error instead of printing the name and ID of the topic test-0.
$ otc-admin -c /config/cluster-1/client-tls-scram-client02.properties get topic/test-0
Step 3: Authorizing your KafkaUser
Modify the definition of your second KafkaUser client-02 to grant it access to the topic test-0. Your user should:
- be allowed to Describe, Consume and Publish to the topic test-0
- not be allowed to access other topics
After modifying access for your user, verify your changes by executing a command using the Debug CLI pod.
Strimzi Documentation
https://strimzi.io/docs/operators/latest/deploying#con-securing-client-authorization-str
Solution
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: client-02
  namespace: MY_NAMESPACE
  labels:
    strimzi.io/cluster: cluster-1
spec:
  authentication:
    type: scram-sha-512
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: test-0
          patternType: literal
        operations:
          - Describe
          - Read
          - Write
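As an added example (not part of the lab or of Strimzi), the following Python models how the simple authorizer decides a request for the two users in this lab: superusers bypass ACL evaluation, an explicit deny wins over any allow, and with no matching ACL the default is deny. The superuser set and the client-02 ACL entries are constructed from the YAML above using the same field names; host matching is omitted.

```python
"""Offline model of Kafka's 'simple' authorizer decision for this lab's ACLs.
Added example, not lab or Strimzi code; host matching is deliberately omitted."""

# Operations that implicitly grant Describe / DescribeConfigs in Kafka's authorizer.
IMPLIES = {"Describe": {"Read", "Write", "Delete", "Alter"},
           "DescribeConfigs": {"AlterConfigs"}}

# Constructed to mirror the lab: spec.kafka.authorization.superUsers and the
# spec.authorization.acls entries of KafkaUser client-02 (same field names).
SUPER_USERS = {"client-01"}
ACLS = {"client-02": [
    {"resource": {"type": "topic", "name": "test-0", "patternType": "literal"},
     "operations": ["Describe", "Read", "Write"], "type": "allow"},
]}

def _matches(rule, res_type, res_name):
    """Does the rule's resource pattern cover this resource?"""
    r = rule["resource"]
    if r["type"] != res_type:
        return False
    if r.get("patternType", "literal") == "prefix":
        return res_name.startswith(r["name"])
    return r["name"] in ("*", res_name)        # literal: exact name or wildcard

def _covers(rule, op, with_implied):
    """Does the rule list op, All, or (for allow rules) an operation implying op?"""
    wanted = {op, "All"} | (IMPLIES.get(op, set()) if with_implied else set())
    return bool(set(rule.get("operations", [])) & wanted)

def is_allowed(user, op, res_type, res_name):
    """True if `user` may perform `op` on the resource; no matching ACL means deny."""
    if user in SUPER_USERS:                    # superusers skip ACL evaluation
        return True
    rules = [r for r in ACLS.get(user, []) if _matches(r, res_type, res_name)]
    if any(r.get("type", "allow") == "deny" and _covers(r, op, False) for r in rules):
        return False                           # explicit deny beats any allow
    return any(r.get("type", "allow") == "allow" and _covers(r, op, True) for r in rules)

if __name__ == "__main__":
    for user, op, rt, rn in [("client-01", "Delete", "topic", "test-1"),
                             ("client-02", "Describe", "topic", "test-0"),
                             ("client-02", "Read", "topic", "test-1"),
                             ("client-02", "Read", "group", "my-group")]:
        verdict = "ALLOW" if is_allowed(user, op, rt, rn) else "DENY"
        print(f"{user:9} {op:8} {rt}/{rn}: {verdict}")
```

The last case is denied on purpose: a consumer also needs Read on its consumer group resource, so the Solution above lets client-02 describe and produce to test-0, but a console consumer joining a group would still be rejected until a matching group ACL is added.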