SASL
Simple Authentication and Security Layer
Simple Authentication and Security Layer (SASL) is the default method for mutual authentication used by Axual components. It ensures that the parties at each side of the network connection are who they claim to be by verifying that their provided credentials are correct.
SASL support is implemented in Discovery API and Schema Registry by means of Basic Authentication. The same SASL credentials configured for applications are used to communicate with every service in the platform.
Broker
To enable Basic Authentication on the broker, you need to configure the broker to enable SASL.
Add or modify the following configuration in the Broker config file for the cluster.
Using Axual Helm Charts
- Enable the Kafka broker SCRAM-SHA-512 listener (Strimzi supports SCRAM-SHA-512 only):
core:
  kafka:
    kafka:
      scramsha512listener:
        enabled: true # default false
- For each broker, set the following configuration. You can skip this step if you are running locally with only one broker; the default listener is platform.local:31758.
core:
  kafka:
    kafka:
      scramsha512listener:
        enabled: true # default false
        listenerType: loadbalancer # default nodeport
        listenerConfiguration:
          bootstrap:
            # To pass custom annotations on the bootstrap listener service
            annotations: {}
          brokers:
            - broker: 0 # broker ID
              # Advertised host of the broker for the external listener
              # In case of an external loadbalancer, use your SASL broker host
              # this is unique per broker
              advertisedHost: "[advertisedHost]"
              # Advertised port, default is 9095
              advertisedPort: [advertisedPort]
              # Only needed if `scramsha512listener.listenerType` is set to `nodeport`
              # You must ensure that the port is free and available for use.
              nodePort: [nodePort]
              # To pass custom annotations on the external broker listener service
              annotations: {}
            - broker: 1 # same structure as broker 0
              # ...
            - broker: 2 # same structure as broker 0
              # ...
For more information about the different types of listeners, see the Strimzi documentation.
- Upgrade the Axual platform using the modified values.yaml:
helm upgrade --install platform axual-stable/platform -f values.yaml --version=<helm-chart-version> -n kafka
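The SCRAM-SHA-512 listener enabled above is what provides the mutual authentication described in the introduction. The following Python is an added illustration, not Axual's or Strimzi's code, of the four SCRAM messages exchanged between a client and a broker and the check each side performs; user names, passwords, salts and nonces are constructed values, and the iteration count is an assumption.

```python
import base64
import hashlib
import hmac
import os

HASH = "sha512"  # SCRAM-SHA-512, the mechanism the Strimzi listener offers

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _keys(password: str, salt: bytes, iterations: int) -> tuple:
    """Derive ClientKey and ServerKey (RFC 5802 section 3) from the password."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    return (hmac.new(salted, b"Client Key", HASH).digest(),
            hmac.new(salted, b"Server Key", HASH).digest())

def store_credentials(password: str, salt: bytes, iterations: int = 4096) -> dict:
    """What the broker keeps per user: StoredKey and ServerKey, never the password."""
    client_key, server_key = _keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha512(client_key).digest(), "server_key": server_key}

def scram_exchange(user: str, password: str, creds: dict, c_nonce: str = "", s_nonce: str = "") -> dict:
    """Run the four SCRAM messages and return both sides' verdicts (nonces are random unless given)."""
    c_nonce = c_nonce or base64.b64encode(os.urandom(18)).decode()
    s_nonce = s_nonce or base64.b64encode(os.urandom(18)).decode()
    # 1. client-first-message (bare part; the GS2 header "n,," precedes it on the wire)
    client_first = f"n={user},r={c_nonce}"
    # 2. server-first-message: combined nonce, the user's salt and iteration count
    nonce = c_nonce + s_nonce
    server_first = (f"r={nonce},s={base64.b64encode(creds['salt']).decode()},"
                    f"i={creds['iterations']}")
    # 3. client-final-message: proof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    client_key, server_key = _keys(password, creds["salt"], creds["iterations"])
    final_bare = f"c={base64.b64encode(b'n,,').decode()},r={nonce}"
    auth_msg = f"{client_first},{server_first},{final_bare}".encode()
    proof = _xor(client_key, hmac.new(hashlib.sha512(client_key).digest(), auth_msg, HASH).digest())
    client_final = f"{final_bare},p={base64.b64encode(proof).decode()}"
    # Broker side: recover ClientKey from the proof and compare its hash with StoredKey
    recovered = _xor(proof, hmac.new(creds["stored_key"], auth_msg, HASH).digest())
    client_ok = hmac.compare_digest(hashlib.sha512(recovered).digest(), creds["stored_key"])
    # 4. server-final-message: ServerSignature proves the broker holds ServerKey
    server_sig = hmac.new(creds["server_key"], auth_msg, HASH).digest()
    server_final = f"v={base64.b64encode(server_sig).decode()}"
    # Client side: only a broker holding the real ServerKey can produce this value
    server_ok = hmac.compare_digest(server_sig, hmac.new(server_key, auth_msg, HASH).digest())
    return {"client_first": client_first, "server_first": server_first,
            "client_final": client_final, "server_final": server_final,
            "client_ok": client_ok, "server_ok": server_ok}
```

Neither message carries the password: a wrong password fails the broker's check, and a broker that does not hold the user's ServerKey fails the client's check.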
Discovery API
SASL support is implemented in Discovery API and Schema Registry by means of Basic Authentication. The same SASL credentials configured for applications are used to communicate with every service in the platform.
With Basic Authentication, the /v2 endpoint can be accessed by providing an Authorization header carrying the Basic Authentication credentials (plugged in by the Axual client of your choice).
Make sure the Discovery API client truststore contains the CA certificate used by Instance API.
Instance API
- The Instance API configuration also needs to be updated in order to authorize connections from Discovery API instances. Modify the instance-api.sh file as follows:
INSTANCE_API_AUTHORIZED_CNS="'Old-existing-CN,NEW-Discovery-API-client-CN'"
- Restart the Instance API after you have changed the configuration to apply the changes.
Using Axual Helm Charts
Open the values.yaml for your instance Discovery API and append the following configuration to the security and tls property segments:
- Enable Basic Authentication:
platform/charts/instance/charts/discoveryapi/values.yaml
security:
  (...)
  basicAuth:
    # Enables/disables basic authentication
    enabled: true # default false
    # Override the Instance Manager URL if it runs outside the K8S cluster
    #authenticationUrlOverride: ""
tls:
  (...)
  # Client authentication options
  # need - Client authentication is needed and mandatory
  # want - Client authentication is wanted but not mandatory
  # none - Client authentication is not wanted
  clientAuth: want # default none
From Discovery-API 2.4.0 the variable clientAuth has changed from true/false to need/none/want. See the clientAuth mapping for details.
- Upgrade the Axual platform using the modified values.yaml:
helm upgrade --install platform axual-stable/platform -f values.yaml --version=<helm-chart-version> -n kafka
Instance API
The Instance API values also need to be updated in order to authorize the CN of the DA client key. Append the following to the same values.yaml file:
instance:
  instanceapi:
    security:
      enabled: true
      authorizedDns: "EXISTING-CN:MGMT-API-client,NEW-CN:DA-client"
- Upgrade the Axual platform using the modified values.yaml:
helm upgrade --install platform axual-stable/platform -f values.yaml --version=<helm-chart-version> -n kafka
Schema Registry (slave)
SASL support in Schema Registry (SR) is implemented by means of Basic Authentication. The SR API can be accessed by providing an Authorization header carrying the Basic Authentication credentials (plugged in by the SR client).
The following configuration changes are only effective for the SR slave. The SR master doesn’t need to support basic auth.
The user credentials supplied by applications to the Schema-Registry are handed over to Instance-API to perform the authorization check.
Since the Instance API endpoints require mTLS authentication, an additional SSL context needs to be created. You will need to supply this configuration, as well.
Make sure that the Schema Registry slave client truststore contains the CA certificate used by Instance API.
Instance API
- The Instance API configuration also needs to be updated in order to authorize connections from SR instances. Modify the instance-api.sh file as follows:
INSTANCE_API_AUTHORIZED_CNS="'Old-existing-CN,NEW-Schema-Registry-client-CN'"
- Restart the Instance API after you have changed the configuration to apply the changes.
Using Axual Helm Charts
Open the values.yaml for the platform deployment and append the following configuration:
instance:
  schemaregistry:
    tls:
      slave:
        clientAuthNeed: false # SR cannot support basic auth while enforcing mutual TLS
    security:
      slave:
        basicAuth:
          enabled: true
          ssl:
            enabled: true
            clientKeystore: 'base64 encoded keystore'
            clientKeyPassword: 'plaintext password'
            clientKeystorePassword: 'plaintext password'
            clientTruststore: 'base64 encoded truststore'
            clientTruststorePassword: 'plaintext password'
The instance.schemaregistry.security.slave.basicAuth.ssl block is not required when instance.schemaregistry.tls.slave.automatedKeystores is set to true.
Instance API
The Instance API values also need to be updated in order to authorize the CN of the SR client key. Append the following to the same values.yaml file:
instance:
  instanceapi:
    security:
      enabled: true
      authorizedDns: "EXISTING-CN:MGMT-API-client,NEW-CN:SR-client"
When instance.schemaregistry.tls.slave.automatedKeystores=true is set, use the CN of the SR kafka-client certificate, located at instance.schemaregistry.tls.slave.clientCertificatePem.
Upgrade the Axual platform using the modified values.yaml files:
helm upgrade --install platform axual-stable/platform -f values.yaml --version=<helm-chart-version> -n kafka
Platform Manager
After your cluster and instance services have been updated to support SASL, you need to allow Platform Manager to use them.
Using Axual Helm Charts
Open the values.yaml for the platform deployment and append the following configuration:
mgmt:
  api:
    axual:
      availableAuthMethods: 'SSL, SCRAM_SHA_512'
Upgrade the Axual platform using the modified values.yaml files:
helm upgrade --install platform axual-stable/platform -f values.yaml --version=<helm-chart-version> -n kafka
Now that SASL is available, you can enable SASL for your tenant.