diff --git a/docker/rbac-tls/.env b/docker/rbac-tls/.env
index a13497d8a..5dc693eb2 100644
--- a/docker/rbac-tls/.env
+++ b/docker/rbac-tls/.env
@@ -1 +1 @@
-TAG=5.5.0
+TAG=7.1.0
diff --git a/docker/rbac-tls/.gitignore b/docker/rbac-tls/.gitignore
new file mode 100644
index 000000000..a45362823
--- /dev/null
+++ b/docker/rbac-tls/.gitignore
@@ -0,0 +1,2 @@
+etc/kafka
+etc/kafka-connect
diff --git a/docker/rbac-tls/certs/client.keystore.jks b/docker/rbac-tls/certs/client.keystore.jks
index 09c8d63a8..f4fdfe470 100644
Binary files a/docker/rbac-tls/certs/client.keystore.jks and b/docker/rbac-tls/certs/client.keystore.jks differ
diff --git a/docker/rbac-tls/certs/client.truststore.jks b/docker/rbac-tls/certs/client.truststore.jks
index d14e83816..436fbff22 100644
Binary files a/docker/rbac-tls/certs/client.truststore.jks and b/docker/rbac-tls/certs/client.truststore.jks differ
diff --git a/docker/rbac-tls/certs/connect.keystore.jks b/docker/rbac-tls/certs/connect.keystore.jks
index 43c3b32eb..655891b91 100644
Binary files a/docker/rbac-tls/certs/connect.keystore.jks and b/docker/rbac-tls/certs/connect.keystore.jks differ
diff --git a/docker/rbac-tls/certs/connect.truststore.jks b/docker/rbac-tls/certs/connect.truststore.jks
index 7d2d1a2c1..ef2acc5ab 100644
Binary files a/docker/rbac-tls/certs/connect.truststore.jks and b/docker/rbac-tls/certs/connect.truststore.jks differ
diff --git a/docker/rbac-tls/certs/connector.keystore.jks b/docker/rbac-tls/certs/connector.keystore.jks
index d99f99e37..ca3df4077 100644
Binary files a/docker/rbac-tls/certs/connector.keystore.jks and b/docker/rbac-tls/certs/connector.keystore.jks differ
diff --git a/docker/rbac-tls/certs/connector.truststore.jks b/docker/rbac-tls/certs/connector.truststore.jks
index bd2096ffb..eefff950b 100644
Binary files a/docker/rbac-tls/certs/connector.truststore.jks and b/docker/rbac-tls/certs/connector.truststore.jks differ
diff --git a/docker/rbac-tls/certs/controlcenter.keystore.jks b/docker/rbac-tls/certs/controlcenter.keystore.jks
index c32b4a925..bae39552a 100644
Binary files a/docker/rbac-tls/certs/controlcenter.keystore.jks and b/docker/rbac-tls/certs/controlcenter.keystore.jks differ
diff --git a/docker/rbac-tls/certs/controlcenter.truststore.jks b/docker/rbac-tls/certs/controlcenter.truststore.jks
index 71d41c490..03f2b9e63 100644
Binary files a/docker/rbac-tls/certs/controlcenter.truststore.jks and b/docker/rbac-tls/certs/controlcenter.truststore.jks differ
diff --git a/docker/rbac-tls/certs/credentials.txt b/docker/rbac-tls/certs/credentials.txt
new file mode 100644
index 000000000..232122736
--- /dev/null
+++ b/docker/rbac-tls/certs/credentials.txt
@@ -0,0 +1 @@
+confluent
diff --git a/docker/rbac-tls/certs/kafka.keystore.jks b/docker/rbac-tls/certs/kafka.keystore.jks
index 6e70b0c3b..70d5fb909 100644
Binary files a/docker/rbac-tls/certs/kafka.keystore.jks and b/docker/rbac-tls/certs/kafka.keystore.jks differ
diff --git a/docker/rbac-tls/certs/kafka.truststore.jks b/docker/rbac-tls/certs/kafka.truststore.jks
index 89bb13651..e4786f8b0 100644
Binary files a/docker/rbac-tls/certs/kafka.truststore.jks and b/docker/rbac-tls/certs/kafka.truststore.jks differ
diff --git a/docker/rbac-tls/certs/mds.keystore.jks b/docker/rbac-tls/certs/mds.keystore.jks
index 8ae31fb6a..07d0ca96d 100644
Binary files a/docker/rbac-tls/certs/mds.keystore.jks and b/docker/rbac-tls/certs/mds.keystore.jks differ
diff --git a/docker/rbac-tls/certs/mds.truststore.jks b/docker/rbac-tls/certs/mds.truststore.jks
index 98a4c9e36..1b734c884 100644
Binary files a/docker/rbac-tls/certs/mds.truststore.jks and b/docker/rbac-tls/certs/mds.truststore.jks differ
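Review bot: The new `credentials.txt` stores the keystore password `confluent` in plaintext next to the regenerated JKS files, and nothing in the diff says which container reads it or why it is needed in addition to the inline `*_PASSWORD: confluent` values in docker-compose.yml. A bare password file cannot carry a comment, so document it in the example's README instead, e.g. "credentials.txt: password for the snakeoil keystores mounted under /etc/kafka/secrets; demo only, never reuse". The same literal now lives in this file, in docker-compose.yml and in every client-configs/*.properties, so anyone rotating it has three places to change.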
diff --git a/docker/rbac-tls/certs/schemaregistry.keystore.jks b/docker/rbac-tls/certs/schemaregistry.keystore.jks
index 25ffccc2a..6abf15277 100644
Binary files a/docker/rbac-tls/certs/schemaregistry.keystore.jks and b/docker/rbac-tls/certs/schemaregistry.keystore.jks differ
diff --git a/docker/rbac-tls/certs/schemaregistry.truststore.jks b/docker/rbac-tls/certs/schemaregistry.truststore.jks
index c47cf3bc1..70d0bf7e0 100644
Binary files a/docker/rbac-tls/certs/schemaregistry.truststore.jks and b/docker/rbac-tls/certs/schemaregistry.truststore.jks differ
diff --git a/docker/rbac-tls/certs/snakeoil-ca-1.crt b/docker/rbac-tls/certs/snakeoil-ca-1.crt
index 0be5b2061..29164dc25 100644
--- a/docker/rbac-tls/certs/snakeoil-ca-1.crt
+++ b/docker/rbac-tls/certs/snakeoil-ca-1.crt
@@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDZDCCAkwCCQCaHu0SFAy7tzANBgkqhkiG9w0BAQsFADB0MSIwIAYDVQQDDBlj +MIIDZDCCAkwCCQDXquyTlb1r9jANBgkqhkiG9w0BAQsFADB0MSIwIAYDVQQDDBlj YTEudGVzdC5jb25mbHVlbnRkZW1vLmlvMQ0wCwYDVQQLDARURVNUMRIwEAYDVQQK DAlDT05GTFVFTlQxETAPBgNVBAcMCFBhbG9BbHRvMQswCQYDVQQIDAJDYTELMAkG -A1UEBhMCVVMwHhcNMjEwNDI2MTU1NjMxWhcNMjIwNDI2MTU1NjMxWjB0MSIwIAYD +A1UEBhMCVVMwHhcNMjIwNTA0MTUzNzI0WhcNMjcwNTAzMTUzNzI0WjB0MSIwIAYD VQQDDBljYTEudGVzdC5jb25mbHVlbnRkZW1vLmlvMQ0wCwYDVQQLDARURVNUMRIw EAYDVQQKDAlDT05GTFVFTlQxETAPBgNVBAcMCFBhbG9BbHRvMQswCQYDVQQIDAJD -YTELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCt -DR+RvNt1VpNlygxjAYkRzkiPwKEPpsSNqa7nb1bUblQRN74dAmdMVGSvMH5Ny9L/ -PuocqqAJeXzu+Eqqd3njXx97YCOKhEN5HQ0Dnjakw9BYWpd93jbV3PJ7tnnXm8jQ -tfPM8VyF+hdbpjowzYNzvZKsaCS20jbahmlOAtGw4v5/kmjsBduPoZ4tAH2OcRqe -DHyDTz6wiM+o7P80Qi/oOku/3wIfvxs6SmyfdeYAVuRhLqa9pK5IWp0VeM7U/XMW -KCIO1dvx62mVGL8DJ6oW1TxcVSArVS+mRcS7N8UjymMQ7erlhzHhanSCZmMa0H8E -1sWimEvBa7yZ+hvSN0afAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKJLj/9OaSVy -ky+g27stB/IxzWjQS/CQ05UA8ysn7Q11KR6bK9PLTouDrPiT0Sb0geeCy+h6IvD/ -olSK45upwhfPHTCPP38dZGQ0wbIfv8TzcNmykTAtHUYBfDNYr+4nVSbSZKp5+zO5 -62qxR1aMNvhtRgVkB4oJxerrs9Nd4kgbLyaIEwabmvpN79wlHH6HZTtJYdN8FT5s -SjC9PwRm/z5H4ceArXnXgJeRPgU2Z4Qa+60yDhKGCIoYaNjNDhdo63isLPI6OVTe -2xJhWXsg/OOsw7bVliRvX9zTaqBR2UvbP2oROG5c1+l9m6mXYp4Iysj2kcURU0aV -/ngcGoq5Qhk= +YTELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCw +PYB4CwRa6p7fhl7Drg7GpapGlwuUqgHXq0KQKcrppT4uCmpxYRoQv+7GQJcRIj3P +HwYraH1TBN8u4u54SY3b1hlrbGAmGAyGAo0l87rq1ybL4YWV1Zeopj9zyT7vYRBV +nekAq3RSBv/1qLIcXZjYYUfF/xQypM8ns8XS7buLZ1K8PRJW6TgGaz6Fnt/yNQ1r +hCxZRL76FYnxcRmdmdGDkVaX5bG9bjG+bEVCH99IbaJnIK0cz50oBuj+xqkFcwOC +6IPApNzeBMhAE0WIB0GSGJRPteSHzilIGvs9/zXs/Es/G06+ked1Xvf/iDYcmrHr +JTNXbwulZFKDru6zvgBTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAH7HVAZtFsBZ +Cpc5WxS/frXmUN58IJIqoqjNyii0oW2ccZfDVAyTqYd7fkCOKgIjPJoZPQ8inahN +EIOAjiUetxdqp7ngSPuCJM9fCrmDb8JNry9ycaoxSrLQbzNiPmmyGV2Z5xYMByC7 
+8d60z1m1+zEBRUiUcPLEnvRq2k1mfBMfaLYqFikq33rvcXuml8TChLDt4yrydLyk +mcAA8yy6ZvVTTUB15qHTBleSJvmcUU2S8cR655aLFdiHvJzIGpLWrd/qycmIpHap +WyenEntoDCO+LZ6yKpH/h2ifMdJVIyryKLF6o5wOG+LiKzOT1wkoPaIkfJjDIkPX +qju//PjIEWY= -----END CERTIFICATE----- diff --git a/docker/rbac-tls/certs/snakeoil-ca-1.key b/docker/rbac-tls/certs/snakeoil-ca-1.key deleted file mode 100644 index 389febd2e..000000000 --- a/docker/rbac-tls/certs/snakeoil-ca-1.key +++ /dev/null 
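Review bot: The replacement CA certificate's validity, decoded from the changed UTCTime bytes on the second `+` line, runs from 2022-05-04 to 2027-05-03, whereas the previous one covered only 2021-04-26 to 2022-04-26; an expired snakeoil CA is presumably why every keystore and truststore under certs/ changes in this commit, and that rationale belongs in the commit message or README so the next expiry is not a surprise. The CA private key `snakeoil-ca-1.key` is deleted in the following hunk, so the repository no longer contains what is needed to re-issue these certificates; document where the key now lives (create-roles.sh in this commit points at `../../security/certs/`, which suggests a shared location) or the command used to regenerate the whole set.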
@@ -1,30 +0,0 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIjGgAKGaHAQICAggA -MB0GCWCGSAFlAwQBKgQQzRqDXYmCf6FisE1Jf1blWwSCBNATRJo0wkqC8CfjwYAt -uKh+upZvycOFTu1OsSZV7840FRUUkJxvUN27xZetx4zx4khhfV/U/1sHMiPB5l8C -39axKwLUns9zG2MnSAi+bKhVMK59yCd+xw5HanyviDAT3Xj0bbhhA+hx2GRF9pm0 -le83qp2+flIAGSiOoCEJH8Rp1KqIVUzDo22oR2L9xw3GL6fEBlLZCRmj5DW8ZSs5 -yDf3PSZaRrlElvLt2PZmLVeSlvdmBPqO1rNSM16eFAeThwfqy/lWFdepzJLyhKfF -pLqZB4jxaLmD53ef/woz20ldgY3ZA9bMfzRxkeECabZUeTQ0974VxxHZOgCAKikg -VhoAIHrCvzzgFFMH+nxVGh0WRLV4M2WCg2au1SObAyOQ4ynu4e/rRaHx1snplHEU -TcdAX7re2+3zkZVb05D4LW4FAXim8xQ9K2sVnMsmwmTBf7pI8xcLtvsGTrBRVGW7 -Y8Zecwh6B46CjO1vmnMC/8z4xxkC7Joyi845Gcahou/XgpzpVNuAhV4ZJxzd+1aR -dJRes/AltTCtYy8GhbJX+MFjyYjWWhz94EN1Vvk2VyYwdy24KWR1oZpYQ5cayX4M -2wXqfQkLeYkv8JMfhD87yaKa1CyI8ai6p8Hx5xAa0EXv6gnQLwkwayaZjZh6DQv1 -aKuiBUgARjchUBm/yaKEFp2Fr6PoSIWCJc0/9KatqchgiH41uOM7dzTreGXzieEJ -FpbYCyXvrQMVR3IzsN2eqhjqC+X6xueXIG35gbEdLd1OPplUwkNq2NnG+fIO8L3Q -stKnRSqMEdcKq6PfWXDMjuLk9+aRlofA0M1/gD/zJ5QK8vW7DGv+gyIE8ZJDq99z -M2LIR/vkP2x5uSQvQcrwwv2qjfyaePg4UL6UJ1xLWu3ZFiYnJtmOivrk+KSdnCdA -Ar5G7ErUeM5IkOv5DbFaBlPm9SvhIxdLg/rwtyJoVmTlfXNjorlXVqkXxhHiU+3W -xIOF2R4/++A4rKwX5IxBgLr3XfMrAUXmDgdJfxN4gZuACd+tTIB5bRXcDkV1Qc7J -ydo4UtkivmylYzylbxuqS3pPi1GOYu4NaRVgGH/VLc1IeEr9eiqwTglGhUNlTvPs -RXYVzetJ2i4srRbUkqWOA+10vfB5NSrET9YBSDTngmoozqeV9GiS+3PlLgJZc5oq -mJn/5HsC7Boc9z3+Yklyi2FlMbruKdL+tkVQoQKCNCtQ8lQnb3tD3Up4C8ztiVyy -Sa5U1DP3xT1DBNyY+eYS6cN/7KWg1C7dLREdnMdTdWno0apzOCHkD8wUWqHumaai -OJpROA8XCw8BzuoSozrh67b9danJLTpajwzAu+gfnZ72wpMcXsSHUKOr0gkcLbHi -Rwsvg8QRJ7+PAcIpElVWelRQ6ky6pJ3yN5M3GTeP7sueCr4fFmAv6XVxM3yncUMA -h7q98YkUHmfZl2WRf86FUp2KKo1+H6o7hcy6zr3ZOIIDzIoKkrM4kRqDwOqmRh8D -KMBoe4/f3n7CZi0qv5YEIj1umWyLiI1M+lc/l7XxRvu3h9FVfFl5o7F3prA2uMjm -CtwuF6X1B5waELnLyZX03o7HbN0R48ioWJuXK8C7qA+L4yeDa6vfgLNuSXiHWaK0 -on8dEUb6LdlWc1uZ451+dgRFXQ== ------END ENCRYPTED PRIVATE KEY----- 
diff --git a/docker/rbac-tls/certs/thusnelda.keystore.jks b/docker/rbac-tls/certs/thusnelda.keystore.jks
index 96bf4ae81..fdf16f7d0 100644
Binary files a/docker/rbac-tls/certs/thusnelda.keystore.jks and b/docker/rbac-tls/certs/thusnelda.keystore.jks differ
diff --git a/docker/rbac-tls/certs/thusnelda.truststore.jks b/docker/rbac-tls/certs/thusnelda.truststore.jks
index c3a4e5f7b..87ad1bd2e 100644
Binary files a/docker/rbac-tls/certs/thusnelda.truststore.jks and b/docker/rbac-tls/certs/thusnelda.truststore.jks differ
diff --git a/docker/rbac-tls/certs/zookeeper.keystore.jks b/docker/rbac-tls/certs/zookeeper.keystore.jks
index 39a7d0262..3eba71f50 100644
Binary files a/docker/rbac-tls/certs/zookeeper.keystore.jks and b/docker/rbac-tls/certs/zookeeper.keystore.jks differ
diff --git a/docker/rbac-tls/certs/zookeeper.truststore.jks b/docker/rbac-tls/certs/zookeeper.truststore.jks
index 2138bb9f4..55bfa7b93 100644
Binary files a/docker/rbac-tls/certs/zookeeper.truststore.jks and b/docker/rbac-tls/certs/zookeeper.truststore.jks differ
diff --git a/docker/rbac-tls/client-configs/client.properties b/docker/rbac-tls/client-configs/client.properties
new file mode 100644
index 000000000..d821b5518
--- /dev/null
+++ b/docker/rbac-tls/client-configs/client.properties
@@ -0,0 +1,5 @@
+security.protocol=SSL
+ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+ssl.truststore.password=confluent
+ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+ssl.keystore.password=confluent
diff --git a/docker/rbac-tls/client-configs/professor.properties b/docker/rbac-tls/client-configs/professor.properties
index fa713e0a3..643e24873 100644
--- a/docker/rbac-tls/client-configs/professor.properties
+++ b/docker/rbac-tls/client-configs/professor.properties
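Review bot: `client.properties` authenticates on the SSL listener with the broker's own `kafka.keystore.jks`, while docker-compose.yml lists `User:kafka` in `KAFKA_SUPER_USERS` and this same commit changes the EXTERNAL listener's principal mapping to `$$1`, i.e. the certificate CN. If that keystore's CN is `kafka`, as the super-user entry suggests, every client using this file is a super user and bypasses the role bindings the example is meant to demonstrate. Point it at a per-client identity instead, `ssl.keystore.location=/etc/kafka/secrets/client.keystore.jks` (regenerated in this commit too), or add `# admin client: presents the broker certificate, which is a super user` at the top so the choice is visibly deliberate.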
@@ -1,7 +1,11 @@
 sasl.mechanism=OAUTHBEARER
-security.protocol=SASL_PLAINTEXT
+security.protocol=SASL_SSL
 sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
 sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
 username="professor" \
 password="professor" \
-metadataServerUrls="http://localhost:8090";
+metadataServerUrls="https://localhost:8090";
+ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+ssl.truststore.password=confluent
+#ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+#ssl.keystore.password=confluent
\ No newline at end of file
diff --git a/docker/rbac-tls/client-configs/thusnelda.properties b/docker/rbac-tls/client-configs/thusnelda.properties
new file mode 100644
index 000000000..8a94a9d65
--- /dev/null
+++ b/docker/rbac-tls/client-configs/thusnelda.properties
@@ -0,0 +1,9 @@
+sasl.mechanism=OAUTHBEARER
+security.protocol=SASL_SSL
+sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
+sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required username="professor" password="professor" metadataServerUrls="https://localhost:8090";
+
+ssl.truststore.location=/etc/kafka/secrets/thusnelda.truststore.jks
+ssl.truststore.password=confluent
+ssl.keystore.location=/etc/kafka/secrets/thusnelda.keystore.jks
+ssl.keystore.password=confluent
diff --git a/docker/rbac-tls/create-basic-roles.sh b/docker/rbac-tls/create-basic-roles.sh
index 7eefccb7a..854affa33 100755
--- a/docker/rbac-tls/create-basic-roles.sh
+++ b/docker/rbac-tls/create-basic-roles.sh
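Review bot: `thusnelda.properties` presents `thusnelda.keystore.jks` on the TLS layer, but its `sasl.jaas.config` logs in to MDS as `username="professor" password="professor"`, so the principal the broker authorizes is the super user `professor`, not thusnelda, and the file's name is misleading. If the copy from professor.properties was unintended, change those two JAAS values to thusnelda's own credentials; if it is intended, add `# NOTE: token login is professor (super user); only the TLS identity is thusnelda` above the line, which is valid comment syntax in a Kafka properties file.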
@@ -12,7 +12,7 @@ fi ## Login into MDS CA_CERT=./certs/snakeoil-ca-1.crt -XX_CONFLUENT_USERNAME=professor XX_CONFLUENT_PASSWORD=professor confluent login --ca-cert-path $CA_CERT --url https://localhost:8090 +CONFLUENT_PLATFORM_USERNAME=professor CONFLUENT_PLATFORM_PASSWORD=professor confluent login --ca-cert-path $CA_CERT --url https://localhost:8090 SUPER_USER=professor SUPER_USER_PASSWORD=professor diff --git a/docker/rbac-tls/create-roles.sh b/docker/rbac-tls/create-roles.sh index 1bba922f0..78619ed19 100755 --- a/docker/rbac-tls/create-roles.sh +++ b/docker/rbac-tls/create-roles.sh @@ -11,7 +11,7 @@ if [ -z "$KAFKA_CLUSTER_ID" ]; then fi ## Login into MDS -CA_CERT=certs/snakeoil-ca-1.crt +CA_CERT=../../security/certs/snakeoil-ca-1.crt XX_CONFLUENT_USERNAME=professor XX_CONFLUENT_PASSWORD=professor confluent login --ca-cert-path $CA_CERT --url https://localhost:8090 SUPER_USER=professor @@ -59,7 +59,7 @@ confluent iam rolebinding create \ --schema-registry-cluster-id $SR # ResourceOwner for groups and topics on broker -for resource in Topic:_schemas Group:schema-registry +for resource in Topic:_schemas Group:schema-registry Topic:_confluent-license do confluent iam rolebinding create \ --principal $SR_PRINCIPAL \ @@ -96,6 +96,11 @@ do --kafka-cluster-id $KAFKA_CLUSTER_ID done +confluent iam rolebinding create \ + --principal $CONNECT_PRINCIPAL \ + --role SystemAdmin \ + --kafka-cluster-id $KAFKA_CLUSTER_ID + ################################### C3 ################################### echo "Creating C3 role bindings" diff --git a/docker/rbac-tls/docker-compose.yml b/docker/rbac-tls/docker-compose.yml index 051ac0043..64d39cf3a 100644 --- a/docker/rbac-tls/docker-compose.yml +++ b/docker/rbac-tls/docker-compose.yml @@ -1,10 +1,11 @@ --- -version: '2.3' +version: '3.5' services: phpldapadmin-service: image: osixia/phpldapadmin:0.7.2 container_name: ldapadmin-service + domainname: test.local environment: - PHPLDAPADMIN_LDAP_HOSTS=openldap ports: 
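Review bot: `create-basic-roles.sh` switches the non-interactive login to `CONFLUENT_PLATFORM_USERNAME`/`CONFLUENT_PLATFORM_PASSWORD`, but `create-roles.sh` in the same commit still exports `XX_CONFLUENT_USERNAME`/`XX_CONFLUENT_PASSWORD` on its `confluent login` line, so only one of the two scripts can log in unattended against a given CLI version; align both on the same variable pair. The two scripts also disagree on the CA used to verify MDS's TLS certificate: this one keeps `CA_CERT=./certs/snakeoil-ca-1.crt` while create-roles.sh moves to `CA_CERT=../../security/certs/snakeoil-ca-1.crt`, a path outside the directory docker-compose mounts, and if those two files ever diverge one of the logins fails with a certificate error.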
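Review bot: The new binding grants `$CONNECT_PRINCIPAL` `SystemAdmin` on the entire Kafka cluster, which makes the scoped bindings created in the loop directly above it irrelevant and removes the least-privilege property an RBAC example exists to show. If it was added so Connect can create its license topic (`_confluent-command`, per the new `CONNECT_CONFLUENT_TOPIC` setting in docker-compose.yml), grant `--role ResourceOwner --resource Topic:_confluent-command` instead, mirroring what this hunk's sibling does for Schema Registry's `Topic:_confluent-license`. Whatever is kept, add a comment above the block naming the failure it fixes so the next maintainer does not have to rediscover it.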
@@ -15,15 +16,18 @@ services: openldap: image: rroemhild/test-openldap hostname: openldap + domainname: test.local container_name: openldap ports: - - "10389:10389" + - "389:10389" + - "443:443" privileged: true zookeeper: image: confluentinc/cp-zookeeper:${TAG} hostname: zookeeper container_name: zookeeper + domainname: test.local ports: - "2181:2181" environment: @@ -32,8 +36,9 @@ services: broker: image: confluentinc/cp-server:${TAG} - hostname: broker + hostname: kafka container_name: broker + domainname: test.local networks: default: aliases: @@ -49,22 +54,23 @@ services: - "9093:9093" - "9094:9094" - "9095:9095" + - "9096:9096" volumes: - ./certs/:/etc/kafka/secrets/ - ./conf:/tmp/conf - ./client-configs:/etc/client-configs - - ./kafka/:/etc/kafka/ + - ./etc/kafka/:/etc/kafka/ - ./jvm/:/etc/kafka/jvm/ environment: - KAFKA_LOG4J_LOGGERS: kafka.controller=INFO,kafka.authorizer.logger=DEBUG - KAFKA_LOG4J_ROOT_LOGLEVEL: DEBUG + #KAFKA_LOG4J_LOGGERS: kafka.controller=INFO,kafka.authorizer.logger=DEBUG + #KAFKA_LOG4J_ROOT_LOGLEVEL: DEBUG KAFKA_SUPER_USERS: User:admin;User:kafka;User:professor;User:ANONYMOUS KAFKA_BROKER_ID: 1 KAFKA_ZOOKEEPER_CONNECT: 'zookeeper:2181' KAFKA_CONFLUENT_LICENSE_TOPIC_REPLICATION_FACTOR: 1 KAFKA_CONFLUENT_SCHEMA_REGISTRY_URL: https://schema-registry:8081 - KAFKA_ADVERTISED_LISTENERS: INTERNAL://localhost:9093,EXTERNAL://localhost:9092,TOKEN://localhost:9094,TOKENE://thusnelda:9095 - KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: INTERNAL:SSL,EXTERNAL:SSL,TOKEN:SASL_SSL,TOKENE:SASL_SSL + KAFKA_ADVERTISED_LISTENERS: INTERNAL://localhost:9093,EXTERNAL://localhost:9092,TOKEN://broker:9094,TOKENE://thusnelda:9095,EXTERNALS://localhost:9096 + KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: INTERNAL:SSL,EXTERNAL:SSL,TOKEN:SASL_SSL,TOKENE:SASL_SSL,EXTERNALS:SASL_SSL KAFKA_SASL_ENABLED_MECHANISMS: OAUTHBEARER # Configure interbroker listener 
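Review bot: The broker volume now mounts `./etc/kafka/` at `/etc/kafka/`, and the `.gitignore` added in this commit excludes `etc/kafka`, so the committed `kafka/kafka.properties` that this commit also rewrites is no longer mounted anywhere and will silently drift from what the container actually runs; either drop that file or annotate the volume line with `# populated by the container at start-up; not tracked in git`. Commenting out `KAFKA_LOG4J_LOGGERS` also drops `kafka.authorizer.logger=DEBUG`, which is typically where authorization decisions become visible in an example like this; an explicit, quieter setting such as `KAFKA_LOG4J_LOGGERS: kafka.authorizer.logger=INFO` is better than relying on whatever the 7.1.0 image defaults to.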
@@ -85,6 +91,13 @@ services: KAFKA_LISTENER_NAME_EXTERNAL_SSL_KEYSTORE_PASSWORD: confluent KAFKA_LISTENER_NAME_EXTERNAL_SSL_KEY_PASSWORD: confluent + KAFKA_LISTENER_NAME_EXTERNALS_SECURITY_PROTOCOL: SSL + KAFKA_LISTENER_NAME_EXTERNALS_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.truststore.jks + KAFKA_LISTENER_NAME_EXTERNALS_SSL_TRUSTSTORE_PASSWORD: confluent + KAFKA_LISTENER_NAME_EXTERNALS_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.keystore.jks + KAFKA_LISTENER_NAME_EXTERNALS_SSL_KEYSTORE_PASSWORD: confluent + KAFKA_LISTENER_NAME_EXTERNALS_SSL_KEY_PASSWORD: confluent + KAFKA_LISTENER_NAME_TOKEN_SECURITY_PROTOCOL: SSL KAFKA_LISTENER_NAME_TOKEN_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.truststore.jks KAFKA_LISTENER_NAME_TOKEN_SSL_TRUSTSTORE_PASSWORD: confluent @@ -103,7 +116,7 @@ services: #KAFKA_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=(.*?),.*$$/$$1/,DEFAULT KAFKA_LISTENER_NAME_INTERNAL_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=([a-zA-Z0-9.]*).*$$/$$1/ , DEFAULT - KAFKA_LISTENER_NAME_EXTERNAL_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=([a-zA-Z0-9.]*).*$$/kafka/ , DEFAULT + KAFKA_LISTENER_NAME_EXTERNAL_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=([a-zA-Z0-9.]*).*$$/$$1/ , DEFAULT # Configure token listener KAFKA_LISTENER_NAME_TOKEN_SASL_ENABLED_MECHANISMS: OAUTHBEARER 
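Review bot: The EXTERNALS block sets `KAFKA_LISTENER_NAME_EXTERNALS_SECURITY_PROTOCOL: SSL` while the listener map in the previous hunk declares `EXTERNALS:SASL_SSL`; the existing TOKEN block carries the same pair, so this is either an ineffective key or a latent mismatch, and it should not be propagated to a new listener without a comment saying which. The block also reuses `kafka.keystore.jks`, so EXTERNAL (9092) and EXTERNALS (9096) present the same broker identity; if that is intended, `# host-facing token listener; shares the EXTERNAL certificate` above the block would make the duplication deliberate rather than accidental.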
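Review bot: Changing the EXTERNAL mapping rule from `/kafka/` to `/$$1/` means the CN of whatever client certificate is presented on 9092 becomes the principal, instead of every TLS client collapsing to `kafka`; that is the right direction for an RBAC demo, but it interacts with `KAFKA_SUPER_USERS: User:admin;User:kafka;User:professor;User:ANONYMOUS` and with the new `client-configs/client.properties`, which presents `kafka.keystore.jks` and is therefore likely a super user now. Add `# principal = certificate CN; keep super-user CNs out of client keystores` above the rule, and have the client config use `client.keystore.jks`.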
@@ -122,6 +135,14 @@ services: org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \ publicKeyPath="/tmp/conf/public.pem"; + KAFKA_LISTENER_NAME_EXTERNALS_SASL_ENABLED_MECHANISMS: OAUTHBEARER + KAFKA_LISTENER_NAME_EXTERNALS_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS: io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler + KAFKA_LISTENER_NAME_EXTERNALS_OAUTHBEARER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler + KAFKA_LISTENER_NAME_EXTERNALS_OAUTHBEARER_SASL_JAAS_CONFIG: | + \ + org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \ + publicKeyPath="/tmp/conf/public.pem"; + # CONFIGURE AUTHORIZER KAFKA_AUTHORIZER_CLASS_NAME: io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer KAFKA_CONFLUENT_AUTHORIZER_ACCESS_RULE_PROVIDERS: CONFLUENT,ZK_ACL 
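Review bot: The EXTERNALS OAUTHBEARER settings are a line-for-line copy of the TOKEN listener's (same validator and login callback handlers, same `publicKeyPath="/tmp/conf/public.pem"`), and nothing explains why a second token listener exists; presumably it is the host-reachable one, since TOKEN is now advertised as `broker:9094` while EXTERNALS is `localhost:9096`. Add `# EXTERNALS: token listener advertised on localhost for host-side clients; keep in sync with TOKEN` above the block so the duplication reads as intentional and a future change to one is not forgotten on the other.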
@@ -181,9 +202,10 @@ services: # ======================= OTHER BROKER STUFF ================================= KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1 - SSL_ENABLED_PROTOCOLS: TLSv1.2 - KAFKA_OPTS: " -Djava.security.properties=/etc/kafka/jvm/security-policy.properties" - KAFKA_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + KAFKA_CONFLUENT_BALANCER_ENABLE: 'false' + #SSL_ENABLED_PROTOCOLS: TLSv1.2 + #KAFKA_OPTS: " -Djava.security.properties=/etc/kafka/jvm/security-policy.properties" + #KAFKA_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 # KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0 # CONFLUENT_METRICS_ENABLE: 'true' # CONFLUENT_SUPPORT_CUSTOMER_ID: 'anonymous' 
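Review bot: Commenting out `SSL_ENABLED_PROTOCOLS`, the `-Djava.security.properties` policy file and the `KAFKA_SSL_CIPHER_SUITES` allowlist removes the broker's TLS hardening and leaves it on image defaults, while control-center in this file's last hunk still runs with all three; the diff gives no reason for the asymmetry. The same pattern is applied to connect in the `@@ -390` hunk (`-Djava.security.properties`) and the `@@ -409` hunk (`CONNECT_SSL_*`). If the 7.1.0 image rejected the old list (several `TLS_RSA_*` and `TLS_DHE_DSS_*` suites are obsolete), say so in a comment and keep an explicit protocol constraint such as `SSL_ENABLED_PROTOCOLS: TLSv1.3,TLSv1.2` rather than dropping it silently.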
@@ -252,8 +274,11 @@ services: SCHEMA_REGISTRY_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 connect: - image: confluentinc/cp-server-connect:${TAG} + build: + context: kafka-connect/ + dockerfile: Dockerfile hostname: connect + domainname: test.local container_name: connect depends_on: - 'broker' @@ -261,6 +286,7 @@ services: - "8083:8083" volumes: - ./certs/:/etc/kafka/secrets/ + - ./etc/kafka-connect/:/etc/kafka-connect/ - ./conf:/tmp/conf - ./jvm/:/etc/kafka/jvm/ environment: @@ -390,7 +416,7 @@ services: -Djavax.net.ssl.trustStorePassword=confluent -Djavax.net.ssl.keyStore=/etc/kafka/secrets/connect.keystore.jks -Djavax.net.ssl.keyStorePassword=confluent - -Djava.security.properties=/etc/kafka/jvm/security-policy.properties + # -Djava.security.properties=/etc/kafka/jvm/security-policy.properties # ========================= SECRET REGISTRY ================================== CONNECT_CONFIG_PROVIDERS: 'secret' CONNECT_CONFIG_PROVIDERS_SECRET_CLASS: 'io.confluent.connect.secretregistry.rbac.config.provider.InternalSecretConfigProvider' 
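Review bot: The new `# -Djava.security.properties=...` line sits inside a multi-line environment value that continues from `-Djavax.net.ssl.keyStorePassword=confluent` above it; if that value is a YAML literal block (`|`), the `#` is not a comment but part of the string handed to the JVM, which would then receive a bare `#` argument. Confirm the scalar style, and if it is a block scalar delete the line instead of prefixing it. The enclosing value starts above this hunk, so its style is not visible here.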
@@ -409,8 +435,27 @@ services: username="fry" \ password="fry" \ metadataServerUrls="https://broker:8090"; - CONNECT_SSL_ENABLED_PROTOCOLS: TLSv1.2 - CONNECT_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + #CONNECT_SSL_ENABLED_PROTOCOLS: TLSv1.2 + #CONNECT_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + # ==== CONFLUENT LICENSE MANAGER ==== + CONNECT_CONFLUENT_TOPIC: '_confluent-command' + CONNECT_CONFLUENT_TOPIC_BOOTSTRAP_SERVERS: broker:9094 + CONNECT_CONFLUENT_TOPIC_REPLICATION_FACTOR: 1 + CONNECT_CONFLUENT_TOPIC_SECURITY_PROTOCOL: SASL_SSL + CONNECT_CONFLUENT_TOPIC_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/connect.truststore.jks + CONNECT_CONFLUENT_TOPIC_SSL_TRUSTSTORE_PASSWORD: confluent + CONNECT_CONFLUENT_TOPIC_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/connect.keystore.jks + CONNECT_CONFLUENT_TOPIC_SSL_KEYSTORE_PASSWORD: confluent + CONNECT_CONFLUENT_TOPIC_SSL_KEY_PASSWORD: confluent + #CONNECT_CONFLUENT_TOPIC_SSL_ENDPOINT_IDENTIFICATION_ALGORITH: "" + + 
CONNECT_CONFLUENT_TOPIC_SASL_MECHANISM: 'OAUTHBEARER' + CONNECT_CONFLUENT_TOPIC_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler' + CONNECT_CONFLUENT_TOPIC_SASL_JAAS_CONFIG: | + org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \ + username="professor" \ + password="professor" \ + metadataServerUrls="https://broker:8090"; control-center: image: confluentinc/cp-enterprise-control-center:${TAG} @@ -428,7 +473,8 @@ services: - ./jvm/:/etc/kafka/jvm/ environment: # CUB CLASSPATH - CUB_CLASSPATH: '/etc/confluent/docker/docker-utils.jar:/usr/share/java/confluent-control-center/*:/usr/share/java/rest-utils/*:/usr/share/java/confluent-common/*' + #CUB_CLASSPATH: '/etc/confluent/docker/docker-utils.jar:/usr/share/java/confluent-control-center/*:/usr/share/java/rest-utils/*:/usr/share/java/confluent-common/*' + CUB_CLASSPATH: '/usr/share/java/confluent-control-center/*:/usr/share/java/rest-utils/*:/usr/share/java/confluent-common/*:/usr/share/java/confluent-security/kafka-rest/*:/usr/share/java/kafka-rest/:/usr/share/java/cp-base-new/*' # general settings #CONTROL_CENTER_LOG4J_ROOT_LOGLEVEL: DEBUG CONTROL_CENTER_BOOTSTRAP_SERVERS: 'SASL_SSL://broker:9094' 
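Review bot: The license-manager client authenticates with `username="professor" password="professor"`, i.e. the super user, whereas the MDS block directly above uses `fry`; Connect's access to `_confluent-command` thus rests on super-user credentials rather than on a role binding, which create-roles.sh in this commit could grant instead. Use fry's credentials here and bind `ResourceOwner` on `Topic:_confluent-command` to the Connect principal. The commented `CONNECT_CONFLUENT_TOPIC_SSL_ENDPOINT_IDENTIFICATION_ALGORITH` is misspelled (missing the final `M`), so if it is ever uncommented it is silently ignored; setting it to `""` also disables hostname verification, so a comment explaining when that is acceptable would be needed anyway. The two empty `+` lines before `CONNECT_CONFLUENT_TOPIC_SASL_MECHANISM` can go.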
@@ -490,3 +536,6 @@ services: CONTROL_CENTER_SSL_ENABLED_PROTOCOLS: TLSv1.2 KAFKA_OPTS: " -Djava.security.properties=/etc/kafka/jvm/security-policy.properties" CONTROL_CENTER_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + +networks: + default: diff --git a/docker/rbac-tls/kafka-connect/Dockerfile b/docker/rbac-tls/kafka-connect/Dockerfile new file mode 100644 index 000000000..22d3468fd --- /dev/null +++ b/docker/rbac-tls/kafka-connect/Dockerfile @@ -0,0 +1,8 @@ +FROM confluentinc/cp-server-connect:6.2.0 + +ENV CONNECT_PLUGIN_PATH="/usr/share/java,/usr/share/confluent-hub-components" + +RUN confluent-hub install --no-prompt confluentinc/kafka-connect-datagen:0.5.0 \ + && confluent-hub install --no-prompt confluentinc/kafka-connect-jdbc:10.2.1 \ + && confluent-hub install --no-prompt debezium/debezium-connector-sqlserver:1.6.0 \ + && confluent-hub install --no-prompt confluentinc/kafka-connect-ibmmq:11.0.8 diff --git a/docker/rbac-tls/kafka/kafka.properties b/docker/rbac-tls/kafka/kafka.properties index 61a75ca71..12d74f5a8 100644 --- a/docker/rbac-tls/kafka/kafka.properties +++ b/docker/rbac-tls/kafka/kafka.properties 
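Review bot: The Dockerfile pins `FROM confluentinc/cp-server-connect:6.2.0` while `.env` moves `TAG` to `7.1.0` and docker-compose.yml now builds connect from this file, so Connect runs a release behind the broker, Schema Registry and Control Center. Thread the tag through instead: `ARG TAG=7.1.0` before `FROM confluentinc/cp-server-connect:${TAG}`, with `args: { TAG: "${TAG}" }` under the compose `build:` block, so a single variable governs every image. The `confluent-hub` installs are version-pinned, which is good; a one-line comment naming why these four connectors are needed for the example would complete it.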
@@ -1,97 +1,96 @@
-confluent.metadata.server.public.key.path=/tmp/conf/public.pem
-listener.name.tokene.ssl.keystore.password=confluent
-listener.name.tokene.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
+listener.name.external.ssl.keystore.password=confluent
+inter.broker.listener.name=INTERNAL
+ldap.com.sun.jndi.ldap.read.timeout=3000
+confluent.metadata.server.token.max.lifetime.ms=3600000
+listener.name.internal.ssl.key.password=confluent
+listener.name.internal.ssl.principal.mapping.rules=RULE:^CN=([a-zA-Z0-9.]*).*$/$1/ , DEFAULT
+listener.name.external.ssl.key.password=confluent
+listener.name.token.oauthbearer.sasl.jaas.config=\
+org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+publicKeyPath="/tmp/conf/public.pem";
+
+listener.name.internal.security.protocol=SSL
+listener.name.external.security.protocol=SSL
+ldap.java.naming.provider.url=ldap://openldap:10389
 listener.name.tokene.oauthbearer.sasl.jaas.config=\
 org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
 publicKeyPath="/tmp/conf/public.pem";
-confluent.metadata.server.token.max.lifetime.ms=3600000
+listener.name.external.ssl.principal.mapping.rules=RULE:^CN=([a-zA-Z0-9.]*).*$/$1/ , DEFAULT
+super.users=User:admin;User:kafka;User:professor;User:ANONYMOUS
+ldap.user.object.class=inetOrgPerson
+listener.name.token.ssl.keystore.password=confluent
+listener.name.token.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
+confluent.license.topic.replication.factor=1
+listener.name.internal.ssl.truststore.password=confluent
+metric.reporters=io.confluent.metrics.reporter.ConfluentMetricsReporter
 ldap.user.search.base=ou=people,dc=planetexpress,dc=com
+confluent.metadata.topic.replication.factor=1
+listener.name.internal.ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+listener.name.tokene.ssl.key.password=confluent
+listener.name.external.ssl.truststore.password=confluent
 confluent.metadata.server.ssl.truststore.password=confluent
-confluent.metadata.server.ssl.keystore.location=/etc/kafka/secrets/mds.keystore.jks
-confluent.metadata.server.advertised.listeners=https://broker:8090
-listener.name.external.ssl.principal.mapping.rules=RULE:^CN=([a-zA-Z0-9.]*).*$/kafka/ , DEFAULT
+ldap.java.naming.security.principal=cn=admin,dc=planetexpress,dc=com
+listener.name.tokene.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
+confluent.metadata.server.token.auth.enable=true
+confluent.metadata.server.listeners=https://0.0.0.0:8090
+ldap.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
+listener.name.tokene.ssl.truststore.location=/etc/kafka/secrets/thusnelda.truststore.jks
 ldap.group.name.attribute=cn
-broker.id=1
+listener.name.tokene.security.protocol=SSL
+confluent.metadata.server.ssl.key.password=confluent
+confluent.metadata.server.ssl.truststore.location=/etc/kafka/secrets/mds.truststore.jks
 confluent.metadata.server.authentication.method=BEARER
-listener.name.internal.ssl.keystore.password=confluent
-listener.name.internal.ssl.key.password=confluent
-confluent.metadata.server.listeners=https://0.0.0.0:8090
-sasl.enabled.mechanisms=OAUTHBEARER
-ldap.java.naming.security.authentication=simple
-listener.name.internal.ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
-ldap.user.name.attribute=uid
-advertised.listeners=INTERNAL://localhost:9093,EXTERNAL://localhost:9092,TOKEN://localhost:9094,TOKENE://thusnelda:9095
+listener.name.external.ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
 listener.name.token.ssl.truststore.password=confluent
-listener.name.tokene.ssl.keystore.location=/etc/kafka/secrets/thusnelda.keystore.jks
-listener.name.internal.ssl.truststore.password=confluent
-zookeeper.connect=zookeeper:2181
+advertised.listeners=INTERNAL://localhost:9093,EXTERNAL://broker:9092,TOKEN://broker:9094,TOKENE://thusnelda:9095
+confluent.schema.registry.url=https://schema-registry:8081
+sasl.enabled.mechanisms=OAUTHBEARER
 ldap.group.object.class=group
-listener.name.external.ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
-confluent.authorizer.access.rule.providers=CONFLUENT,ZK_ACL
-super.users=User:admin;User:kafka;User:professor;User:ANONYMOUS
-ldap.user.object.class=inetOrgPerson
-inter.broker.listener.name=INTERNAL
+listener.name.token.security.protocol=SSL
+ldap.java.naming.security.credentials=GoodNewsEveryone
+listener.name.internal.ssl.keystore.password=confluent
 listener.name.internal.ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
-ssl.client.auth=required
-ldap.java.naming.provider.url=ldap://openldap:10389
-listener.name.tokene.security.protocol=SSL
-listener.name.tokene.ssl.key.password=confluent
+listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL,TOKEN:SASL_SSL,TOKENE:SASL_SSL
+ldap.user.memberof.attribute=ou
 confluent.metadata.server.token.signature.algorithm=RS256
-listener.name.token.security.protocol=SSL
-listener.name.external.security.protocol=SSL
-confluent.metadata.server.token.key.path=/tmp/conf/keypair.pem
-ldap.java.naming.security.principal=cn=admin,dc=planetexpress,dc=com
-listener.name.token.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
-ldap.group.search.base=ou=people,dc=planetexpress,dc=com
-listener.name.token.oauthbearer.sasl.jaas.config=\
-org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
-publicKeyPath="/tmp/conf/public.pem";
-
-confluent.schema.registry.url=https://schema-registry:8081
-listener.name.internal.ssl.principal.mapping.rules=RULE:^CN=([a-zA-Z0-9.]*).*$/$1/ , DEFAULT
+confluent.authorizer.group.provider=RBAC
+listener.name.tokene.ssl.keystore.password=confluent
 authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
-confluent.metadata.topic.replication.factor=1
-confluent.metadata.server.ssl.keystore.password=confluent
-listener.name.token.sasl.enabled.mechanisms=OAUTHBEARER
-listener.name.tokene.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
-ldap.user.memberof.attribute=ou
-metric.reporters=io.confluent.metrics.reporter.ConfluentMetricsReporter
+listener.name.tokene.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
 confluent.metadata.server.authentication.roles=**
-confluent.authorizer.group.provider=RBAC
 listener.name.tokene.ssl.truststore.password=confluent
-confluent.metadata.server.ssl.truststore.location=/etc/kafka/secrets/mds.truststore.jks
-listener.name.token.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
+confluent.authorizer.access.rule.providers=CONFLUENT,ZK_ACL
+broker.id=1
+ldap.java.naming.security.authentication=simple
+confluent.metadata.server.ssl.keystore.password=confluent
+confluent.metadata.server.ssl.keystore.location=/etc/kafka/secrets/mds.keystore.jks
+listener.name.token.ssl.key.password=confluent
 listener.name.external.ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
-confluent.metadata.server.ssl.key.password=confluent
-listener.name.external.ssl.keystore.password=confluent
-offsets.topic.replication.factor=1
-listener.name.external.ssl.truststore.password=confluent
-ldap.com.sun.jndi.ldap.read.timeout=3000
-listener.name.internal.security.protocol=SSL
-listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL,TOKEN:SASL_SSL,TOKENE:SASL_SSL
-listener.name.external.ssl.key.password=confluent
+ssl.cipher.suites=TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+listener.name.token.ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+ldap.user.name.attribute=uid
+listener.name.token.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
 listener.name.token.ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
-log.dirs=/var/lib/kafka/data
-listener.name.tokene.ssl.truststore.location=/etc/kafka/secrets/thusnelda.truststore.jks
-listeners=INTERNAL://0.0.0.0:9093,EXTERNAL://0.0.0.0:9092,TOKEN://0.0.0.0:9094,TOKENE://0.0.0.0:9095
-confluent.metadata.server.token.auth.enable=true
-ldap.java.naming.security.credentials=GoodNewsEveryone
-listener.name.token.ssl.key.password=confluent
-ldap.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
-listener.name.token.ssl.keystore.password=confluent
 confluent.metadata.server.openapi.enable=true
-confluent.license.topic.replication.factor=1
+listeners=INTERNAL://0.0.0.0:9093,EXTERNAL://0.0.0.0:9092,TOKEN://0.0.0.0:9094,TOKENE://0.0.0.0:9095
 listener.name.tokene.sasl.enabled.mechanisms=OAUTHBEARER
-listener.name.token.ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
-ssl.cipher.suites=TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 --%}
-
-confluent.metrics.reporter.ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+zookeeper.connect=zookeeper:2181
+confluent.metadata.server.advertised.listeners=https://broker:8090
+listener.name.token.sasl.enabled.mechanisms=OAUTHBEARER
+log.dirs=/var/lib/kafka/data
+ldap.group.search.base=ou=people,dc=planetexpress,dc=com
+offsets.topic.replication.factor=1
+confluent.metadata.server.public.key.path=/tmp/conf/public.pem
+confluent.balancer.enable=true
+listener.name.tokene.ssl.keystore.location=/etc/kafka/secrets/thusnelda.keystore.jks
+ssl.client.auth=required
+confluent.metadata.server.token.key.path=/tmp/conf/keypair.pem
 confluent.metrics.reporter.topic.replicas=1
-confluent.metrics.reporter.ssl.keystore.password=confluent
-confluent.metrics.reporter.ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+confluent.metrics.reporter.security.protocol=SSL
 confluent.metrics.reporter.ssl.truststore.password=confluent
-confluent.metrics.reporter.ssl.key.password=confluent
 confluent.metrics.reporter.bootstrap.servers=localhost:9093
-confluent.metrics.reporter.security.protocol=SSL
+confluent.metrics.reporter.ssl.key.password=confluent
+confluent.metrics.reporter.ssl.keystore.password=confluent
+confluent.metrics.reporter.ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+confluent.metrics.reporter.ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
diff --git a/docker/rbac-tls/kafka/log4j.properties b/docker/rbac-tls/kafka/log4j.properties
index 13fb80ec2..507b990de 100644
--- a/docker/rbac-tls/kafka/log4j.properties
+++ b/docker/rbac-tls/kafka/log4j.properties
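Review bot: `super.users` on the new side still lists `User:ANONYMOUS`, which grants unrestricted authorization to any connection whose principal resolves to ANONYMOUS; it is only harmless here because `ssl.client.auth=required` forces a client certificate on the SSL listeners and the TOKEN listeners authenticate via OAUTHBEARER, so either drop the entry or put a comment next to it stating that coupling. The hunk rewrites the whole file in what looks like hash-map order, which buries the two substantive changes — `listener.name.external.ssl.principal.mapping.rules` now keeps the certificate CN (`/$1/`) instead of mapping every EXTERNAL client to `kafka`, and `advertised.listeners` now advertises `broker` rather than `localhost` for EXTERNAL and TOKEN — so please keep keys grouped (listeners, per-listener SSL, MDS, LDAP, metrics reporter) so future diffs show only real changes. `ssl.cipher.suites` still permits the `TLS_RSA_*` suites, which have no forward secrecy, and the `*_CBC_*` suites; if the demo clients do not need them, trimming the list to the ECDHE GCM entries tightens the TLS posture without touching clients that already negotiate those.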
@@ -1,16 +1,16 @@
-log4j.rootLogger=DEBUG, stdout
+log4j.rootLogger=INFO, stdout
 log4j.appender.stdout=org.apache.log4j.ConsoleAppender
 log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
 log4j.appender.stdout.layout.ConversionPattern=[%d] %p %m (%c)%n
-log4j.logger.kafka.authorizer.logger=DEBUG
-log4j.logger.kafka.log.LogCleaner=INFO
-log4j.logger.kafka.producer.async.DefaultEventHandler=DEBUG
-log4j.logger.kafka.controller=INFO
+log4j.logger.kafka=INFO
 log4j.logger.kafka.network.RequestChannel$=WARN
+log4j.logger.kafka.producer.async.DefaultEventHandler=DEBUG
 log4j.logger.kafka.request.logger=WARN
+log4j.logger.kafka.controller=TRACE
+log4j.logger.kafka.log.LogCleaner=INFO
 log4j.logger.state.change.logger=TRACE
-log4j.logger.kafka=INFO
+log4j.logger.kafka.authorizer.logger=WARN
diff --git a/docker/rbac-tls/scripts/create-connector.sh b/docker/rbac-tls/scripts/create-connector.sh
new file mode 100755
index 000000000..e318e7cb2
--- /dev/null
+++ b/docker/rbac-tls/scripts/create-connector.sh
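Review bot: `log4j.logger.kafka.authorizer.logger=WARN` silences the authorizer's audit lines — in Apache Kafka's authorizer, denied operations are logged at INFO and allowed ones at DEBUG, so at WARN an RBAC demo loses exactly the DENIED events that show the authorization model working and that an operator would alert on; `log4j.logger.kafka.authorizer.logger=INFO` keeps the denials without the DEBUG volume of the old setting. Conversely `log4j.logger.kafka.controller=TRACE`, next to the retained `state.change.logger=TRACE`, is very verbose for a broker whose root logger was just lowered to INFO; if that is deliberate for debugging, a comment saying so would stop the next person from "fixing" it. I am not certain whether the ConfluentServerAuthorizer configured in kafka.properties routes its audit events through the same logger name, so please confirm before relying on it.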
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+curl -i -X POST -H "Accept:application/json" \
+ -u "professor:professor" \
+ -k \
+ -H "Content-Type:application/json" https://localhost:8083/connectors/ \
+ -d '{
+ "name": "ibm-mq-source",
+ "config": {
+ "connector.class": "io.confluent.connect.ibm.mq.IbmMQSourceConnector",
+ "kafka.topic": "MyKafkaTopicName",
+ "mq.hostname": "ibmmq",
+ "mq.port": "1414",
+ "mq.transport.type": "client",
+ "mq.queue.manager": "QM1",
+ "mq.channel": "DEV.APP.SVRCONN",
+ "mq.username": "app",
+ "mq.password": "passw0rd",
+ "jms.destination.name": "DEV.QUEUE.1",
+ "jms.destination.type": "queue",
+ "confluent.license": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJDb25mbHVlbnRQcm9mZXNzaW9uYWxTZXJ2aWNlcyIsImV4cCI6MTcwNDQ5OTIwMCwiaWF0IjoxNjA5ODkxMjAwLCJpc3MiOiJDb25mbHVlbnQiLCJtb25pdG9yaW5nIjp0cnVlLCJuYjQiOjE2MDk5NDQ1MjYsInN1YiI6ImNvbnRyb2wtY2VudGVyIn0.JGa0Thb5zHXfMtZliIo6kCDFrNSCoVygUsYnPZ0Sg9q2nLb-Mo6G14Jd1oX57AYdQIV4V0RnXvKUxfVmNyfXLtTFnIk3rCaQlo_jPg7Hsg9ifOgtIPR4y1yIJs2DQtult_w4xoopAl4PhtoO13CAB9uVfTzcpOto2m4G4DVRMNFKobofVp3iJaDD1cuYeYOSf94chILCGEQ98wEJ-ktBgKtpuIwAisIjBW4F6oVm7chKhILpQ478zz4fkWaU-8xz4jnjVaGqLNmVEqJ5jf7ApMsNxCv5hWbo8_gkCucMg1fcUSzR5FkhkhFfh0o7DZweJJAiZ2Snr2cKNddCVRnLbQ",
+ "confluent.topic.bootstrap.servers": "broker:9092"
+ }}'
diff --git a/docker/rbac-tls/scripts/delete-connectors.sh b/docker/rbac-tls/scripts/delete-connectors.sh
new file mode 100755
index 000000000..3a4dc7f62
--- /dev/null
+++ b/docker/rbac-tls/scripts/delete-connectors.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+curl -i -X DELETE -H "Accept:application/json" \
+ -u "professor:professor" \
+ -k \
+ -H "Content-Type:application/json" https://localhost:8083/connectors/ibm-mq-source
diff --git a/docker/rbac-tls/scripts/list-connectors.sh b/docker/rbac-tls/scripts/list-connectors.sh
new file mode 100755
index 000000000..418163f49
--- /dev/null
+++ b/docker/rbac-tls/scripts/list-connectors.sh
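Review bot: `curl -k` disables certificate verification against the Connect REST endpoint even though this stack ships its own truststores, and the script commits the REST credentials `professor:professor`, the MQ password `passw0rd` and a `confluent.license` JWT inside the JSON body; delete-connectors.sh in this hunk and list-connectors.sh in the next one carry the same `-k` and inline credentials. Replace `-k` with `--cacert <CA_CERT_PATH>` pointing at the CA that signed the Connect certificate, and take the secrets from the environment, e.g. `-u "${CONNECT_USER:?}:${CONNECT_PASSWORD:?}"` and `"confluent.license": "'"${CONFLUENT_LICENSE:?}"'"` inside the single-quoted body. A license token that has been committed to the repository should be treated as disclosed and rotated, whatever its scope.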
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+curl -i -X GET -H "Accept:application/json" \
+ -u "professor:professor" \
+ -k \
+ -H "Content-Type:application/json" https://localhost:8083/connectors/
diff --git a/docker/rbac-tls/scripts/list-topics-als-kafka.sh b/docker/rbac-tls/scripts/list-topics-als-kafka.sh
new file mode 100755
index 000000000..f418fda48
--- /dev/null
+++ b/docker/rbac-tls/scripts/list-topics-als-kafka.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+docker-compose exec broker kafka-topics --bootstrap-server broker:9092 \
+ --list \
+ --command-config /etc/client-configs/client.properties
diff --git a/docker/rbac-tls/scripts/read-als-kafka.sh b/docker/rbac-tls/scripts/read-als-kafka.sh
index 7540fef1b..669a2c017 100644
--- a/docker/rbac-tls/scripts/read-als-kafka.sh
+++ b/docker/rbac-tls/scripts/read-als-kafka.sh
@@ -2,4 +2,4 @@
 docker-compose exec broker kafka-console-consumer --bootstrap-server broker:9092 \
 --topic test \
- --consumer.config /etc/kafka/client.properties --from-beginning
+ --consumer.config /etc/client-configs/client.properties --from-beginning
diff --git a/docker/rbac-tls/scripts/read-als-professor.sh b/docker/rbac-tls/scripts/read-als-professor.sh
index 62fe59dbf..d0c6c005a 100644
--- a/docker/rbac-tls/scripts/read-als-professor.sh
+++ b/docker/rbac-tls/scripts/read-als-professor.sh
@@ -2,4 +2,4 @@
 docker-compose exec broker kafka-console-consumer --bootstrap-server broker:9094 \
 --topic test \
- --consumer.config /etc/kafka/professor.properties --from-beginning
+ --consumer.config /etc/client-configs/professor.properties --from-beginning
diff --git a/docker/rbac-tls/scripts/read-als-thusnelda.sh b/docker/rbac-tls/scripts/read-als-thusnelda.sh
index dba2863ae..d846330a7 100644
--- a/docker/rbac-tls/scripts/read-als-thusnelda.sh
+++ b/docker/rbac-tls/scripts/read-als-thusnelda.sh
@@ -2,4 +2,4 @@
 docker-compose exec broker kafka-console-consumer --bootstrap-server thusnelda:9095 \
 --topic test \
- --consumer.config /etc/kafka/thusnelda.properties --from-beginning
+ --consumer.config /etc/client-configs/thusnelda.properties --from-beginning
diff --git a/docker/rbac-tls/scripts/write-als-kafka.sh b/docker/rbac-tls/scripts/write-als-kafka.sh
index 8489659c1..0ef3ccf7e 100644
--- a/docker/rbac-tls/scripts/write-als-kafka.sh
+++ b/docker/rbac-tls/scripts/write-als-kafka.sh
@@ -2,4 +2,4 @@
 docker-compose exec broker kafka-console-producer --broker-list broker:9092 \
 --topic test \
- --producer.config /etc/kafka/client.properties
+ --producer.config /etc/client-configs/client.properties
diff --git a/docker/rbac-tls/scripts/write-als-professor.sh b/docker/rbac-tls/scripts/write-als-professor.sh
index 18552be81..404f2a3e8 100644
--- a/docker/rbac-tls/scripts/write-als-professor.sh
+++ b/docker/rbac-tls/scripts/write-als-professor.sh
@@ -2,4 +2,4 @@
 docker-compose exec broker kafka-console-producer --broker-list broker:9094 \
 --topic test \
- --producer.config /etc/kafka/professor.properties
+ --producer.config /etc/client-configs/professor.properties
diff --git a/docker/rbac-tls/scripts/write-als-thusnelda.sh b/docker/rbac-tls/scripts/write-als-thusnelda.sh
index 9c1a6b817..cf1c88a27 100644
--- a/docker/rbac-tls/scripts/write-als-thusnelda.sh
+++ b/docker/rbac-tls/scripts/write-als-thusnelda.sh
@@ -2,4 +2,4 @@
 docker-compose exec broker kafka-console-producer --broker-list thusnelda:9095 \
 --topic test-thusnelda \
- --producer.config /etc/kafka/thusnelda.properties
+ --producer.config /etc/client-configs/thusnelda.properties
diff --git a/docker/rbac-tls/show-kafka-id.sh b/docker/rbac-tls/show-kafka-id.sh
old mode 100644
new mode 100755
diff --git a/example/jks/client.keystore.jks b/example/jks/client.keystore.jks
deleted file mode 100644
index 6e70b0c3b..000000000
Binary files a/example/jks/client.keystore.jks and /dev/null differ
diff --git a/example/jks/client.truststore.jks b/example/jks/client.truststore.jks
deleted file mode 100644
index 89bb13651..000000000
Binary files a/example/jks/client.truststore.jks and /dev/null differ
diff --git a/example/jks/kafka.keystore.jks b/example/jks/kafka.keystore.jks
new file mode 100644
index 000000000..70d5fb909
Binary files /dev/null and b/example/jks/kafka.keystore.jks differ
diff --git a/example/jks/kafka.truststore.jks b/example/jks/kafka.truststore.jks
new file mode 100644
index 000000000..e4786f8b0
Binary files /dev/null and b/example/jks/kafka.truststore.jks differ
diff --git a/example/topology-builder-rbac-oauth-tls.properties b/example/topology-builder-rbac-oauth-tls.properties
new file mode 100644
index 000000000..6d7e22035
--- /dev/null
+++ b/example/topology-builder-rbac-oauth-tls.properties
@@ -0,0 +1,23 @@
+topology.builder.access.control.class = com.purbon.kafka.topology.roles.RBACProvider
+topology.builder.mds.server = https://localhost:8090
+topology.builder.mds.user = professor
+topology.builder.mds.password = professor
+topology.builder.mds.kafka.cluster.id = IFfx5-wfQEW9YRmr3Umo4A
+
+topology.builder.mds.schema.registry.cluster.id = schema-registry-cluster
+topology.builder.mds.kafka.connect.cluster.id = connect-cluster
+topology.builder.mds.ksqldb.cluster.id = ksqldb
+
+sasl.mechanism=OAUTHBEARER
+security.protocol=SASL_SSL
+sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
+sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+username="professor" \
+password="professor" \
+metadataServerUrls="https://localhost:8090";
+ssl.truststore.location=/Users/pere/work/gitops/kafka-topology-builder/example/jks/kafka.truststore.jks
+ssl.truststore.password=confluent
+#ssl.keystore.location=/Users/pere/work/gitops/kafka-topology-builder/example/jks/kafka.keystore.jks
+#ssl.keystore.password=confluent
+
+julie.debug.mode=false
\ No newline at end of file
diff --git a/example/topology-builder-rbac-tls.properties b/example/topology-builder-rbac-tls.properties
index 155942fa4..04201d1db 100644
--- a/example/topology-builder-rbac-tls.properties
+++ b/example/topology-builder-rbac-tls.properties
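Review bot: `ssl.truststore.location` (and the commented-out keystore line) hardcodes `/Users/pere/work/gitops/kafka-topology-builder/example/jks/...`, a path from one developer's machine, so this example fails for anyone else; the sibling file already hints at the portable form with `#ssl.truststore.location=/example/jks/client.truststore.jks`, and a repo-relative `ssl.truststore.location=example/jks/kafka.truststore.jks` would work from any checkout. `topology.builder.mds.password = professor` and the same password inside `sasl.jaas.config` are committed in clear text, which is acceptable for an example only with a comment saying these are the demo LDAP credentials and must not be reused. Unlike the SSL sibling, this file does not set `ssl.endpoint.identification.algorithm`, so hostname verification stays at its default of `https` while the MDS URLs say `localhost`; whether the broker certificate carries a SAN for localhost I cannot tell from here, so please verify the connection actually succeeds.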
@@ -9,12 +9,12 @@ topology.builder.mds.kafka.connect.cluster.id = connect-cluster
 topology.builder.mds.ksqldb.cluster.id = ksqldb
 security.protocol=SSL
-ssl.truststore.location=/Users/pere/work/gitops/kafka-topology-builder/example/jks/client.truststore.jks
+ssl.truststore.location=/Users/pere/work/gitops/kafka-topology-builder/example/jks/kafka.truststore.jks
 #ssl.truststore.location=/example/jks/client.truststore.jks
 ssl.truststore.password=confluent
-ssl.keystore.location=/Users/pere/work/gitops/kafka-topology-builder/example/jks/client.keystore.jks
+ssl.keystore.location=/Users/pere/work/gitops/kafka-topology-builder/example/jks/kafka.keystore.jks
 #ssl.keystore.location=/example/jks/client.keystore.jks
 ssl.keystore.password=confluent
 ssl.endpoint.identification.algorithm=
-topology.builder.mds.allow.insecure=true
+#topology.builder.mds.allow.insecure=true
 julie.debug.mode=false
\ No newline at end of file
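Review bot: With `ssl.keystore.location` now pointing at `example/jks/kafka.keystore.jks`, the example client presents what is named as the broker's own keystore; under the `RULE:^CN=([a-zA-Z0-9.]*).*$/$1/` mapping introduced in kafka.properties that would make it principal `User:kafka`, which is a `super.users` entry there, so the example would demonstrate a super-user rather than an RBAC-scoped client — if the CN in that keystore is indeed `kafka`, a dedicated client keystore would keep the example honest. Commenting out `topology.builder.mds.allow.insecure=true` is the right direction, but the context line `ssl.endpoint.identification.algorithm=` still disables hostname verification for the TLS connection; once the certificate carries the right SAN, dropping that line (the default is `https`) completes the hardening. The two `#ssl.*.location=/example/jks/client.*.jks` comments now refer to files this commit deletes and should be updated or removed.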