diff --git a/docker/.env b/docker/.env new file mode 100644 index 000000000..a13497d8a --- /dev/null +++ b/docker/.env @@ -0,0 +1 @@ +TAG=5.5.0 diff --git a/docker/rbac-sasl/certs/ca.crt b/docker/rbac-sasl/certs/ca.crt new file mode 100644 index 000000000..e66a2dcea --- /dev/null +++ b/docker/rbac-sasl/certs/ca.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEBjCCAu6gAwIBAgIJAMjkZoJ9cjSyMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV +BAYTAlVLMRIwEAYDVQQKDAlDb25mbHVlbnQxDzANBgNVBAcMBkxvbmRvbjEeMBwG +A1UEAwwVa2Fma2EuY29uZmx1ZW50LmxvY2FsMB4XDTIxMDQyODE0MDY1NVoXDTMx +MDQyNjE0MDY1NVowUjELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR4wHAYDVQQDDBVrYWZrYS5jb25mbHVlbnQubG9jYWww +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0uyqRXnT58mVxwQWJdiBu +AjgmFpOvzBR35HrwfRpqW3EgHtw4fsqCA9PxbX2ax4wG9e+1i2OdYsg24fWgh2dY +5REyq/IchGtL7zE/6ED1iWnPO8QggJZ0xSBrTjtyesEK7pyyZ+7VkUGsClZLlear ++E6zenJYFca+RFWyN/nazRUXhQ6fkP8usQPsP6GWT6PjBmO3Ti3suDFC/NTTy3Re +eF7WAvkrUuxFWQtl5PP/Pumvx2zNrTMMHSlsCrIU7TmNGvZCQrCcRiIBmqQ5voiO +THvSo0jbAXde2wAXWPXVv/vz6D0MRwIXZSCEM5HBCdDEl8dKqdbB/N48xzAQhz/F +AgMBAAGjgd4wgdswHQYDVR0OBBYEFG80gaFck0G5BSFtC9DVkvGviXIAMA8GA1Ud +EwEB/wQFMAMBAf8wgYIGA1UdIwR7MHmAFG80gaFck0G5BSFtC9DVkvGviXIAoVak +VDBSMQswCQYDVQQGEwJVSzESMBAGA1UECgwJQ29uZmx1ZW50MQ8wDQYDVQQHDAZM +b25kb24xHjAcBgNVBAMMFWthZmthLmNvbmZsdWVudC5sb2NhbIIJAMjkZoJ9cjSy +MA4GA1UdDwEB/wQEAwIBBjAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcN +AQELBQADggEBANwyw65l8xzNF0U3kZBtmS72xUaEW9fXeeaguC+oEnl5e/gY5Buv +H53KOeIgWnHzyr1yxAiIY3L6FfNbiPT3K0iD/7KAsE16nV8pGA2MSS1PSg3YLSyl +YR8kvzmzg+8uEpK7OmJ+DCfFlgHBbRjlEN06wK4O0fdocc9q7nD+4oAMGMzfzIM/ +V6Im58cB2IQWmqxOsAQJ6G7d/Suw65FVLzwz6Hw5p30OgZcjD8i8o+PIQfjgT/RN +JpO5FHCDGNlaBeZPzB56YR+YKNXVtatpBAhrWbb083s3mBvaP9mrUy8F88m6E6Pw +B4wtxqaSIjxf0bILrS05bu7oX0WO68EAOzI= +-----END CERTIFICATE----- diff --git a/docker/rbac-sasl/certs/ca.key b/docker/rbac-sasl/certs/ca.key new file mode 100644 index 000000000..87f707bdc --- /dev/null +++ b/docker/rbac-sasl/certs/ca.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD0uyqRXnT58mVx +wQWJdiBuAjgmFpOvzBR35HrwfRpqW3EgHtw4fsqCA9PxbX2ax4wG9e+1i2OdYsg2 +4fWgh2dY5REyq/IchGtL7zE/6ED1iWnPO8QggJZ0xSBrTjtyesEK7pyyZ+7VkUGs +ClZLlear+E6zenJYFca+RFWyN/nazRUXhQ6fkP8usQPsP6GWT6PjBmO3Ti3suDFC +/NTTy3ReeF7WAvkrUuxFWQtl5PP/Pumvx2zNrTMMHSlsCrIU7TmNGvZCQrCcRiIB +mqQ5voiOTHvSo0jbAXde2wAXWPXVv/vz6D0MRwIXZSCEM5HBCdDEl8dKqdbB/N48 +xzAQhz/FAgMBAAECggEBAJc+jIImc/h8W0E/3uIjBMu3x2eSkFcWspedtnSlfAu6 +02DccZDgmtpa70LHPdbH97vdhfUWXcvIXp+8aYZ5597CQiykow4IsB7PhgpOyMZ1 +09RkxUKo9VLY+L4YLRkE0ASnjmObY7jM+l8OTGKOE264GDtHMx9I5fh0Vtm7Skhz +PHH2g4KYxGzeRks9BX/C+YbT0fvikqrxjoCAYVqEF/uXuhgYS7e50gVTDhmSDalP +iRwEdC7kUSxAk2JJF+vHaSDnqUbRnMwfmDEHgSCDjq/mGbwWRJ4tlVGPM5HFuCMB +OKFsaSw/swVVCerK/5yRQAoXnXKzdRp4q7aUfxT2D0kCgYEA+1l6X7/zEVw9rP26 +imLP0xu8SnQkMH32W4icaVqWaK6FDnpSh8Jp1QfN+NmTlY6dzD3d2HQ0imrNO33t +arkhVmu3nWfCd61v7h2X0XZKemlIm4KnR5cKlwFJxj+sVp1tZz71G30tW9v8MD7W +Knb1kkcKVduz0JMBscZrlimSlgMCgYEA+UJXDYZhPnnn9hofza/Ps2N6O1hl4ZY4 +2BQ2kLJTBxz1ahJhK5drxBqIVTovnxEKYHwhH9NeY7stkpDON+sAe25x27N76gPB +dMzQ6gx6ZMQ9mVR/UZ+tFFOtr+gTGyA+r4pUQ3I/QxEZU/yr2md9dEiWYikjGr0i +cv5AQpRC7JcCgYEAvUPKXzFF0cu4cXv5rFzti1S2OwYrfgxLpu8+gCKDYb4QWS+I +18twL8aZtYn4lMR4VCQ92dDfA1+avPJ9BUD0NoQUFkXcbIu/3fiQqlw9huGil98R +IVo90ilZKRwnJG2UxQrmPFXNAv+qbZXTZNSA5C30PWSbiTI5M2lq9/7D74sCgYAC +EqQor6JlY5wjNspm6nxesIgWsECApMAqQ9jEUUdRetMro6V9OFAkHFhf5RD6UKj2 +bnHUEuzpBWh2nI+qdWDWpe96dT6ljoxwTTe7iokGB3+/o60/X4WP8rYyDUsDYbxD +t3HF8dBG3YCJa0N+mHe5nNTrUg5Brar4q9aa9yKrVwKBgHz4ULU7Plq3oujA87bd ++I4NDLGbadHOaHlGUyY6FqMjeyUfuZVuh9cD2L57KbNLn9z09H8r1m8nJsxzHXv/ +zrhwSYfHdlKrw4DOBquc9pas4fifbyNjMHLrJmHETNL+c3nnlIF6AuRbWb6ypb1F +j5xtE49UPVPCCWeQGGw/vbq2 +-----END PRIVATE KEY----- diff --git a/docker/rbac-sasl/certs/ca.pem b/docker/rbac-sasl/certs/ca.pem new file mode 100644 index 000000000..53f1e1872 --- /dev/null +++ b/docker/rbac-sasl/certs/ca.pem 
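Review bot: An unencrypted PKCS#8 private key for the CA is checked into git here (ca.key), and the same key is committed a second time concatenated with its certificate in ca.pem; the leaf keys client.key, local-client.key, schema-registry-client.key and server.key, plus the binary .p12 and .jks keystores, follow in later hunks. Anyone with read access to the repository can now issue certificates that every truststore built from this CA accepts, so the material has to be treated as compromised from the moment it is pushed, even for a demo. A follow-up should remove these files from history where that is feasible, add `docker/rbac-sasl/certs/*.key`, `docker/rbac-sasl/certs/*.p12` and `docker/rbac-sasl/certs/*.jks` to .gitignore, and generate the PKI at setup time with a script so only ca.crt (or nothing) lives in git. If the keystores are intended as fixed demo fixtures, a README beside them should say so and name where their passphrases are configured — the compose files that consume them are outside this diff, so whether those passwords are committed too cannot be seen here.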
@@ -0,0 +1,52 @@ +-----BEGIN CERTIFICATE----- +MIIEBjCCAu6gAwIBAgIJAMjkZoJ9cjSyMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV +BAYTAlVLMRIwEAYDVQQKDAlDb25mbHVlbnQxDzANBgNVBAcMBkxvbmRvbjEeMBwG +A1UEAwwVa2Fma2EuY29uZmx1ZW50LmxvY2FsMB4XDTIxMDQyODE0MDY1NVoXDTMx +MDQyNjE0MDY1NVowUjELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR4wHAYDVQQDDBVrYWZrYS5jb25mbHVlbnQubG9jYWww +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0uyqRXnT58mVxwQWJdiBu +AjgmFpOvzBR35HrwfRpqW3EgHtw4fsqCA9PxbX2ax4wG9e+1i2OdYsg24fWgh2dY +5REyq/IchGtL7zE/6ED1iWnPO8QggJZ0xSBrTjtyesEK7pyyZ+7VkUGsClZLlear ++E6zenJYFca+RFWyN/nazRUXhQ6fkP8usQPsP6GWT6PjBmO3Ti3suDFC/NTTy3Re +eF7WAvkrUuxFWQtl5PP/Pumvx2zNrTMMHSlsCrIU7TmNGvZCQrCcRiIBmqQ5voiO +THvSo0jbAXde2wAXWPXVv/vz6D0MRwIXZSCEM5HBCdDEl8dKqdbB/N48xzAQhz/F +AgMBAAGjgd4wgdswHQYDVR0OBBYEFG80gaFck0G5BSFtC9DVkvGviXIAMA8GA1Ud +EwEB/wQFMAMBAf8wgYIGA1UdIwR7MHmAFG80gaFck0G5BSFtC9DVkvGviXIAoVak +VDBSMQswCQYDVQQGEwJVSzESMBAGA1UECgwJQ29uZmx1ZW50MQ8wDQYDVQQHDAZM +b25kb24xHjAcBgNVBAMMFWthZmthLmNvbmZsdWVudC5sb2NhbIIJAMjkZoJ9cjSy +MA4GA1UdDwEB/wQEAwIBBjAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcN +AQELBQADggEBANwyw65l8xzNF0U3kZBtmS72xUaEW9fXeeaguC+oEnl5e/gY5Buv +H53KOeIgWnHzyr1yxAiIY3L6FfNbiPT3K0iD/7KAsE16nV8pGA2MSS1PSg3YLSyl +YR8kvzmzg+8uEpK7OmJ+DCfFlgHBbRjlEN06wK4O0fdocc9q7nD+4oAMGMzfzIM/ +V6Im58cB2IQWmqxOsAQJ6G7d/Suw65FVLzwz6Hw5p30OgZcjD8i8o+PIQfjgT/RN +JpO5FHCDGNlaBeZPzB56YR+YKNXVtatpBAhrWbb083s3mBvaP9mrUy8F88m6E6Pw +B4wtxqaSIjxf0bILrS05bu7oX0WO68EAOzI= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD0uyqRXnT58mVx +wQWJdiBuAjgmFpOvzBR35HrwfRpqW3EgHtw4fsqCA9PxbX2ax4wG9e+1i2OdYsg2 +4fWgh2dY5REyq/IchGtL7zE/6ED1iWnPO8QggJZ0xSBrTjtyesEK7pyyZ+7VkUGs +ClZLlear+E6zenJYFca+RFWyN/nazRUXhQ6fkP8usQPsP6GWT6PjBmO3Ti3suDFC +/NTTy3ReeF7WAvkrUuxFWQtl5PP/Pumvx2zNrTMMHSlsCrIU7TmNGvZCQrCcRiIB +mqQ5voiOTHvSo0jbAXde2wAXWPXVv/vz6D0MRwIXZSCEM5HBCdDEl8dKqdbB/N48 +xzAQhz/FAgMBAAECggEBAJc+jIImc/h8W0E/3uIjBMu3x2eSkFcWspedtnSlfAu6 
+02DccZDgmtpa70LHPdbH97vdhfUWXcvIXp+8aYZ5597CQiykow4IsB7PhgpOyMZ1 +09RkxUKo9VLY+L4YLRkE0ASnjmObY7jM+l8OTGKOE264GDtHMx9I5fh0Vtm7Skhz +PHH2g4KYxGzeRks9BX/C+YbT0fvikqrxjoCAYVqEF/uXuhgYS7e50gVTDhmSDalP +iRwEdC7kUSxAk2JJF+vHaSDnqUbRnMwfmDEHgSCDjq/mGbwWRJ4tlVGPM5HFuCMB +OKFsaSw/swVVCerK/5yRQAoXnXKzdRp4q7aUfxT2D0kCgYEA+1l6X7/zEVw9rP26 +imLP0xu8SnQkMH32W4icaVqWaK6FDnpSh8Jp1QfN+NmTlY6dzD3d2HQ0imrNO33t +arkhVmu3nWfCd61v7h2X0XZKemlIm4KnR5cKlwFJxj+sVp1tZz71G30tW9v8MD7W +Knb1kkcKVduz0JMBscZrlimSlgMCgYEA+UJXDYZhPnnn9hofza/Ps2N6O1hl4ZY4 +2BQ2kLJTBxz1ahJhK5drxBqIVTovnxEKYHwhH9NeY7stkpDON+sAe25x27N76gPB +dMzQ6gx6ZMQ9mVR/UZ+tFFOtr+gTGyA+r4pUQ3I/QxEZU/yr2md9dEiWYikjGr0i +cv5AQpRC7JcCgYEAvUPKXzFF0cu4cXv5rFzti1S2OwYrfgxLpu8+gCKDYb4QWS+I +18twL8aZtYn4lMR4VCQ92dDfA1+avPJ9BUD0NoQUFkXcbIu/3fiQqlw9huGil98R +IVo90ilZKRwnJG2UxQrmPFXNAv+qbZXTZNSA5C30PWSbiTI5M2lq9/7D74sCgYAC +EqQor6JlY5wjNspm6nxesIgWsECApMAqQ9jEUUdRetMro6V9OFAkHFhf5RD6UKj2 +bnHUEuzpBWh2nI+qdWDWpe96dT6ljoxwTTe7iokGB3+/o60/X4WP8rYyDUsDYbxD +t3HF8dBG3YCJa0N+mHe5nNTrUg5Brar4q9aa9yKrVwKBgHz4ULU7Plq3oujA87bd ++I4NDLGbadHOaHlGUyY6FqMjeyUfuZVuh9cD2L57KbNLn9z09H8r1m8nJsxzHXv/ +zrhwSYfHdlKrw4DOBquc9pas4fifbyNjMHLrJmHETNL+c3nnlIF6AuRbWb6ypb1F +j5xtE49UPVPCCWeQGGw/vbq2 +-----END PRIVATE KEY----- diff --git a/docker/rbac-sasl/certs/ca.srl b/docker/rbac-sasl/certs/ca.srl new file mode 100644 index 000000000..a7c39cdce --- /dev/null +++ b/docker/rbac-sasl/certs/ca.srl @@ -0,0 +1 @@ +8D79F8130665E574 diff --git a/docker/rbac-sasl/certs/client.crt b/docker/rbac-sasl/certs/client.crt new file mode 100644 index 000000000..0ff582a1a --- /dev/null +++ b/docker/rbac-sasl/certs/client.crt 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID1TCCAr2gAwIBAgIJAI15+BMGZeVyMA0GCSqGSIb3DQEBBQUAMFIxCzAJBgNV +BAYTAlVLMRIwEAYDVQQKDAlDb25mbHVlbnQxDzANBgNVBAcMBkxvbmRvbjEeMBwG +A1UEAwwVa2Fma2EuY29uZmx1ZW50LmxvY2FsMB4XDTIxMDQyODE0MDY1NVoXDTMx +MDQyNjE0MDY1NVowUjELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR4wHAYDVQQDDBVrYWZrYS5jb25mbHVlbnQubG9jYWww +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKdN7qJYpPRbX0zStfBA/u ++222HmtLKLxozH7iDfdbt9FWYkQ8ZommSYaP82rcwhSpOkEw8NajyHMGvCN2emYM +fDCjUVhoyvNVEZYUI/eetCYERYbqUQPBIbZEjGuGaam+5YsM04RuWjecq+yR9E9H +hklQsFGAXeRewtzUmGMNUUJQNrQZVFF98HwX6EZ8FSzd7SYvbRIxwcs4QwO+AATy +rQcxvgdXtDyPyTGQ3X4Mv0Kr17tp4q3n5Km5OmFGzdYuplqCkSXnpqVVpapYgj/7 +PxXvgDTy99QfSxNL4Erj8WsnEcbxlnDdAqRDDbbcxMUl3xNNLy0IFp827ZbOA9yp +AgMBAAGjga0wgaowHQYDVR0OBBYEFGXfBpKtF0oDUL4GyuhNcug60e4nMAkGA1Ud +EwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmlj +YXRlMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjArBgNVHREE +JDAighVrYWZrYS5jb25mbHVlbnQubG9jYWyCCWxvY2FsaG9zdDANBgkqhkiG9w0B +AQUFAAOCAQEAQ8O6Q5wB8MdKc+xI9fBAq74H3fM5M0lbNnvCWpiiTcWlVvPUM0S+ +NV7PFF/bhYvxMzeEoZ6p4XjEUGprdNbuj3jauVdlZTuYR+J/P8fEpUmTqflfcTyk +Eh6t5yF+WQ4THGtg6/wYYhn6xsiNrZZSAHzl35kNjK34fr5rodyeE6Dtea3qAT2Q +GCk4d8U6ijZ+1A4DzqmGZkSynm4jeHMcDHnrtwXw19PtR/vi6vfHDALs0n2SAkWg +reS2orzR95Y6Wy7rh8iEmHUiiManskDzdfz7k4fujcYj2zBo1GL0v9Dhxsj2OVI7 +c4teSweVqgCbuG2WPSD/D5tjfeykF9/jnQ== +-----END CERTIFICATE----- diff --git a/docker/rbac-sasl/certs/client.csr b/docker/rbac-sasl/certs/client.csr new file mode 100644 index 000000000..a03f7a842 --- /dev/null +++ b/docker/rbac-sasl/certs/client.csr 
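Review bot: The leaf certificate added here is signed with sha1WithRSAEncryption (the signature AlgorithmIdentifier `MA0GCSqGSIb3DQEBBQUA` decodes to OID 1.2.840.113549.1.1.5), whereas the CA certificate in ca.crt is sha256WithRSAEncryption; the same SHA-1 signature appears on local-client.crt, schema-registry-client.crt and server.crt in later hunks. OpenSSL 3.x rejects SHA-1 certificate signatures at its default security level and JDK policy is moving the same way, so the fixtures may stop validating on newer images even though they work with TAG=5.5.0; re-issuing the four leaves with `openssl x509 -req -sha256 ...` fixes this without touching the CA. Separately, client.crt's subject DN is identical to server.crt's and to the CA's (`/C=UK/O=Confluent/L=London/CN=kafka.confluent.local`, as the bag attributes in client.pem also show), so if the broker derives the principal from the client DN, the client and the broker presumably collapse into one principal, which defeats the point of an RBAC example; giving the client its own CN avoids that. All four leaves are valid from 2021-04-28 to 2031-04-26, which is acceptable for fixtures but worth stating in the README.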
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIDVjCCAj4CAQAwUjELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR4wHAYDVQQDDBVrYWZrYS5jb25mbHVlbnQubG9jYWww +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKdN7qJYpPRbX0zStfBA/u ++222HmtLKLxozH7iDfdbt9FWYkQ8ZommSYaP82rcwhSpOkEw8NajyHMGvCN2emYM +fDCjUVhoyvNVEZYUI/eetCYERYbqUQPBIbZEjGuGaam+5YsM04RuWjecq+yR9E9H +hklQsFGAXeRewtzUmGMNUUJQNrQZVFF98HwX6EZ8FSzd7SYvbRIxwcs4QwO+AATy +rQcxvgdXtDyPyTGQ3X4Mv0Kr17tp4q3n5Km5OmFGzdYuplqCkSXnpqVVpapYgj/7 +PxXvgDTy99QfSxNL4Erj8WsnEcbxlnDdAqRDDbbcxMUl3xNNLy0IFp827ZbOA9yp +AgMBAAGggb4wgbsGCSqGSIb3DQEJDjGBrTCBqjAdBgNVHQ4EFgQUZd8Gkq0XSgNQ +vgbK6E1y6DrR7icwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH +ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoG +CCsGAQUFBwMCMCsGA1UdEQQkMCKCFWthZmthLmNvbmZsdWVudC5sb2NhbIIJbG9j +YWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQBZlGoJ8Q1ele55lzaJak8Tt7O12N3b +WDiP+2IXYyzk3VJGFkYpTtmFMW9Rqg1jHTum+A7SrooINxoNxSl/yZTSb7B0eyYY +IFLkvM/3XdKDPIuTfrOxrKpYI5fxdpehZBX68ZrcBfYanig9JYwDz3njtNAnTTun +/KoRtpd6j3TF3RZsbqa9ZJm7iS3D1AX/J+myYXcxWdlU9M0wyswYqh1r4b6qzRHR +P8RBHSpA6b3fuy6bJXiqwf621uMciprfvRd9CjGOOZUfUZ30YmZpcCPTxXjBED9+ +zYQ2WjoFJpw9dw46E0BuUFcqJUk5xQP2sV9yDN18e5C5flzWI4QrqwJM +-----END CERTIFICATE REQUEST----- diff --git a/docker/rbac-sasl/certs/client.key b/docker/rbac-sasl/certs/client.key new file mode 100644 index 000000000..8738ba466 --- /dev/null +++ b/docker/rbac-sasl/certs/client.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDKdN7qJYpPRbX0 +zStfBA/u+222HmtLKLxozH7iDfdbt9FWYkQ8ZommSYaP82rcwhSpOkEw8NajyHMG +vCN2emYMfDCjUVhoyvNVEZYUI/eetCYERYbqUQPBIbZEjGuGaam+5YsM04RuWjec +q+yR9E9HhklQsFGAXeRewtzUmGMNUUJQNrQZVFF98HwX6EZ8FSzd7SYvbRIxwcs4 +QwO+AATyrQcxvgdXtDyPyTGQ3X4Mv0Kr17tp4q3n5Km5OmFGzdYuplqCkSXnpqVV +papYgj/7PxXvgDTy99QfSxNL4Erj8WsnEcbxlnDdAqRDDbbcxMUl3xNNLy0IFp82 +7ZbOA9ypAgMBAAECggEBAKPR6caBVedLOy65Dc02lkYEgQQKnTsV3U7XmhwEvREk +Lmm93gUZ22wItq+ogeHb0agVkUauup+QxTK/7doitIyJuTmNywIQptFBB7WIXQe4 +McLnF4Jmx6jxRHE3RpJe0ZG8X8WjKde5fKJzo1t+2t+/U3fNFEXQs8fR2arVG+Fb +XKPXyxDj8Jxv73dH2ciwkm2yNtThtXAm36rwFSJP3eA8SQ4lKikNsC3z/tPUzZtu +0h8eHmQaCdOLVDvBWjL61WEMmf7zodBonSE1xKd81lJzELdCKpEkp/JABvh/ezHT +yoWnU9PsYVBqGLRVlGeHJafyVAtNQMGbKvl6kpljfAECgYEA7EKmAwfCtVkPseod +Z8opOM0RPPEHuVgpgGDhn18q7x+/5r8YtAD+i4hoOje20/bHTtPsWyUlvFGsqJtU +6EWKuCZbDvTtzg7vP7hU3NpDDAy44HIXasrHWlyKtVhDuLV7ZmSHv/dGqf1oWMG7 +vGP2iHgCHaZnylIoQBIr5WDrDGkCgYEA218yBVfSnm4x4cATzEfNhn2vpAqsAoQ0 +kVA96PCstR6tjXWZYYVOGRdY3yJytY4BisAAyIpeAd3y/fu9QpuIdQiLlQeBEIQP +X+26IPkeJTYgx0mCikiObpXsfmO7XyYiO0is85qe6/4k4EuAm6o7NNCVDzqoKUxk +xtWPPutJRkECgYBV+bcB+UwAxGUywFhtEaNImU+BltDRwORxZFAWuAIevLYP2VC7 +CHWY/022idnNbst+wx4K2QzPaAVl4gjW8Z+Wfda7LaRwTP0BeinfqMmnU+XfP4WI +BjzfhDex4GnciKZcT48a63hame3kBrQzzUjExq82bPzuIlGlZzd0JH3EqQKBgQCI +ymmEj2jURd5w6LbvsO5lqMX3QnhT8WBeJG0Wbc0j+4c5KFWGS/uRBc/zA6YHtA8e +F+/lHPLVszKsUWeIuzdx0uxG97DxPYfgx3pCyVSU25XA7wOpeujl6DLZ9RKHmF3M +HdtK4+WpPoZ8HliJuLLGkjIAlxD4/5vvqId0Mn80gQKBgEtUVzFltd8Yt/u4AbdK +4xA1Zw1XZEfcfEcTfidz8WE5uoJYpChXeJKRsStQ+rA6W6Oxh28sZzytS4UjVtd2 +Sort20M+dApEzJNULzca2PYPHd42lAYccZlHem4sA3dHp6W7j6txJMeKBXTi/23H +fcZCumpWfg8tYvAgQF+/4kBk +-----END PRIVATE KEY----- diff --git a/docker/rbac-sasl/certs/client.keystore.jks b/docker/rbac-sasl/certs/client.keystore.jks new file mode 100644 index 000000000..554fa6c88 Binary files /dev/null and b/docker/rbac-sasl/certs/client.keystore.jks differ 
diff --git a/docker/rbac-sasl/certs/client.p12 b/docker/rbac-sasl/certs/client.p12 new file mode 100644 index 000000000..689678a6f Binary files /dev/null and b/docker/rbac-sasl/certs/client.p12 differ diff --git a/docker/rbac-sasl/certs/client.pem b/docker/rbac-sasl/certs/client.pem new file mode 100644 index 000000000..10c3fb570 --- /dev/null +++ b/docker/rbac-sasl/certs/client.pem 
@@ -0,0 +1,89 @@ +Bag Attributes + localKeyID: B2 1E 9F 8C 49 1A 07 B4 40 90 20 AA 36 45 DA A8 90 F6 1B CF + friendlyName: kafka.confluent.local +subject=/C=UK/O=Confluent/L=London/CN=kafka.confluent.local +issuer=/C=UK/O=Confluent/L=London/CN=kafka.confluent.local +-----BEGIN CERTIFICATE----- +MIID1TCCAr2gAwIBAgIJAI15+BMGZeVyMA0GCSqGSIb3DQEBBQUAMFIxCzAJBgNV +BAYTAlVLMRIwEAYDVQQKDAlDb25mbHVlbnQxDzANBgNVBAcMBkxvbmRvbjEeMBwG +A1UEAwwVa2Fma2EuY29uZmx1ZW50LmxvY2FsMB4XDTIxMDQyODE0MDY1NVoXDTMx +MDQyNjE0MDY1NVowUjELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR4wHAYDVQQDDBVrYWZrYS5jb25mbHVlbnQubG9jYWww +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKdN7qJYpPRbX0zStfBA/u ++222HmtLKLxozH7iDfdbt9FWYkQ8ZommSYaP82rcwhSpOkEw8NajyHMGvCN2emYM +fDCjUVhoyvNVEZYUI/eetCYERYbqUQPBIbZEjGuGaam+5YsM04RuWjecq+yR9E9H +hklQsFGAXeRewtzUmGMNUUJQNrQZVFF98HwX6EZ8FSzd7SYvbRIxwcs4QwO+AATy +rQcxvgdXtDyPyTGQ3X4Mv0Kr17tp4q3n5Km5OmFGzdYuplqCkSXnpqVVpapYgj/7 +PxXvgDTy99QfSxNL4Erj8WsnEcbxlnDdAqRDDbbcxMUl3xNNLy0IFp827ZbOA9yp +AgMBAAGjga0wgaowHQYDVR0OBBYEFGXfBpKtF0oDUL4GyuhNcug60e4nMAkGA1Ud +EwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmlj +YXRlMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjArBgNVHREE +JDAighVrYWZrYS5jb25mbHVlbnQubG9jYWyCCWxvY2FsaG9zdDANBgkqhkiG9w0B +AQUFAAOCAQEAQ8O6Q5wB8MdKc+xI9fBAq74H3fM5M0lbNnvCWpiiTcWlVvPUM0S+ +NV7PFF/bhYvxMzeEoZ6p4XjEUGprdNbuj3jauVdlZTuYR+J/P8fEpUmTqflfcTyk +Eh6t5yF+WQ4THGtg6/wYYhn6xsiNrZZSAHzl35kNjK34fr5rodyeE6Dtea3qAT2Q +GCk4d8U6ijZ+1A4DzqmGZkSynm4jeHMcDHnrtwXw19PtR/vi6vfHDALs0n2SAkWg +reS2orzR95Y6Wy7rh8iEmHUiiManskDzdfz7k4fujcYj2zBo1GL0v9Dhxsj2OVI7 +c4teSweVqgCbuG2WPSD/D5tjfeykF9/jnQ== +-----END CERTIFICATE----- +Bag Attributes: +subject=/C=UK/O=Confluent/L=London/CN=kafka.confluent.local +issuer=/C=UK/O=Confluent/L=London/CN=kafka.confluent.local +-----BEGIN CERTIFICATE----- +MIIEBjCCAu6gAwIBAgIJAMjkZoJ9cjSyMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV +BAYTAlVLMRIwEAYDVQQKDAlDb25mbHVlbnQxDzANBgNVBAcMBkxvbmRvbjEeMBwG 
+A1UEAwwVa2Fma2EuY29uZmx1ZW50LmxvY2FsMB4XDTIxMDQyODE0MDY1NVoXDTMx +MDQyNjE0MDY1NVowUjELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR4wHAYDVQQDDBVrYWZrYS5jb25mbHVlbnQubG9jYWww +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0uyqRXnT58mVxwQWJdiBu +AjgmFpOvzBR35HrwfRpqW3EgHtw4fsqCA9PxbX2ax4wG9e+1i2OdYsg24fWgh2dY +5REyq/IchGtL7zE/6ED1iWnPO8QggJZ0xSBrTjtyesEK7pyyZ+7VkUGsClZLlear ++E6zenJYFca+RFWyN/nazRUXhQ6fkP8usQPsP6GWT6PjBmO3Ti3suDFC/NTTy3Re +eF7WAvkrUuxFWQtl5PP/Pumvx2zNrTMMHSlsCrIU7TmNGvZCQrCcRiIBmqQ5voiO +THvSo0jbAXde2wAXWPXVv/vz6D0MRwIXZSCEM5HBCdDEl8dKqdbB/N48xzAQhz/F +AgMBAAGjgd4wgdswHQYDVR0OBBYEFG80gaFck0G5BSFtC9DVkvGviXIAMA8GA1Ud +EwEB/wQFMAMBAf8wgYIGA1UdIwR7MHmAFG80gaFck0G5BSFtC9DVkvGviXIAoVak +VDBSMQswCQYDVQQGEwJVSzESMBAGA1UECgwJQ29uZmx1ZW50MQ8wDQYDVQQHDAZM +b25kb24xHjAcBgNVBAMMFWthZmthLmNvbmZsdWVudC5sb2NhbIIJAMjkZoJ9cjSy +MA4GA1UdDwEB/wQEAwIBBjAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcN +AQELBQADggEBANwyw65l8xzNF0U3kZBtmS72xUaEW9fXeeaguC+oEnl5e/gY5Buv +H53KOeIgWnHzyr1yxAiIY3L6FfNbiPT3K0iD/7KAsE16nV8pGA2MSS1PSg3YLSyl +YR8kvzmzg+8uEpK7OmJ+DCfFlgHBbRjlEN06wK4O0fdocc9q7nD+4oAMGMzfzIM/ +V6Im58cB2IQWmqxOsAQJ6G7d/Suw65FVLzwz6Hw5p30OgZcjD8i8o+PIQfjgT/RN +JpO5FHCDGNlaBeZPzB56YR+YKNXVtatpBAhrWbb083s3mBvaP9mrUy8F88m6E6Pw +B4wtxqaSIjxf0bILrS05bu7oX0WO68EAOzI= +-----END CERTIFICATE----- +Bag Attributes + localKeyID: B2 1E 9F 8C 49 1A 07 B4 40 90 20 AA 36 45 DA A8 90 F6 1B CF + friendlyName: kafka.confluent.local +Key Attributes: +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIzK+7fIBmsI4CAggA +MBQGCCqGSIb3DQMHBAjfDj7A+VD9SQSCBMgkHhYnIOhDSaeOYv49mfzdEcgjyPRb +UQ9Q4uwk1uf+TuWOmLo9gAzR/agIKjcowYVVOlFAHQ13g55dwp7c5ISkKLwiNAtl +5Rz/MEDLrc39RHt49tw4SZ5C58gG7qywKMIES3M/EibxLyDSP/veFHego+avnNHh +xQiHQrZ84MhCaNpaWh2yZ+vVzAzvTaJhWDMc8o0ciCq0cW9PwbY8ufphaez0dx46 +5K3Bxx9qyZs1g0M4t2wzbObOlYbh1lsHGxpT6e941JLGSvLwtOitYCa51Dryyon5 +ySqKaIpA4Tzo5aMTstFt3xwYkq5Mf4XR9y6KoH/MUnlxIvtkW/KmnF9WsiwS2cna 
+H5KQVQ7E8povmIJCRXDIEpgtr/Gs3zaRjm55C3OJJRBkmrpaMPzWrhp1Y6JejDBC ++/RdR9tdNWgBtfpsfpv1QUAXBu3G9apJO8ruOIWNAjAi4ud2yfn6nZ3NYrY6NxNS +pgZUw3rwN11xHlqn3/FOiY5+1L5ECfnz5j6ZN1mHEfDq7okNa/NtYbIZrXtfL0Af +7biB+Bsb2T2oiWxy+qcsFOaOROUE8LZrFORF5JHvW9aKaktRHZ29UCW5MUWv9Jmu +ZFDoaqTyAX1lC2lx6mhaiRpDVS9klFRXT/XgbOIUe3IL0XyUwMpnHEK/dRldGu1e +TZQwkhDO8+mtuzdMlbUdTDH+WItzudtYfAqfi/kyergaiYdArNh0XAaf/9fly+5w +9toWjtmEmnfg7tlzvq032g143ChSfxAs3Q0tx+ZbBDlw60izc5QCRpc9GZEKY4BN +bzuR0bwAwx5wi/6SPpD4i2tU/zHM2iAeQfL/DUqY9xQNX3FbKVUWuL/1hfPdCxha +21RqcUiBmY8yTNm6VZB5cGDGyGIUmiXsq1LTzHJFK/Y/nE0YrbeXrzAe9cWSxfoS +rSdBnzVd73GaVIP+cfb+4VgwIvACFR+s+X8XqfnuZjytEkltzLdoN2kLpp2pShmy +Y+gSKjR+roBrRhG+gmp0/Nn81CQGUzRANQ1J/3lUvqFoG0z1vk/xPLUx7Bcwizfv +1JnYSPtj/PO1g1SK/PeKIPgd/yg11oPAktWI+XqC6nnXe4g5K+G4HvhMLeuIm6qA +i+DCGrXFJe+VyD0r2TRWzj/YZYoaJP6/ezhQxTwk8djVRYA4GrLuhJgmIQx9P7zZ +fyeWMa3GJcZUB6qrNTaKAwirEgJxFuLAL6mJapkmBmWT987RE5JIEAPBFWyWTlj3 +/RCFU8FZkHOFejhFt9Re5TbAUUTmy30u1GDsaapa0t9XzkTVc80EznoxnPxShPHq +7n8BU930TNyqbd4aKDvtfx+46czQWZ+raZ+mfQ9wg1H7UMQ7r4s1t4ZgkJr3h+ts ++WtIacoCeO876qFyH09+DQkG9wimUAKxIQus1nTeXAcMf7AvzFITxYK09mA4PHUN +uGLL6/abN9pg4GywbQgOHo4sPZdxFtjgpobinHovP3semgTrNWBPa4m0d1nLhGgD +zwVfc9ba0054mYV/twOCgFK+ac9Fmwk5RvTyi1f7ZGXKgYAwPLyM/KRxJm2z756K +JQT0pY/1XG4xGHdV3G6kD06pEtqWlEa0YJp3KDMFpDapHRJfHWXWVaIHZjFwbMoZ +2Rc= +-----END ENCRYPTED PRIVATE KEY----- diff --git a/docker/rbac-sasl/certs/local-client.crt b/docker/rbac-sasl/certs/local-client.crt new file mode 100644 index 000000000..9af54385e --- /dev/null +++ b/docker/rbac-sasl/certs/local-client.crt 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDvTCCAqWgAwIBAgIJAI15+BMGZeV0MA0GCSqGSIb3DQEBBQUAMFIxCzAJBgNV +BAYTAlVLMRIwEAYDVQQKDAlDb25mbHVlbnQxDzANBgNVBAcMBkxvbmRvbjEeMBwG +A1UEAwwVa2Fma2EuY29uZmx1ZW50LmxvY2FsMB4XDTIxMDQyODE0MDY1NVoXDTMx +MDQyNjE0MDY1NVowUTELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR0wGwYDVQQDDBRLaXJpbC1QaXNrdW5vdi5sb2NhbDCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ9MxbO7AK/tGYe8XegxIS3t +ShhqdokCQOaCRPTyNC+m97/gN2HRVyRzZyA0OSooBBvANpfWGYe5JhglRmWIOvPI +flE8RJllfeDUN3gFHxNcpbuhlsvuVWOYHcXkmTt0L+grF+6gupL6ajOGmd3XU+8e +7MoOW/77+diNXP8W4LQShtoycGI9SJTTjCfZ9SvSla87cjaTpbbd75MW6mNJYYwN +RHW7Gwb3N58KGZc0Yx8KE2pS7y8T1kUa7w7Rn+7AgIxYoH0EiTjyIPeO2Anc7FWD +mp6FBmMFRG3vhmpPq5DQDQH1S5WwhJ5+PWlh5wDkuWpzkKi/ZSz/1HwThiM1OJMC +AwEAAaOBljCBkzAdBgNVHQ4EFgQU1uWkeFAuwcx0i9yodk5qqmtWQK8wCQYDVR0T +BAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNh +dGUwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMBQGA1UdEQQN +MAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQUFAAOCAQEAHHUUtb5YCm2XPRjYoOdG +dKNPEBOzxl5nRrrqpTc0DyTGzsXDRhrwVUhPWtKNgWc4XBb4rPZ4mwBCaoX4uPh8 +OfjmDti+w33N/iXoz31pGkwzCpsbFY0AxEQXr1z9KEf0jg5K9KufmmAczkVHB/vY +CZW7a/ZFpUdBvIapffpDxaJcWfdj1aTmruiaWSNHhs8cBYfX2reWIPPuWLJC/s1r +DM5fk5oDOmPekIjvQrLRm3ZYgxfrk5z4Vavz7RRnUSpcRTqTZ8b7QyPvYnVnkVKc +lpAeMNi0pIKJnV7O+SZcuIFEaXz+ejLFPWSQEKYH3LI4BVepu7N/P7gZvp80lggz +ZQ== +-----END CERTIFICATE----- diff --git a/docker/rbac-sasl/certs/local-client.csr b/docker/rbac-sasl/certs/local-client.csr new file mode 100644 index 000000000..104ee5bea --- /dev/null +++ b/docker/rbac-sasl/certs/local-client.csr 
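Review bot: The subject CN of local-client.crt decodes to what looks like a developer workstation hostname rather than a service or role name, with `localhost` as the only subjectAltName; the same subject is repeated in local-client.csr in the next hunk. If the principal is taken from the DN, as is the default, any RBAC role binding that references this client (outside this diff) becomes tied to one person's machine name, and the name itself is now published with the repository. A neutral CN such as `local-client` keeps the fixture reusable and avoids embedding personal identifiers in committed certificates.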
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIDPjCCAiYCAQAwUTELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR0wGwYDVQQDDBRLaXJpbC1QaXNrdW5vdi5sb2NhbDCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ9MxbO7AK/tGYe8XegxIS3t +ShhqdokCQOaCRPTyNC+m97/gN2HRVyRzZyA0OSooBBvANpfWGYe5JhglRmWIOvPI +flE8RJllfeDUN3gFHxNcpbuhlsvuVWOYHcXkmTt0L+grF+6gupL6ajOGmd3XU+8e +7MoOW/77+diNXP8W4LQShtoycGI9SJTTjCfZ9SvSla87cjaTpbbd75MW6mNJYYwN +RHW7Gwb3N58KGZc0Yx8KE2pS7y8T1kUa7w7Rn+7AgIxYoH0EiTjyIPeO2Anc7FWD +mp6FBmMFRG3vhmpPq5DQDQH1S5WwhJ5+PWlh5wDkuWpzkKi/ZSz/1HwThiM1OJMC +AwEAAaCBpzCBpAYJKoZIhvcNAQkOMYGWMIGTMB0GA1UdDgQWBBTW5aR4UC7BzHSL +3Kh2Tmqqa1ZArzAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdl +bmVyYXRlZCBDZXJ0aWZpY2F0ZTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYI +KwYBBQUHAwIwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IB +AQAif/KD3wZWFZL4xUtjwKcRXm0QsQ07sgapkt+TM6pJxNMSrtTCV367yyqX+/// +JBijEXFXCyGSKVRariCNJBlZPpXT/7EcOafn6z0vFk5Lxy5jIrSKDfQBdQN/D5jA +5hn4clH0HBBa2o6x+D9F60T6O02Me4JUUud366MUlwMDVjF+CN+Uvfv/HPz8pMs0 +W1pU6nkzpafxoWYVdpfbhT6zZVAxvWdu2ZPiAsrh5WMz+Qh1Bf5waJkkew1Fww0x +GQwa2Dkkw7yjxyqHV9khXcsDqL/mRjhybcYwSBKIxjPs8mvAxxqkBuCQH3n+OY9A +OnZcIcEVnZChGpisWlkTxAM+ +-----END CERTIFICATE REQUEST----- diff --git a/docker/rbac-sasl/certs/local-client.key b/docker/rbac-sasl/certs/local-client.key new file mode 100644 index 000000000..d708fa3fd --- /dev/null +++ b/docker/rbac-sasl/certs/local-client.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCfTMWzuwCv7RmH +vF3oMSEt7UoYanaJAkDmgkT08jQvpve/4Ddh0Vckc2cgNDkqKAQbwDaX1hmHuSYY +JUZliDrzyH5RPESZZX3g1Dd4BR8TXKW7oZbL7lVjmB3F5Jk7dC/oKxfuoLqS+moz +hpnd11PvHuzKDlv++/nYjVz/FuC0EobaMnBiPUiU04wn2fUr0pWvO3I2k6W23e+T +FupjSWGMDUR1uxsG9zefChmXNGMfChNqUu8vE9ZFGu8O0Z/uwICMWKB9BIk48iD3 +jtgJ3OxVg5qehQZjBURt74ZqT6uQ0A0B9UuVsISefj1pYecA5Llqc5Cov2Us/9R8 +E4YjNTiTAgMBAAECggEAe9sKICr2ZtJ3NiUL8ns4a+gB4yfrj60T3uVMThJ+5snv ++NyQ0tob4fhkJxLTm2ZPg3AYQkexw+f9qWpZ6JlaFK8/H1Q3lfjmPUdi9UsuFTTE +mzUQ9PASrgPYqkOJrEMy+FWBHwUS6zIOHo+51FUWKmYl/xfZCVDKukd3FdKo1PgU +iQn8Rn7g95a1YxLBkXL9RUCuKrp6M7kawRWirvzgcYm5l0ICP6fzXo6zNr6d+0v2 +ZaQa0MzIpGF0/1Vhpbh1yvbT26aJhKZ5hnG9gbiAZddtn9KLsu3mJgc5j8bjrlTS +Nm6rgLkNbF87u15uv80xMnotm+/WR75JEEv7dvkbkQKBgQDO6zWRymOTA/JKp9eQ +qm91iWawp2uWX62WY/iz9WTAAknEMAn571Obq/y2EC+EmkvWg9TJeEqc8DxyQGSf +VDQIu63szEadYZG74b2Z0kTt8eVW1FaLyqyiRdVqXFwAO+lI86/Gy3slp61kohiM +2uQKgDSm8oaZCIUww5RLjTEF+QKBgQDFFfyd4Y/4FPasaF7aESMlVNTLTw55C57n +r1wXAXtFCdc4Q0MlO9yGwq99mE11OupFJt5I+m08j6enOvu9j/j5hMVBPtCTHaXY +qJ5VrVeVvJRs5nYGDM9/L0ZCBWsy7e0ZMmexS77c9wYFTbLqrIGvgSamwsecFvOV +kKatxwXl6wKBgQDAUPzJNEK4McLQgI9qdf6CT+KR7gmhCexdCy3slPe/PmExZzTe +iAI9feyzivefV4mFJ6JuXs96bg7AYfkj3S8/rrBIltRLEpRQ+88tWLGYNmvh+Bk4 +dHdfm2hwIsefsA9zLosBSb57kQ0nq0EGKawp1l8Zi/Bt6+1fFWiPj/swgQKBgQCM +BHLUN8vwk/QryHqaslIl037ace/2Tys1rn/eWE8bXUJp1l99tGmX0/iZYfqlrpWB +S3vgnQm+XNDfHih7JC3eF1WMZPQJkKaipijW9a+j0bYhKBnxcmh4Ez326aKfLCmm +HQlODGIs2dKNMgZKcwQvi7HKB9eILUYgnAPOsfaewQKBgBzJPIxDvqJSImcPthD8 +u2itVigrdDTNzPNmJDsi0RkuW68Bg+PLTrJTclNPhBjKt7PPwWGb9k/uGNZDyy5H +FncMcIvnorPCRvjo3W+V0rFyXswMawZvrWcBTeHb9kXOStrbBQ/1DPrknRuSjF4Q +eWHBgDv2YH1UzcRFjJZ3ZQYV +-----END PRIVATE KEY----- diff --git a/docker/rbac-sasl/certs/local-client.keystore.jks b/docker/rbac-sasl/certs/local-client.keystore.jks new file mode 100644 index 000000000..25434c8d4 Binary files /dev/null and b/docker/rbac-sasl/certs/local-client.keystore.jks differ 
diff --git a/docker/rbac-sasl/certs/local-client.p12 b/docker/rbac-sasl/certs/local-client.p12 new file mode 100644 index 000000000..69a855d93 Binary files /dev/null and b/docker/rbac-sasl/certs/local-client.p12 differ diff --git a/docker/rbac-sasl/certs/schema-registry-client.crt b/docker/rbac-sasl/certs/schema-registry-client.crt new file mode 100644 index 000000000..80a2e0532 --- /dev/null +++ b/docker/rbac-sasl/certs/schema-registry-client.crt @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID6DCCAtCgAwIBAgIJAI15+BMGZeVzMA0GCSqGSIb3DQEBBQUAMFIxCzAJBgNV +BAYTAlVLMRIwEAYDVQQKDAlDb25mbHVlbnQxDzANBgNVBAcMBkxvbmRvbjEeMBwG +A1UEAwwVa2Fma2EuY29uZmx1ZW50LmxvY2FsMB4XDTIxMDQyODE0MDY1NVoXDTMx +MDQyNjE0MDY1NVowXDELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMSgwJgYDVQQDDB9zY2hlbWEtcmVnaXN0cnkuY29uZmx1 +ZW50LmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4XAZo0YY +SOjDxgK0YyABVppkU02MYXXjDKMavR2ind3S+nWo6REYJtRxg8jW/RoEafWuyhZb +BGiKh9QNoX1xBZCk1IFtsavUxvKnzEQzs1Bj4gxgLvuzY0Oac9/N+7oqPLAcQ3tH +Pc1YAbQLyX3ZfXaokGxQ770QGdRgevkqypo5u1+0AEMzBAhqc7EtwxceFdTOgQLn +DS7xmiK5JBm+Km6QlK9hCzCjRfkjfO89XduknuuoYh56+q8Y0dTfAFazFT/n7hgm +AULFKCs57n0lJhZXdt6xJMcvO88iVMSPkWvKAxtNJKgbgfN08yD/1g79u8jZ9mbU +XaiOpWePnpt7zQIDAQABo4G2MIGzMB0GA1UdDgQWBBQ21zB+/jEogXUUZ1gkitI+ +QxMxyzAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRl +ZCBDZXJ0aWZpY2F0ZTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH +AwIGCCsGAQUFBwMBMCoGA1UdEQQjMCGCH3NjaGVtYS1yZWdpc3RyeS5jb25mbHVl +bnQubG9jYWwwDQYJKoZIhvcNAQEFBQADggEBABH5NnK7v9xO82Fw0OmlO0uH4M2b +wCNtLooU5NSAtE/EXdzE9ibUJvUimQHWOUfkF+5CGcivSIhW4Vaccg5GJuRqeWg4 +Al0/42Xc2152vxgXfqOcpcYCJjSfNIO9cBgvNilxKY9aPfTAsWHLMMgykN+z5BLy +SjRykY9+jQYgNbshypHgFgRSjPmE3hlQkdLI0ZZtX9Cx+YLj/SK0ubDAihE+71/R +Zi8QPaFPb2UIB5sMpeCJU//UcqSl7rlvse0AWc2ew9s69zNAjiY3+qGVU/gROzeP +2TErGvkdbfQKc5t3w3KjbLCbXiCyblBnyk5G8qAdyTmMdhTfZtJ0zdJKN5I= +-----END CERTIFICATE----- 
diff --git a/docker/rbac-sasl/certs/schema-registry-client.csr b/docker/rbac-sasl/certs/schema-registry-client.csr new file mode 100644 index 000000000..f134b97da --- /dev/null +++ b/docker/rbac-sasl/certs/schema-registry-client.csr @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIDaTCCAlECAQAwXDELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMSgwJgYDVQQDDB9zY2hlbWEtcmVnaXN0cnkuY29uZmx1 +ZW50LmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4XAZo0YY +SOjDxgK0YyABVppkU02MYXXjDKMavR2ind3S+nWo6REYJtRxg8jW/RoEafWuyhZb +BGiKh9QNoX1xBZCk1IFtsavUxvKnzEQzs1Bj4gxgLvuzY0Oac9/N+7oqPLAcQ3tH +Pc1YAbQLyX3ZfXaokGxQ770QGdRgevkqypo5u1+0AEMzBAhqc7EtwxceFdTOgQLn +DS7xmiK5JBm+Km6QlK9hCzCjRfkjfO89XduknuuoYh56+q8Y0dTfAFazFT/n7hgm +AULFKCs57n0lJhZXdt6xJMcvO88iVMSPkWvKAxtNJKgbgfN08yD/1g79u8jZ9mbU +XaiOpWePnpt7zQIDAQABoIHHMIHEBgkqhkiG9w0BCQ4xgbYwgbMwHQYDVR0OBBYE +FDbXMH7+MSiBdRRnWCSK0j5DEzHLMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8W +HU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMA4GA1UdDwEB/wQEAwIFoDAd +BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwKgYDVR0RBCMwIYIfc2NoZW1h +LXJlZ2lzdHJ5LmNvbmZsdWVudC5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEARxJo +9nA54nryiiHIEKp52Bt8KbQg/JTyGxiXeeafWqpSRzGIC8S+Tm2trE54ZLBMOTds +OREAaYDLriTMxvPtkugWnaS9TB/TegVeT5myecIGWEgRFZRhSpBM7AX/A7aHvVHn +19pSfEPADkjurpyocNltcXQxBeVfpmnxNd+wism28J2IFIDyt7e+/w9M9y40SmrZ +a/9HDB8yzH/iBEvUpZmNv+Wv/J2YrgQH/D3jnxIcebr4TLqF3u/ck5kRq9mnhXdM +96zXP0i7ot0001upD91tEQVO7VQ/qYiL2MMRamEimeXKlUvOdHLCSWIO+CqPOusC +MgT9Ed3B8q8fUwIr5A== +-----END CERTIFICATE REQUEST----- diff --git a/docker/rbac-sasl/certs/schema-registry-client.key b/docker/rbac-sasl/certs/schema-registry-client.key new file mode 100644 index 000000000..a21bf1e8c --- /dev/null +++ b/docker/rbac-sasl/certs/schema-registry-client.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDhcBmjRhhI6MPG +ArRjIAFWmmRTTYxhdeMMoxq9HaKd3dL6dajpERgm1HGDyNb9GgRp9a7KFlsEaIqH +1A2hfXEFkKTUgW2xq9TG8qfMRDOzUGPiDGAu+7NjQ5pz3837uio8sBxDe0c9zVgB +tAvJfdl9dqiQbFDvvRAZ1GB6+SrKmjm7X7QAQzMECGpzsS3DFx4V1M6BAucNLvGa +IrkkGb4qbpCUr2ELMKNF+SN87z1d26Se66hiHnr6rxjR1N8AVrMVP+fuGCYBQsUo +KznufSUmFld23rEkxy87zyJUxI+Ra8oDG00kqBuB83TzIP/WDv27yNn2ZtRdqI6l +Z4+em3vNAgMBAAECggEBAJY0bMCe6Xtaq2Z5Uttg7cNYJ1RhrREazOcUnbI31qu8 +qt/6GUsA+siUb/XQkX4eIaa/7W/0qTwss3CA13wr6mw8zbZRblcdGC5ea3LsVk45 +V/O7LzLevc17s6NVEReSGKZK6OoFb5g8A1FPNzNPSOQRdYqUwPCbVej/2jDVZ6+J +Bp+EvdDvyrIgM201uEKgiurzORjrCrcUeOo21e05WLpa0S6kaa4GmvTSLE9kcgJu +j9o7YubE06Sc0CeYFVPc8qMLdZEYzwz2ZVotABlkS7L3KyWaYZEKWwjvDLEMNwxz +bUZih+d1Z3I9fG+n+6kOSAfyLqK8krTMHjFb75niu7kCgYEA8ae8uI2tWhNdkKNo +bCEA9mcYCvjpG+fYe5DHbKBJVh0CJS8sFgVGmgKWZG6Y84SnJv3HCX8ZXiMy4SUJ +74mvJ07pSWHn5ZdWgseMyeZKVTD4ofuZ3Skhy2lGUk93gDF+thER0XXj4/S65a5r +qW5pvReeLuKsdsy2TiKWzCdmR/sCgYEA7tHrb+rm0zH18VaRce8MEuh+5oTyIPaO +6zRC38YCEE0wUWeRMoy4F5JQdbdjlqr99FIbVthf+1t8nJTEGxgKdVIarPdwMG70 +0SRlNFj75WJSMOXy9GUywyRgg8Ih/gFqtIOGzVyWYJGuzlgcg1eVBKooNtmNJN2y +G8FJmX1omNcCgYEAoQKT+ZtcT1Hr230lDDaJP6O9H0Jtfwxg7yOt3DCH7HpzfXcK +trlZKzBiKBSQkGBoRtB8F1W5/0EQm3ZkQlfIfjZTtXMoYY8OMyDmK3fnOw/f+X18 +LSFExRUlp54PDzjrJkAFUTxtVOsww+wNC9znUvgziyW4p4cKSNE/DFOMEJUCgYEA +7tD8nu5H5OoRB0WKLGTfrgjQ3bQUbOIiCRI5zYw0hBisOLtYdzRA41FtJEo/TGux +iKCStkWptbHG6s3ZTT69NpTkGBNYHRbXukyq564UN04a4ssQKVUJbhryaM+5Lkg8 +bEcahkIQHoGQTMfPu4fZfNCrZi4m9ra7ZQXkk5jVAAECgYB4VZPWo8gKHe+3+aWl +xDV2tXNFWOZVFPdSlyXuvnbvxXSpGslRp8mM+kdcfwQCkps2fTdoY/QMQsdluTNK +k0S+R5GJapLOXGKKOqy0gk6kZ/hwS2WUR+Zd9n+Ff8wahN+pIkr8r2nNScLV8cFu +seefVl6N0XFKv5KSje+R6OYbqA== +-----END PRIVATE KEY----- 
diff --git a/docker/rbac-sasl/certs/schema-registry-client.keystore.jks b/docker/rbac-sasl/certs/schema-registry-client.keystore.jks new file mode 100644 index 000000000..a77a620bc Binary files /dev/null and b/docker/rbac-sasl/certs/schema-registry-client.keystore.jks differ diff --git a/docker/rbac-sasl/certs/schema-registry-client.p12 b/docker/rbac-sasl/certs/schema-registry-client.p12 new file mode 100644 index 000000000..2bbd68998 Binary files /dev/null and b/docker/rbac-sasl/certs/schema-registry-client.p12 differ diff --git a/docker/rbac-sasl/certs/server.crt b/docker/rbac-sasl/certs/server.crt new file mode 100644 index 000000000..a2d5c4fe2 --- /dev/null +++ b/docker/rbac-sasl/certs/server.crt 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID3zCCAsegAwIBAgIJAI15+BMGZeVxMA0GCSqGSIb3DQEBBQUAMFIxCzAJBgNV +BAYTAlVLMRIwEAYDVQQKDAlDb25mbHVlbnQxDzANBgNVBAcMBkxvbmRvbjEeMBwG +A1UEAwwVa2Fma2EuY29uZmx1ZW50LmxvY2FsMB4XDTIxMDQyODE0MDY1NVoXDTMx +MDQyNjE0MDY1NVowUjELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR4wHAYDVQQDDBVrYWZrYS5jb25mbHVlbnQubG9jYWww +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwFOLMKTMmMtjhGiJD9o8p +Ml/yLWXNDyNKzPwROp3KVXp7spwxnXWnuhsZSEszrs8fw09pCfuCoeviiAeTPYzB +AA6bsFNn41D7MrjvMXGdOaEmVUnIc38T+Nb9apndjSvwcbMb/T8aZYasfdHvEWz5 +016KdHY2aIczYbp2FOQXJPqSxzRidrXdI43MPNi5wO5qY4zl3wGLQnWQ4fPwLaZ0 +DE3idfke0FY4OI007CMNq3b25R3rC+2YoBh7gOJ/a+ljHUDm4wipFmZF/QV/wvZg +1Ry1XRVKqs3kwvl7w10C1sBjlo7a/ue8yYscr9B9cEBj/k02HEaN/qR0aEjzSvqR +AgMBAAGjgbcwgbQwHQYDVR0OBBYEFMvVS9wD/8dACTlE+ItXwVzitsHJMAkGA1Ud +EwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmlj +YXRlMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH +AwIwKwYDVR0RBCQwIoIVa2Fma2EuY29uZmx1ZW50LmxvY2Fsgglsb2NhbGhvc3Qw +DQYJKoZIhvcNAQEFBQADggEBAHeYroKcISv7ycrCw0hQbuL4sOp4g3G6F8ApkIhb +kWHgtB45gft8atu+QS+6dWfbY4ryvLYYijCuvLKZXS7W1VDNGvji+0IPAwZFnzT8 +fx7jsPN1dwCojbPyv63XC/cgUri4JcasfRP6Wj0ZAsprijm3MFIzY4HCVw5CGKT1 +q8+8FN/cpeb2ts28mJufHdf+Bdjqe9ydQvoqRJA2UcNkPo1D3sSD+lXIxuIkME21 +FYSgmkFKfYPiKUndaRk7GnnopelJ7qaImqmXcQha7oUiO0IOJ64GH/ZJeBl1tVKq +raY1nJeJZKPrDVmCB3UuxnaSMPV6yrQpfLLuPkj9nfrdcpA= +-----END CERTIFICATE----- diff --git a/docker/rbac-sasl/certs/server.csr b/docker/rbac-sasl/certs/server.csr new file mode 100644 index 000000000..d91c1420d --- /dev/null +++ b/docker/rbac-sasl/certs/server.csr 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIDYDCCAkgCAQAwUjELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR4wHAYDVQQDDBVrYWZrYS5jb25mbHVlbnQubG9jYWww +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwFOLMKTMmMtjhGiJD9o8p +Ml/yLWXNDyNKzPwROp3KVXp7spwxnXWnuhsZSEszrs8fw09pCfuCoeviiAeTPYzB +AA6bsFNn41D7MrjvMXGdOaEmVUnIc38T+Nb9apndjSvwcbMb/T8aZYasfdHvEWz5 +016KdHY2aIczYbp2FOQXJPqSxzRidrXdI43MPNi5wO5qY4zl3wGLQnWQ4fPwLaZ0 +DE3idfke0FY4OI007CMNq3b25R3rC+2YoBh7gOJ/a+ljHUDm4wipFmZF/QV/wvZg +1Ry1XRVKqs3kwvl7w10C1sBjlo7a/ue8yYscr9B9cEBj/k02HEaN/qR0aEjzSvqR +AgMBAAGggcgwgcUGCSqGSIb3DQEJDjGBtzCBtDAdBgNVHQ4EFgQUy9VL3AP/x0AJ +OUT4i1fBXOK2wckwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH +ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG +CCsGAQUFBwMBBggrBgEFBQcDAjArBgNVHREEJDAighVrYWZrYS5jb25mbHVlbnQu +bG9jYWyCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAdFRHxhp/9BCFT/L3 +K9HMhFYTufIRYHrJQ6xTKbjZuF58lRlSszrfz+e51WomILAxExGcNxOCWWH5vtzH +QHVo47I9y83Y2O9cqZVrFxwRuQToReHQwvAp8WlL4WIlNjDbwavqcuKqtu4+GAUo +pg0z5wCqLQFkAmL8DJniciv9BV1DciWscR243qvCc+2MTVUN5aaXUdPxOvc4tsho +uzE47ebPGCgHHUIFHS24wcahwGvoGqu5qbVP+6EzH7pApbMWyS6ylptSBeYpAEdY +wckvu0jK92nvwlAmPqjHpKp39blWBD6DohOEZgIcAkSFbTWN/XyvpEAJNeLDWae3 +vpMTaQ== +-----END CERTIFICATE REQUEST----- diff --git a/docker/rbac-sasl/certs/server.key b/docker/rbac-sasl/certs/server.key new file mode 100644 index 000000000..967f0d771 --- /dev/null +++ b/docker/rbac-sasl/certs/server.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCwFOLMKTMmMtjh +GiJD9o8pMl/yLWXNDyNKzPwROp3KVXp7spwxnXWnuhsZSEszrs8fw09pCfuCoevi +iAeTPYzBAA6bsFNn41D7MrjvMXGdOaEmVUnIc38T+Nb9apndjSvwcbMb/T8aZYas +fdHvEWz5016KdHY2aIczYbp2FOQXJPqSxzRidrXdI43MPNi5wO5qY4zl3wGLQnWQ +4fPwLaZ0DE3idfke0FY4OI007CMNq3b25R3rC+2YoBh7gOJ/a+ljHUDm4wipFmZF +/QV/wvZg1Ry1XRVKqs3kwvl7w10C1sBjlo7a/ue8yYscr9B9cEBj/k02HEaN/qR0 +aEjzSvqRAgMBAAECggEAH5if2eLKuuAE6t+1plxn9AyGCv76dYFx48pEsRLDnbsY +73ltbbnDkwViN3cxh2Sm5hw187NG3noPyeZ+9Xzl9Pv9oxJQ5SN1NJ41cTZ+HKhq +smY7hyyycPMGIRMv6QGcENlWOn+HA0WUlP8+3JdT5sB3BoE/dSPsntu6idXV2BEO +XcT2/+xXefroMTWUzteaWOSksACKAQeQfUf/n9vlO41gaS50PFurbN6om7MgvDdR +odyy8mfLZlkIfDn37bQevF4HHoxXFMfEM03OwCNyytaH01PjyBFk0fTdTfqtNXhN ++SjKtP/12cL0vk/bPwFaMSm4VzBPNKomv+iViJlMwQKBgQDei8y7J52EApcYFu8+ +xdsNE/pT+RDIFSbyyGjjBEY9cSMQ+ewFqBZNWGzPvCgFmBFxmOKNjmYKXx4nz+s+ +Hs5Sx5q4ogzFQJWlPIutEUew+uI00u7o/KqBBUFcVcxpbWX84MMfP9bf0P66ho8f +ld1yLuSyIQdqCBBloZuG1PQ8YwKBgQDKjQBKc4xoZioxLYPOGfDTZQ/DGUYrfsfi +zufkhDVRg2BxtQPped0LIFwqQ5GwdLrO1SoqVGc90qmr8Ne6gGWW8fVlKkp5BZxs +KL74safKIziB92vtsuUzX9Fj9x5qAJi+QTLJKsWTB3boPkGSR24Iqr1yqOufdmbb +VtHdQpZdewKBgG1p9D0rq/DEST7pv7RwGFNkuBVjBdIpPB3vVEoQxuvcXO4ywczC +KDzctZqomlCtxB3CmdgY46hDvZK7UaAYCz59rl8KJRcxuqEjlFSBg2rK3j40Woun +9bg7OjhIYpiO1a6vXp9VhrJBkYtpLqLLzrUdwwik3n1N+6nL+6gduPqbAoGAfO0s +Yb8UuYtRuJUu9x5Ox8NMTnO3MLp4RG6C3hGg5Q6XnGod6JGuAN/LmJGmOOQ2F72n +zQXTy3C0D4VzOOdaQRgo12WXGz+Xs6oJ50+DgovonVhiK/Arp10Qw4w2KQEHNEj4 +LtT/mOiAsUs8nCEMP7I3OJHxCaA4Xk4VEFeycCMCgYA+9EL5w1gqe9VNY9lM8SC/ +v73Hh4j5J45lzbrcDg23TJ7jJHNNOYcmoHYqsFMuIZkJ5mGwfQV+zya7la34WRWK +zBtdJ2H9aLVV+HtcxfF8b9XTEl0PF2e7/oOC4imJQn4OLyhfQkKLdhKCj003psCa +hcFopBut8iNGfmyLsNbBJg== +-----END PRIVATE KEY----- diff --git a/docker/rbac-sasl/certs/server.keystore.jks b/docker/rbac-sasl/certs/server.keystore.jks new file mode 100644 index 000000000..181bce7d0 Binary files /dev/null and b/docker/rbac-sasl/certs/server.keystore.jks differ 
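Review bot: This hunk commits an unencrypted private key (docker/rbac-sasl/certs/server.key) to the repository, and the same change also adds the unencrypted token-signing key docker/rbac-tls/conf/keypair.pem (the hunk after the keypair.pem file header) and a plaintext store password in docker/rbac-tls/certs/old/credentials.txt. Once pushed, these are compromised for every environment the demo is ever deployed to; keypair.pem in particular is what create-config.sh generates to sign MDS tokens, so anyone with the repository can forge tokens the brokers accept. Generate the material at setup time (create-config.sh already does this for conf/), add `certs/*.key`, `conf/keypair.pem` and `credentials.txt` to .gitignore, and rotate anything that has already been pushed. If the snakeoil material is kept on purpose for a throwaway demo, say so in the README so nobody reuses it elsewhere.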
diff --git a/docker/rbac-sasl/certs/server.p12 b/docker/rbac-sasl/certs/server.p12 new file mode 100644 index 000000000..8f6534622 Binary files /dev/null and b/docker/rbac-sasl/certs/server.p12 differ diff --git a/docker/rbac-sasl/certs/truststore.jks b/docker/rbac-sasl/certs/truststore.jks new file mode 100644 index 000000000..37f593dda Binary files /dev/null and b/docker/rbac-sasl/certs/truststore.jks differ diff --git a/docker/rbac-tls/.env b/docker/rbac-tls/.env new file mode 100644 index 000000000..a13497d8a --- /dev/null +++ b/docker/rbac-tls/.env @@ -0,0 +1 @@ +TAG=5.5.0 diff --git a/docker/rbac-tls/README.md b/docker/rbac-tls/README.md new file mode 100644 index 000000000..9e8b5ed53 --- /dev/null +++ b/docker/rbac-tls/README.md 
@@ -0,0 +1,72 @@ +# Confluent RBAC + +## Predefined Roles + +https://docs.confluent.io/current/security/rbac/rbac-predefined-roles.html#rbac-predefined-roles + +*Description*: + +* _super.user_: The purpose of super.user is to have a bootstrap user who can initially grant another user the SystemAdmin role. +* _SystemAdmin_: Provides full access to all scoped resources in the cluster (KSQL cluster, Kafka cluster, or Schema Registry cluster). +* _ClusterAdmin_: Sets up clusters (KSQL cluster, Kafka cluster, or Schema Registry cluster). +* _UserAdmin_: Manages role bindings for users and groups in all clusters managed by MDS. +* _SecurityAdmin_: Enables management of platform-wide security initiatives. +* _Operator_: Provides operational management of clusters and scale applications as needed. +* _ResourceOwner_: Transfers the ownership of critical resources and to scale the ability to manage authorizations for those resources. +* _DeveloperRead, DeveloperWrite, DeveloperManage_: Allows developers to drive the implementation of applications they are working on and manage the content within, especially in development, test, and staging environments. + + +*Examples*: + +| Predefined Role | Plan | +|---|---| +| super.user | Sam is granted full access to all project resources and operations. He will create the initial set of roles for the project. | +| ResourceOwner | Ryan will own all topics with the prefix finance_. He can grant others permission to access and use this resource. In this use case, he is the ResourceOwner for the finance topics. | +| UserAdmin | Uri will manage the users and groups for the project. | +| Operator | Olivia will be responsible for the operational and health management of the platform and applications. | +| ClusterAdmin | Cindy is a member of the Kafka cluster central team. | +| DeveloperRead, DeveloperWrite, DeveloperManage | David will be responsible for developing and managing the application. 
| + +## Interesting commands + +confluent iam role describe ResourceOwner + +confluent iam role list + +confluent iam rolebinding [command] + +Available Commands: + create Create a role binding. + delete Delete an existing role binding. + list List role bindings. + + +*Get Kafka cluster ID* + docker-compose exec broker zookeeper-shell zookeeper:2181 get /cluster/id + + +### using CLI tools + +docker-compose exec broker kafka-topics --bootstrap-server broker:9092 --list --command-config /etc/client-configs/professor.properties + +```bash +docker-compose exec broker kafka-topics --bootstrap-server broker:9092 --create --topic foo --partitions 1 --replication-factor 1 --command-config /etc/client-configs/fry.properties + +Error while executing topic command : org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [Authorization failed.] +[2019-08-20 14:29:21,562] ERROR java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [Authorization failed.] 
+ at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45) + at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32) + at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89) + at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260) + at kafka.admin.TopicCommand$AdminClientTopicService.createTopic(TopicCommand.scala:190) + at kafka.admin.TopicCommand$TopicService.createTopic(TopicCommand.scala:149) + at kafka.admin.TopicCommand$TopicService.createTopic$(TopicCommand.scala:144) + at kafka.admin.TopicCommand$AdminClientTopicService.createTopic(TopicCommand.scala:172) + at kafka.admin.TopicCommand$.main(TopicCommand.scala:60) + at kafka.admin.TopicCommand.main(TopicCommand.scala) +Caused by: org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [Authorization failed.] + (kafka.admin.TopicCommand$) + ``` + +docker-compose exec broker kafka-console-producer --broker-list broker:9092 --topic source-topic --producer.config /etc/client-configs/professor.properties +docker-compose exec broker kafka-console-consumer --bootstrap-server broker:9092 --topic target-topic --from-beginning --property print.key=true --consumer.config /etc/client-configs/professor.properties diff --git a/docker/rbac-tls/certs/client.keystore.jks b/docker/rbac-tls/certs/client.keystore.jks new file mode 100644 index 000000000..09c8d63a8 Binary files /dev/null and b/docker/rbac-tls/certs/client.keystore.jks differ diff --git a/docker/rbac-tls/certs/client.truststore.jks b/docker/rbac-tls/certs/client.truststore.jks new file mode 100644 index 000000000..d14e83816 Binary files /dev/null and b/docker/rbac-tls/certs/client.truststore.jks differ 
diff --git a/docker/rbac-tls/certs/connect.keystore.jks b/docker/rbac-tls/certs/connect.keystore.jks new file mode 100644 index 000000000..43c3b32eb Binary files /dev/null and b/docker/rbac-tls/certs/connect.keystore.jks differ diff --git a/docker/rbac-tls/certs/connect.truststore.jks b/docker/rbac-tls/certs/connect.truststore.jks new file mode 100644 index 000000000..7d2d1a2c1 Binary files /dev/null and b/docker/rbac-tls/certs/connect.truststore.jks differ diff --git a/docker/rbac-tls/certs/connector.keystore.jks b/docker/rbac-tls/certs/connector.keystore.jks new file mode 100644 index 000000000..d99f99e37 Binary files /dev/null and b/docker/rbac-tls/certs/connector.keystore.jks differ diff --git a/docker/rbac-tls/certs/connector.truststore.jks b/docker/rbac-tls/certs/connector.truststore.jks new file mode 100644 index 000000000..bd2096ffb Binary files /dev/null and b/docker/rbac-tls/certs/connector.truststore.jks differ diff --git a/docker/rbac-tls/certs/controlcenter.keystore.jks b/docker/rbac-tls/certs/controlcenter.keystore.jks new file mode 100644 index 000000000..c32b4a925 Binary files /dev/null and b/docker/rbac-tls/certs/controlcenter.keystore.jks differ diff --git a/docker/rbac-tls/certs/controlcenter.truststore.jks b/docker/rbac-tls/certs/controlcenter.truststore.jks new file mode 100644 index 000000000..71d41c490 Binary files /dev/null and b/docker/rbac-tls/certs/controlcenter.truststore.jks differ diff --git a/docker/rbac-tls/certs/kafka.keystore.jks b/docker/rbac-tls/certs/kafka.keystore.jks new file mode 100644 index 000000000..6e70b0c3b Binary files /dev/null and b/docker/rbac-tls/certs/kafka.keystore.jks differ diff --git a/docker/rbac-tls/certs/kafka.truststore.jks b/docker/rbac-tls/certs/kafka.truststore.jks new file mode 100644 index 000000000..89bb13651 Binary files /dev/null and b/docker/rbac-tls/certs/kafka.truststore.jks differ 
diff --git a/docker/rbac-tls/certs/mds.keystore.jks b/docker/rbac-tls/certs/mds.keystore.jks new file mode 100644 index 000000000..8ae31fb6a Binary files /dev/null and b/docker/rbac-tls/certs/mds.keystore.jks differ diff --git a/docker/rbac-tls/certs/mds.truststore.jks b/docker/rbac-tls/certs/mds.truststore.jks new file mode 100644 index 000000000..98a4c9e36 Binary files /dev/null and b/docker/rbac-tls/certs/mds.truststore.jks differ diff --git a/docker/rbac-tls/certs/old/client.keystore.jks b/docker/rbac-tls/certs/old/client.keystore.jks new file mode 100644 index 000000000..e7d398c6e Binary files /dev/null and b/docker/rbac-tls/certs/old/client.keystore.jks differ diff --git a/docker/rbac-tls/certs/old/client.truststore.jks b/docker/rbac-tls/certs/old/client.truststore.jks new file mode 100644 index 000000000..a2caa106e Binary files /dev/null and b/docker/rbac-tls/certs/old/client.truststore.jks differ diff --git a/docker/rbac-tls/certs/old/connect.keystore.jks b/docker/rbac-tls/certs/old/connect.keystore.jks new file mode 100644 index 000000000..2f0848a74 Binary files /dev/null and b/docker/rbac-tls/certs/old/connect.keystore.jks differ diff --git a/docker/rbac-tls/certs/old/connect.truststore.jks b/docker/rbac-tls/certs/old/connect.truststore.jks new file mode 100644 index 000000000..14d59a994 Binary files /dev/null and b/docker/rbac-tls/certs/old/connect.truststore.jks differ diff --git a/docker/rbac-tls/certs/old/connector.keystore.jks b/docker/rbac-tls/certs/old/connector.keystore.jks new file mode 100644 index 000000000..a8922e140 Binary files /dev/null and b/docker/rbac-tls/certs/old/connector.keystore.jks differ diff --git a/docker/rbac-tls/certs/old/connector.truststore.jks b/docker/rbac-tls/certs/old/connector.truststore.jks new file mode 100644 index 000000000..2fd6d7068 Binary files /dev/null and b/docker/rbac-tls/certs/old/connector.truststore.jks differ 
diff --git a/docker/rbac-tls/certs/old/controlcenter.keystore.jks b/docker/rbac-tls/certs/old/controlcenter.keystore.jks new file mode 100644 index 000000000..b0ccb8312 Binary files /dev/null and b/docker/rbac-tls/certs/old/controlcenter.keystore.jks differ diff --git a/docker/rbac-tls/certs/old/controlcenter.truststore.jks b/docker/rbac-tls/certs/old/controlcenter.truststore.jks new file mode 100644 index 000000000..93e7b7434 Binary files /dev/null and b/docker/rbac-tls/certs/old/controlcenter.truststore.jks differ diff --git a/docker/rbac-tls/certs/old/credentials.txt b/docker/rbac-tls/certs/old/credentials.txt new file mode 100644 index 000000000..232122736 --- /dev/null +++ b/docker/rbac-tls/certs/old/credentials.txt @@ -0,0 +1 @@ +confluent diff --git a/docker/rbac-tls/certs/old/kafka.keystore.jks b/docker/rbac-tls/certs/old/kafka.keystore.jks new file mode 100644 index 000000000..1ffe44454 Binary files /dev/null and b/docker/rbac-tls/certs/old/kafka.keystore.jks differ diff --git a/docker/rbac-tls/certs/old/kafka.truststore.jks b/docker/rbac-tls/certs/old/kafka.truststore.jks new file mode 100644 index 000000000..c515c79a1 Binary files /dev/null and b/docker/rbac-tls/certs/old/kafka.truststore.jks differ diff --git a/docker/rbac-tls/certs/old/mds.keystore.jks b/docker/rbac-tls/certs/old/mds.keystore.jks new file mode 100644 index 000000000..b0ed1965b Binary files /dev/null and b/docker/rbac-tls/certs/old/mds.keystore.jks differ diff --git a/docker/rbac-tls/certs/old/mds.truststore.jks b/docker/rbac-tls/certs/old/mds.truststore.jks new file mode 100644 index 000000000..8afa7402d Binary files /dev/null and b/docker/rbac-tls/certs/old/mds.truststore.jks differ diff --git a/docker/rbac-tls/certs/old/schemaregistry.keystore.jks b/docker/rbac-tls/certs/old/schemaregistry.keystore.jks new file mode 100644 index 000000000..0dee67c0f Binary files /dev/null and b/docker/rbac-tls/certs/old/schemaregistry.keystore.jks differ 
diff --git a/docker/rbac-tls/certs/old/schemaregistry.truststore.jks b/docker/rbac-tls/certs/old/schemaregistry.truststore.jks new file mode 100644 index 000000000..2572f0723 Binary files /dev/null and b/docker/rbac-tls/certs/old/schemaregistry.truststore.jks differ diff --git a/docker/rbac-tls/certs/old/thusnelda.keystore.jks b/docker/rbac-tls/certs/old/thusnelda.keystore.jks new file mode 100644 index 000000000..e6943ead2 Binary files /dev/null and b/docker/rbac-tls/certs/old/thusnelda.keystore.jks differ diff --git a/docker/rbac-tls/certs/old/thusnelda.truststore.jks b/docker/rbac-tls/certs/old/thusnelda.truststore.jks new file mode 100644 index 000000000..d2ff00a17 Binary files /dev/null and b/docker/rbac-tls/certs/old/thusnelda.truststore.jks differ diff --git a/docker/rbac-tls/certs/schemaregistry.keystore.jks b/docker/rbac-tls/certs/schemaregistry.keystore.jks new file mode 100644 index 000000000..25ffccc2a Binary files /dev/null and b/docker/rbac-tls/certs/schemaregistry.keystore.jks differ diff --git a/docker/rbac-tls/certs/schemaregistry.truststore.jks b/docker/rbac-tls/certs/schemaregistry.truststore.jks new file mode 100644 index 000000000..c47cf3bc1 Binary files /dev/null and b/docker/rbac-tls/certs/schemaregistry.truststore.jks differ diff --git a/docker/rbac-tls/certs/snakeoil-ca-1.crt b/docker/rbac-tls/certs/snakeoil-ca-1.crt new file mode 100644 index 000000000..0be5b2061 --- /dev/null +++ b/docker/rbac-tls/certs/snakeoil-ca-1.crt 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZDCCAkwCCQCaHu0SFAy7tzANBgkqhkiG9w0BAQsFADB0MSIwIAYDVQQDDBlj +YTEudGVzdC5jb25mbHVlbnRkZW1vLmlvMQ0wCwYDVQQLDARURVNUMRIwEAYDVQQK +DAlDT05GTFVFTlQxETAPBgNVBAcMCFBhbG9BbHRvMQswCQYDVQQIDAJDYTELMAkG +A1UEBhMCVVMwHhcNMjEwNDI2MTU1NjMxWhcNMjIwNDI2MTU1NjMxWjB0MSIwIAYD +VQQDDBljYTEudGVzdC5jb25mbHVlbnRkZW1vLmlvMQ0wCwYDVQQLDARURVNUMRIw +EAYDVQQKDAlDT05GTFVFTlQxETAPBgNVBAcMCFBhbG9BbHRvMQswCQYDVQQIDAJD +YTELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCt +DR+RvNt1VpNlygxjAYkRzkiPwKEPpsSNqa7nb1bUblQRN74dAmdMVGSvMH5Ny9L/ +PuocqqAJeXzu+Eqqd3njXx97YCOKhEN5HQ0Dnjakw9BYWpd93jbV3PJ7tnnXm8jQ +tfPM8VyF+hdbpjowzYNzvZKsaCS20jbahmlOAtGw4v5/kmjsBduPoZ4tAH2OcRqe +DHyDTz6wiM+o7P80Qi/oOku/3wIfvxs6SmyfdeYAVuRhLqa9pK5IWp0VeM7U/XMW +KCIO1dvx62mVGL8DJ6oW1TxcVSArVS+mRcS7N8UjymMQ7erlhzHhanSCZmMa0H8E +1sWimEvBa7yZ+hvSN0afAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKJLj/9OaSVy +ky+g27stB/IxzWjQS/CQ05UA8ysn7Q11KR6bK9PLTouDrPiT0Sb0geeCy+h6IvD/ +olSK45upwhfPHTCPP38dZGQ0wbIfv8TzcNmykTAtHUYBfDNYr+4nVSbSZKp5+zO5 +62qxR1aMNvhtRgVkB4oJxerrs9Nd4kgbLyaIEwabmvpN79wlHH6HZTtJYdN8FT5s +SjC9PwRm/z5H4ceArXnXgJeRPgU2Z4Qa+60yDhKGCIoYaNjNDhdo63isLPI6OVTe +2xJhWXsg/OOsw7bVliRvX9zTaqBR2UvbP2oROG5c1+l9m6mXYp4Iysj2kcURU0aV +/ngcGoq5Qhk= +-----END CERTIFICATE----- diff --git a/docker/rbac-tls/certs/snakeoil-ca-1.key b/docker/rbac-tls/certs/snakeoil-ca-1.key new file mode 100644 index 000000000..389febd2e --- /dev/null +++ b/docker/rbac-tls/certs/snakeoil-ca-1.key 
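Review bot: The validity window encoded in this certificate appears to be 2021-04-26 to 2022-04-26 (confirm with `openssl x509 -in certs/snakeoil-ca-1.crt -noout -dates`), so `confluent login --ca-cert-path certs/snakeoil-ca-1.crt` in create-roles.sh and every listener that trusts this CA will start failing after that date. A checked-in demo CA with a one-year lifetime is a time bomb; either generate it at setup time alongside conf/ (create-config.sh is the natural place) or document the regeneration step next to the checked-in file.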
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIjGgAKGaHAQICAggA +MB0GCWCGSAFlAwQBKgQQzRqDXYmCf6FisE1Jf1blWwSCBNATRJo0wkqC8CfjwYAt +uKh+upZvycOFTu1OsSZV7840FRUUkJxvUN27xZetx4zx4khhfV/U/1sHMiPB5l8C +39axKwLUns9zG2MnSAi+bKhVMK59yCd+xw5HanyviDAT3Xj0bbhhA+hx2GRF9pm0 +le83qp2+flIAGSiOoCEJH8Rp1KqIVUzDo22oR2L9xw3GL6fEBlLZCRmj5DW8ZSs5 +yDf3PSZaRrlElvLt2PZmLVeSlvdmBPqO1rNSM16eFAeThwfqy/lWFdepzJLyhKfF +pLqZB4jxaLmD53ef/woz20ldgY3ZA9bMfzRxkeECabZUeTQ0974VxxHZOgCAKikg +VhoAIHrCvzzgFFMH+nxVGh0WRLV4M2WCg2au1SObAyOQ4ynu4e/rRaHx1snplHEU +TcdAX7re2+3zkZVb05D4LW4FAXim8xQ9K2sVnMsmwmTBf7pI8xcLtvsGTrBRVGW7 +Y8Zecwh6B46CjO1vmnMC/8z4xxkC7Joyi845Gcahou/XgpzpVNuAhV4ZJxzd+1aR +dJRes/AltTCtYy8GhbJX+MFjyYjWWhz94EN1Vvk2VyYwdy24KWR1oZpYQ5cayX4M +2wXqfQkLeYkv8JMfhD87yaKa1CyI8ai6p8Hx5xAa0EXv6gnQLwkwayaZjZh6DQv1 +aKuiBUgARjchUBm/yaKEFp2Fr6PoSIWCJc0/9KatqchgiH41uOM7dzTreGXzieEJ +FpbYCyXvrQMVR3IzsN2eqhjqC+X6xueXIG35gbEdLd1OPplUwkNq2NnG+fIO8L3Q +stKnRSqMEdcKq6PfWXDMjuLk9+aRlofA0M1/gD/zJ5QK8vW7DGv+gyIE8ZJDq99z +M2LIR/vkP2x5uSQvQcrwwv2qjfyaePg4UL6UJ1xLWu3ZFiYnJtmOivrk+KSdnCdA +Ar5G7ErUeM5IkOv5DbFaBlPm9SvhIxdLg/rwtyJoVmTlfXNjorlXVqkXxhHiU+3W +xIOF2R4/++A4rKwX5IxBgLr3XfMrAUXmDgdJfxN4gZuACd+tTIB5bRXcDkV1Qc7J +ydo4UtkivmylYzylbxuqS3pPi1GOYu4NaRVgGH/VLc1IeEr9eiqwTglGhUNlTvPs +RXYVzetJ2i4srRbUkqWOA+10vfB5NSrET9YBSDTngmoozqeV9GiS+3PlLgJZc5oq +mJn/5HsC7Boc9z3+Yklyi2FlMbruKdL+tkVQoQKCNCtQ8lQnb3tD3Up4C8ztiVyy +Sa5U1DP3xT1DBNyY+eYS6cN/7KWg1C7dLREdnMdTdWno0apzOCHkD8wUWqHumaai +OJpROA8XCw8BzuoSozrh67b9danJLTpajwzAu+gfnZ72wpMcXsSHUKOr0gkcLbHi +Rwsvg8QRJ7+PAcIpElVWelRQ6ky6pJ3yN5M3GTeP7sueCr4fFmAv6XVxM3yncUMA +h7q98YkUHmfZl2WRf86FUp2KKo1+H6o7hcy6zr3ZOIIDzIoKkrM4kRqDwOqmRh8D +KMBoe4/f3n7CZi0qv5YEIj1umWyLiI1M+lc/l7XxRvu3h9FVfFl5o7F3prA2uMjm +CtwuF6X1B5waELnLyZX03o7HbN0R48ioWJuXK8C7qA+L4yeDa6vfgLNuSXiHWaK0 +on8dEUb6LdlWc1uZ451+dgRFXQ== +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/docker/rbac-tls/certs/thusnelda.keystore.jks b/docker/rbac-tls/certs/thusnelda.keystore.jks
new file mode 100644
index 000000000..96bf4ae81
Binary files /dev/null and b/docker/rbac-tls/certs/thusnelda.keystore.jks differ
diff --git a/docker/rbac-tls/certs/thusnelda.truststore.jks b/docker/rbac-tls/certs/thusnelda.truststore.jks
new file mode 100644
index 000000000..c3a4e5f7b
Binary files /dev/null and b/docker/rbac-tls/certs/thusnelda.truststore.jks differ
diff --git a/docker/rbac-tls/certs/zookeeper.keystore.jks b/docker/rbac-tls/certs/zookeeper.keystore.jks
new file mode 100644
index 000000000..39a7d0262
Binary files /dev/null and b/docker/rbac-tls/certs/zookeeper.keystore.jks differ
diff --git a/docker/rbac-tls/certs/zookeeper.truststore.jks b/docker/rbac-tls/certs/zookeeper.truststore.jks
new file mode 100644
index 000000000..2138bb9f4
Binary files /dev/null and b/docker/rbac-tls/certs/zookeeper.truststore.jks differ
diff --git a/docker/rbac-tls/client-configs/fry.properties b/docker/rbac-tls/client-configs/fry.properties
new file mode 100644
index 000000000..d8fafc996
--- /dev/null
+++ b/docker/rbac-tls/client-configs/fry.properties
@@ -0,0 +1,7 @@
+sasl.mechanism=OAUTHBEARER
+security.protocol=SASL_PLAINTEXT
+sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
+sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+username="fry" \
+password="fry" \
+metadataServerUrls="http://localhost:8090";
diff --git a/docker/rbac-tls/client-configs/professor.properties b/docker/rbac-tls/client-configs/professor.properties
new file mode 100644
index 000000000..fa713e0a3
--- /dev/null
+++ b/docker/rbac-tls/client-configs/professor.properties
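Review bot: `security.protocol=SASL_PLAINTEXT` and `metadataServerUrls="http://localhost:8090"` do not match the rest of this change: every listener in docker-compose.yml's KAFKA_LISTENER_SECURITY_PROTOCOL_MAP is SSL or SASL_SSL, and create-roles.sh logs into MDS over https with `--ca-cert-path certs/snakeoil-ca-1.crt`. As written the client cannot complete a handshake with any broker port, and if a plaintext listener were ever added the OAuth password and the bearer token would cross the wire unencrypted. The same settings appear in professor.properties and zoidberg.properties in the following hunks. For the TOKEN listener this should be `security.protocol=SASL_SSL`, `ssl.truststore.location`/`ssl.truststore.password` for the mounted client truststore (plus a client keystore, since the broker sets `KAFKA_SSL_CLIENT_AUTH: required`), and `metadataServerUrls="https://localhost:8090"`.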
@@ -0,0 +1,7 @@
+sasl.mechanism=OAUTHBEARER
+security.protocol=SASL_PLAINTEXT
+sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
+sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+username="professor" \
+password="professor" \
+metadataServerUrls="http://localhost:8090";
diff --git a/docker/rbac-tls/client-configs/zoidberg.properties b/docker/rbac-tls/client-configs/zoidberg.properties
new file mode 100644
index 000000000..d8fafc996
--- /dev/null
+++ b/docker/rbac-tls/client-configs/zoidberg.properties
@@ -0,0 +1,7 @@
+sasl.mechanism=OAUTHBEARER
+security.protocol=SASL_PLAINTEXT
+sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
+sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+username="fry" \
+password="fry" \
+metadataServerUrls="http://localhost:8090";
diff --git a/docker/rbac-tls/conf/keypair.pem b/docker/rbac-tls/conf/keypair.pem
new file mode 100644
index 000000000..5d253c97e
--- /dev/null
+++ b/docker/rbac-tls/conf/keypair.pem
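Review bot: zoidberg.properties is byte-identical to fry.properties — it carries `username="fry"` / `password="fry"` and even the same blob id d8fafc996 in its index line — so anything run with `--command-config .../zoidberg.properties` authenticates as fry, and the User:zoidberg bindings that create-roles.sh and create-roles-streams-app.sh set up are never exercised. Presumably the intent was `username="zoidberg"` and `password="zoidberg"`, following the user-equals-password pattern of the other two files; confirm against the LDAP fixture. Beyond the copy/paste, a password embedded in a file under client-configs/ is mounted into the broker container for every user of the demo; an env substitution or a per-user file outside the repository would keep the credential out of git.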
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAz7zQtWs1mm67HaHkDdGg9VnY6/x7cziCYPIOjsa5QMVf1AQA +8ktJWxHzdN8cxZ0+4ebmhXa0kSPNkmq6OJUubdjniF29KyR7e3eiXLwnKI0HHEL3 +4j/FZ8VhButbSikOeO+HoX2uM42yoOdG59rp2TXPE0dlfTrDnIgchDpeWzR3/V09 +n0Q0l/MP6bx8ADwe1HHztShK3gLPneO9jGHPCgVuXDekn2ewvDaiOWOBXbnQ8637 +aDeTWbFnhzNGJVHmJ22cGb9jzpH2htYCqjtnl+nkyj7iZ/iBmYmzzvNM5PVGka3o +2J5WnHFV2QcBlV9sVvLz7XivEPaoAI0L5RR3nQIDAQABAoIBAFhwnTYvT2HQ9I54 +BrwvW+Q4fRZypif2jeMyCiqUxfeiT9rWXYTJspA4AzrlZb1n5YaNI+T8FYGZCYLl +NySxtlODvYabydZdMMjutMvgOpeT+sv4YsoKtkMoj9c/Sd03v3aTG14QQKKoF71S +2SgKVfZoZyFhCv8WjoLMm79bjiIrXp7RkYEr5xL/7197w/QkgfzIimlvKMWxwMEM +T6DqsRixccM1MRO9sc2Bh769KtFOQwr//OUmYtpi/wo7pZM85e1zF3pum83EBHHF +NpV9Aa6waaRQ6nQZMzTIVtC6zFKqkscKG1lBCaQOMLDsvhAsr7DbkRFLhe6OnUg0 +XGUoEa0CgYEA9FBnx/Qzr0MhBkAIbxfnRjb4RjpGXQDyIjz+nYs+nDLRITFYHtDr +unHCTA0lV+EzaL9P78oP85bP5r4LwLZzT3w/r44fu9dCYUCj+WbUVIZVUttilmH2 +p3O2WrdNC2tbpZpAAI98EacJkm4AwXOp0oV/S3vskdtI9b+Bz1uBOKsCgYEA2ayI +98twv8ULH38LzIjUqChgE6gHaIni4RVH4bht8xsBOkBOmvvZV+Ch9oue8CCWep3y +flXVHqhf8/906E6h38PcWzQxAk/RQ8yr+P+LvyBs1CwJS3RX54s52VW7qUeyVXK8 +upIvHaHnCUcZYZE1vDFp84IHqEwban7oMx5poNcCgYA0im4nND9BO8CIZZDqw0s7 +cGroP3QOYDuyXUesfduTH+KVrtTym592UyyjylfzlDzIFAyO1vejPRWs28YPRa16 +tI/Fo1zzupFN9ObOpeyX2OPUk9WZ3at7y4i17aGmCQqGjKui8ziNW0zVrs5+y+8D +lS4Q/6+alnwUTYEPJPCfTQKBgQCZJ+y3bU1HoTzSTHHg1+XI65+uNOwBggNAm9iX +2UyDYNzcP6MPKWUjj8plzpdmHYfDfp7AhWQOzim1ZGi9i5YZ+5VwFqjlF4QGUFww +Np39PLNWFiX0EUhIgo2RfeEsmmW/+ZsRKwo7r08AGCajn6hPYfVKgJMit2oS5Hg8 +f4mSwQKBgQC49TSNWFOe8CqNuOz1Kw7eMcihJ0JLPiZfQVaEarcg5/UJlV6H8WcI +H2aSI999oepRJjuCvS/5Y+drJZSDfZICN2igg8qHMjxPkOnYnsW0zUMVR77encXS +IfwEWvRo3QT/mfsqLPRIq/a1f5K2R7daysG15ngLYqUTuxyQCvo2FA== +-----END RSA PRIVATE KEY----- diff --git a/docker/rbac-tls/conf/public.pem b/docker/rbac-tls/conf/public.pem new file mode 100644 index 000000000..9632bf0ee --- /dev/null +++ b/docker/rbac-tls/conf/public.pem 
@@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz7zQtWs1mm67HaHkDdGg +9VnY6/x7cziCYPIOjsa5QMVf1AQA8ktJWxHzdN8cxZ0+4ebmhXa0kSPNkmq6OJUu +bdjniF29KyR7e3eiXLwnKI0HHEL34j/FZ8VhButbSikOeO+HoX2uM42yoOdG59rp +2TXPE0dlfTrDnIgchDpeWzR3/V09n0Q0l/MP6bx8ADwe1HHztShK3gLPneO9jGHP +CgVuXDekn2ewvDaiOWOBXbnQ8637aDeTWbFnhzNGJVHmJ22cGb9jzpH2htYCqjtn +l+nkyj7iZ/iBmYmzzvNM5PVGka3o2J5WnHFV2QcBlV9sVvLz7XivEPaoAI0L5RR3 +nQIDAQAB +-----END PUBLIC KEY----- diff --git a/docker/rbac-tls/create-basic-roles.sh b/docker/rbac-tls/create-basic-roles.sh new file mode 100755 index 000000000..8d1f2ddfc --- /dev/null +++ b/docker/rbac-tls/create-basic-roles.sh 
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+################################## GET KAFKA CLUSTER ID ########################
+ZK_CONTAINER=zookeeper
+ZK_PORT=2181
+echo "Retrieving Kafka cluster id from docker-container '$ZK_CONTAINER' port '$ZK_PORT'"
+KAFKA_CLUSTER_ID=$(docker exec -it $ZK_CONTAINER zookeeper-shell localhost:$ZK_PORT get /cluster/id 2> /dev/null | grep \"version\" | jq -r .id)
+if [ -z "$KAFKA_CLUSTER_ID" ]; then
+ echo "Failed to retrieve kafka cluster id from zookeeper"
+ exit 1
+fi
+
+## Login into MDS
+CA_CERT=./certs/snakeoil-ca-1.crt
+XX_CONFLUENT_USERNAME=professor XX_CONFLUENT_PASSWORD=professor confluent login --ca-cert-path $CA_CERT --url https://localhost:8090
+
+SUPER_USER=professor
+SUPER_USER_PASSWORD=professor
+SUPER_USER_PRINCIPAL="User:$SUPER_USER"
+
+## Create Service Roles
+CONNECT_PRINCIPAL="User:fry"
+C3_PRINCIPAL="User:hermes"
+SR_PRINCIPAL="User:leela"
+OTHER_PRINCIPAL="User:zoidberg"
+
+CONNECT=connect-cluster
+SR=schema-registry
+C3=c3-cluster
+
+
+################################### SETUP SUPERUSER ###################################
+echo "Creating Super User role bindings"
+
+confluent iam rolebinding create \
+ --principal $SUPER_USER_PRINCIPAL \
+ --role SystemAdmin \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID
+
+confluent iam rolebinding create \
+ --principal $SUPER_USER_PRINCIPAL \
+ --role SystemAdmin \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID \
+ --schema-registry-cluster-id $SR
+
+confluent iam rolebinding create \
+ --principal $SUPER_USER_PRINCIPAL \
+ --role SystemAdmin \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID \
+ --connect-cluster-id $CONNECT
+
+echo "Finished setting up role bindings"
+echo " kafka cluster id: $KAFKA_CLUSTER_ID"
+echo " connect cluster id: $CONNECT"
+echo " schema registry cluster id: $SR"
+echo
+echo " super user account: $SUPER_USER_PRINCIPAL"
+echo " connect service account: $CONNECT_PRINCIPAL"
+echo " schema registry service account: $SR_PRINCIPAL"
+echo " C3 service account: $C3_PRINCIPAL"
+echo " Other service account: $OTHER_PRINCIPAL"
diff --git a/docker/rbac-tls/create-config.sh b/docker/rbac-tls/create-config.sh
new file mode 100755
index 000000000..5c55026a8
--- /dev/null
+++ b/docker/rbac-tls/create-config.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+# Generating public and private keys for token signing
+echo "Generating public and private keys for token signing"
+mkdir -p ./conf
+openssl genrsa -out ./conf/keypair.pem 2048
+openssl rsa -in ./conf/keypair.pem -outform PEM -pubout -out ./conf/public.pem
diff --git a/docker/rbac-tls/create-roles-streams-app.sh b/docker/rbac-tls/create-roles-streams-app.sh
new file mode 100755
index 000000000..6c05d066c
--- /dev/null
+++ b/docker/rbac-tls/create-roles-streams-app.sh
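Review bot: The script has no `set -euo pipefail`, so a failed `confluent login` (wrong password, expired CA, MDS not up yet) is ignored and the three `confluent iam rolebinding create` calls run unauthenticated and fail one by one; create-roles.sh duplicates this prologue and has the same gap. The cluster-id lookup uses `docker exec -it` inside `$(...)`: `-t` allocates a TTY, which fails when the script is run without one (CI, cron) and can turn the captured output into CRLF-terminated text, so use `docker exec $ZK_CONTAINER zookeeper-shell ...` there. `SUPER_USER_PASSWORD=professor` is assigned but never read, while the same password is repeated as a literal on the login line; read it once from the environment (`: "${SUPER_USER_PASSWORD:?}"`) and pass that variable to `XX_CONFLUENT_PASSWORD`. Consider moving the shared prologue into a sourced `common.sh` so the two scripts cannot drift (they already differ in `CA_CERT=./certs/...` versus `certs/...`).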
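Review bot: `openssl genrsa -out ./conf/keypair.pem 2048` writes the token-signing private key with the caller's umask rather than a restrictive mode (check with `ls -l conf/`), and docker-compose.yml then mounts that directory into the broker container as `/tmp/conf`; start the script with `umask 077`, or `chmod 600 ./conf/keypair.pem` right after generation. Also guard against a rerun silently replacing a key the brokers already trust: `[ -e ./conf/keypair.pem ] && { echo "conf/keypair.pem exists, not overwriting"; exit 0; }` before the `openssl genrsa` line. The generated conf/keypair.pem is committed in this same change; add `conf/keypair.pem` to .gitignore so this script, not the repository, is the source of the key.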
@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+
+## Login into MDS
+XX_CONFLUENT_USERNAME=professor XX_CONFLUENT_PASSWORD=professor confluent login --url http://localhost:8090
+
+
+## Create Service Roles
+STREAMS_PRINCIPAL="User:zoidberg"
+KAFKA_CLUSTER_ID="x64IAgb0TfOs-3-YoGB4gA"
+
+################################### STREAMS ###################################
+
+echo "Creating Kafka Streams role bindings"
+
+# Allow Streams to read the input topics:
+#kafka-acls -authorizer-properties zookeeper.connect=zookeeper:2181 --add --allow-principal User:alice --operation Read --topic source-topic
+# Allow Streams to write to the output topics:
+#kafka-acls -authorizer-properties zookeeper.connect=zookeeper:2181 --add --allow-principal User:alice --operation Write --topic target-topic
+
+# Allow Streams to manage its own internal topics and consumer groups:
+#kafka-acls -authorizer-properties zookeeper.connect=zookeeper:2181 --add --allow-principal User:alice --operation All --resource-pattern-type prefixed --topic porsche-streams-app --group porsche-streams-app
+
+
+confluent iam rolebinding create \
+ --principal $STREAMS_PRINCIPAL \
+ --role DeveloperRead \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID \
+ --resource "Topic:source-topic"
+
+confluent iam rolebinding create \
+ --principal $STREAMS_PRINCIPAL \
+ --role DeveloperWrite \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID \
+ --resource "Topic:target-topic"
+
+confluent iam rolebinding create \
+ --principal $STREAMS_PRINCIPAL \
+ --role DeveloperRead \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID \
+ --prefix \
+ --resource "Topic:porsche-streams-app"
+
+confluent iam rolebinding create \
+ --principal $STREAMS_PRINCIPAL \
+ --role DeveloperWrite \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID \
+ --prefix \
+ --resource "Topic:porsche-streams-app"
+
+confluent iam rolebinding create \
+ --principal $STREAMS_PRINCIPAL \
+ --role DeveloperManage \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID \
+ --prefix \
+ --resource "Topic:porsche-streams-app"
+
+
+confluent iam rolebinding create \
+ --principal $STREAMS_PRINCIPAL \
+ --role DeveloperRead \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID \
+ --prefix \
+ --resource "Group:porsche-streams-app"
+
+confluent iam rolebinding create \
+ --principal $STREAMS_PRINCIPAL \
+ --role DeveloperWrite \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID \
+ --prefix \
+ --resource "Group:porsche-streams-app"
+
+confluent iam rolebinding create \
+ --principal $STREAMS_PRINCIPAL \
+ --role DeveloperManage \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID \
+ --prefix \
+ --resource "Group:porsche-streams-app"
+
+
+confluent iam rolebinding list --principal $STREAMS_PRINCIPAL --kafka-cluster-id $KAFKA_CLUSTER_ID
+
+## created roles
+#Role | ResourceType | Name | PatternType
+#+-----------------+--------------+---------------------+-------------+
+#DeveloperManage | Topic | porsche-streams-app | PREFIXED
+#DeveloperManage | Group | porsche-streams-app | PREFIXED
+#DeveloperRead | Topic | source-topic | LITERAL
+#DeveloperRead | Topic | porsche-streams-app | PREFIXED
+#DeveloperRead | Group | porsche-streams-app | PREFIXED
+#DeveloperWrite | Topic | target-topic | LITERAL
+#DeveloperWrite | Topic | porsche-streams-app | PREFIXED
+#DeveloperWrite | Group | porsche-streams-app | PREFIXED
diff --git a/docker/rbac-tls/create-roles.sh b/docker/rbac-tls/create-roles.sh
new file mode 100755
index 000000000..1bba922f0
--- /dev/null
+++ b/docker/rbac-tls/create-roles.sh
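Review bot: `KAFKA_CLUSTER_ID="x64IAgb0TfOs-3-YoGB4gA"` is a hard-coded id, while create-basic-roles.sh and create-roles.sh fetch it from ZooKeeper at run time; the id changes whenever the zookeeper volume is recreated, so every binding below is attached to whatever id was pasted rather than to the running cluster, and the Streams app ends up with no effective permissions. Reuse the sibling lookup, `KAFKA_CLUSTER_ID=$(docker exec $ZK_CONTAINER zookeeper-shell localhost:$ZK_PORT get /cluster/id 2> /dev/null | grep \"version\" | jq -r .id)` with its empty-check, or accept the id as `$1`. The login line also differs from the siblings: `confluent login --url http://localhost:8090` without `--ca-cert-path`, i.e. the professor password goes over plain HTTP while the other scripts use https with the snakeoil CA — align it. The closing `confluent iam rolebinding list` is a useful check, but without `set -e` a failed create above it is hidden by the listing's exit status.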
@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+
+################################## GET KAFKA CLUSTER ID ########################
+ZK_CONTAINER=zookeeper
+ZK_PORT=2181
+echo "Retrieving Kafka cluster id from docker-container '$ZK_CONTAINER' port '$ZK_PORT'"
+KAFKA_CLUSTER_ID=$(docker exec -it $ZK_CONTAINER zookeeper-shell localhost:$ZK_PORT get /cluster/id 2> /dev/null | grep \"version\" | jq -r .id)
+if [ -z "$KAFKA_CLUSTER_ID" ]; then
+ echo "Failed to retrieve kafka cluster id from zookeeper"
+ exit 1
+fi
+
+## Login into MDS
+CA_CERT=certs/snakeoil-ca-1.crt
+XX_CONFLUENT_USERNAME=professor XX_CONFLUENT_PASSWORD=professor confluent login --ca-cert-path $CA_CERT --url https://localhost:8090
+
+SUPER_USER=professor
+SUPER_USER_PASSWORD=professor
+SUPER_USER_PRINCIPAL="User:$SUPER_USER"
+
+## Create Service Roles
+CONNECT_PRINCIPAL="User:fry"
+C3_PRINCIPAL="User:hermes"
+SR_PRINCIPAL="User:leela"
+OTHER_PRINCIPAL="User:zoidberg"
+
+CONNECT=connect-cluster
+SR=schema-registry
+C3=c3-cluster
+
+################################### SETUP SUPERUSER ###################################
+echo "Creating Super User role bindings"
+
+confluent iam rolebinding create \
+ --principal $SUPER_USER_PRINCIPAL \
+ --role SystemAdmin \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID
+
+confluent iam rolebinding create \
+ --principal $SUPER_USER_PRINCIPAL \
+ --role SystemAdmin \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID \
+ --schema-registry-cluster-id $SR
+
+confluent iam rolebinding create \
+ --principal $SUPER_USER_PRINCIPAL \
+ --role SystemAdmin \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID \
+ --connect-cluster-id $CONNECT
+
+################################### SCHEMA REGISTRY ###################################
+echo "Creating Schema Registry role bindings"
+
+# SecurityAdmin on SR cluster itself
+confluent iam rolebinding create \
+ --principal $SR_PRINCIPAL \
+ --role SecurityAdmin \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID \
+ --schema-registry-cluster-id $SR
+
+# ResourceOwner for groups and topics on broker
+for resource in Topic:_schemas Group:schema-registry
+do
+ confluent iam rolebinding create \
+ --principal $SR_PRINCIPAL \
+ --role ResourceOwner \
+ --resource $resource \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID
+done
+
+################################### CONNECT ###################################
+echo "Creating Connect role bindings"
+
+# SecurityAdmin on the connect cluster itself
+confluent iam rolebinding create \
+ --principal $CONNECT_PRINCIPAL \
+ --role SecurityAdmin \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID \
+ --connect-cluster-id $CONNECT
+
+# ResourceOwner for groups and topics on broker
+declare -a ConnectResources=(
+ "Topic:connect-configs"
+ "Topic:connect-offsets"
+ "Topic:connect-status"
+ "Group:connect-cluster"
+ "Group:secret-registry"
+ "Topic:_confluent-secrets"
+)
+for resource in ${ConnectResources[@]}
+do
+ confluent iam rolebinding create \
+ --principal $CONNECT_PRINCIPAL \
+ --role ResourceOwner \
+ --resource $resource \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID
+done
+
+################################### C3 ###################################
+echo "Creating C3 role bindings"
+
+# C3 only needs SystemAdmin on the kafka cluster itself
+confluent iam rolebinding create \
+ --principal $C3_PRINCIPAL \
+ --role SystemAdmin \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID
+
+################################### OTHER ROLE ###################################
+
+confluent iam rolebinding create \
+ --principal $OTHER_PRINCIPAL \
+ --role DeveloperWrite \
+ --resource "Topic:connect-configs" \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID
+
+
+confluent iam rolebinding create \
+ --principal $OTHER_PRINCIPAL \
+ --role ResourceOwner \
+ --resource "Topic:zaragoza." \
+ --prefix \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID
+
+echo "Finished setting up role bindings"
+echo " kafka cluster id: $KAFKA_CLUSTER_ID"
+echo " connect cluster id: $CONNECT"
+echo " schema registry cluster id: $SR"
+echo
+echo " super user account: $SUPER_USER_PRINCIPAL"
+echo " connect service account: $CONNECT_PRINCIPAL"
+echo " schema registry service account: $SR_PRINCIPAL"
+echo " C3 service account: $C3_PRINCIPAL"
+echo " Other service account: $OTHER_PRINCIPAL"
diff --git a/docker/rbac-tls/docker-compose.yml b/docker/rbac-tls/docker-compose.yml
new file mode 100644
index 000000000..ada355574
--- /dev/null
+++ b/docker/rbac-tls/docker-compose.yml
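Review bot: The OTHER ROLE section grants User:zoidberg `DeveloperWrite` on `Topic:connect-configs`, the Connect worker's internal configuration topic that the CONNECT section just made User:fry `ResourceOwner` of; a second, unrelated principal writing there can corrupt the worker's state, and nothing in the script says why a generic developer needs it. If the binding only exists to demonstrate a write role, point it at a demo topic instead (the `Topic:zaragoza.` prefix bound right below is the obvious candidate) and add a comment stating the purpose. Minor: quote the array expansion, `for resource in "${ConnectResources[@]}"`, so the loop survives entries containing spaces. The prologue shares the missing `set -euo pipefail` and `docker exec -it` issues raised on create-basic-roles.sh.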
@@ -0,0 +1,492 @@
+---
+version: '2.3'
+services:
+
+ phpldapadmin-service:
+ image: osixia/phpldapadmin:0.7.2
+ container_name: ldapadmin-service
+ environment:
+ - PHPLDAPADMIN_LDAP_HOSTS=openldap
+ ports:
+ - "6444:443"
+ depends_on:
+ - openldap
+
+ openldap:
+ image: rroemhild/test-openldap
+ hostname: openldap
+ container_name: openldap
+ ports:
+ - "389:389"
+ privileged: true
+
+ zookeeper:
+ image: confluentinc/cp-zookeeper:${TAG}
+ hostname: zookeeper
+ container_name: zookeeper
+ ports:
+ - "2181:2181"
+ environment:
+ ZOOKEEPER_CLIENT_PORT: 2181
+ ZOOKEEPER_TICK_TIME: 2000
+
+ broker:
+ image: confluentinc/cp-server:${TAG}
+ hostname: broker
+ container_name: broker
+ networks:
+ default:
+ aliases:
+ - broker
+ - thusnelda
+ depends_on:
+ - 'zookeeper'
+ - 'openldap'
+ ports:
+ - "8090:8090"
+ - "8091:8091"
+ - "9092:9092"
+ - "9093:9093"
+ - "9094:9094"
+ - "9095:9095"
+ volumes:
+ - ./certs/:/etc/kafka/secrets/
+ - ./conf:/tmp/conf
+ - ./client-configs:/etc/client-configs
+ - ./kafka/:/etc/kafka/
+ - ./jvm/:/etc/kafka/jvm/
+ environment:
+ KAFKA_LOG4J_LOGGERS: kafka.controller=INFO,kafka.authorizer.logger=DEBUG
+ KAFKA_LOG4J_ROOT_LOGLEVEL: DEBUG
+ KAFKA_SUPER_USERS: User:admin;User:kafka;User:professor;User:ANONYMOUS
+ KAFKA_BROKER_ID: 1
+ KAFKA_ZOOKEEPER_CONNECT: 'zookeeper:2181'
+ KAFKA_CONFLUENT_LICENSE_TOPIC_REPLICATION_FACTOR: 1
+ KAFKA_CONFLUENT_SCHEMA_REGISTRY_URL: https://schema-registry:8081
+ KAFKA_ADVERTISED_LISTENERS: INTERNAL://localhost:9093,EXTERNAL://localhost:9092,TOKEN://localhost:9094,TOKENE://thusnelda:9095
+ KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: INTERNAL:SSL,EXTERNAL:SSL,TOKEN:SASL_SSL,TOKENE:SASL_SSL
+ KAFKA_SASL_ENABLED_MECHANISMS: OAUTHBEARER
+
+ # Configure interbroker listener
+ KAFKA_INTER_BROKER_LISTENER_NAME: INTERNAL
+
+ ############################ SSL SETTINGS #####################################
+ KAFKA_LISTENER_NAME_INTERNAL_SECURITY_PROTOCOL: SSL
+ KAFKA_LISTENER_NAME_INTERNAL_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.truststore.jks
+ KAFKA_LISTENER_NAME_INTERNAL_SSL_TRUSTSTORE_PASSWORD: confluent
+ KAFKA_LISTENER_NAME_INTERNAL_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.keystore.jks
+ KAFKA_LISTENER_NAME_INTERNAL_SSL_KEYSTORE_PASSWORD: confluent
+ KAFKA_LISTENER_NAME_INTERNAL_SSL_KEY_PASSWORD: confluent
+
+ KAFKA_LISTENER_NAME_EXTERNAL_SECURITY_PROTOCOL: SSL
+ KAFKA_LISTENER_NAME_EXTERNAL_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.truststore.jks
+ KAFKA_LISTENER_NAME_EXTERNAL_SSL_TRUSTSTORE_PASSWORD: confluent
+ KAFKA_LISTENER_NAME_EXTERNAL_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.keystore.jks
+ KAFKA_LISTENER_NAME_EXTERNAL_SSL_KEYSTORE_PASSWORD: confluent
+ KAFKA_LISTENER_NAME_EXTERNAL_SSL_KEY_PASSWORD: confluent
+
+ KAFKA_LISTENER_NAME_TOKEN_SECURITY_PROTOCOL: SSL
+ KAFKA_LISTENER_NAME_TOKEN_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.truststore.jks
+ KAFKA_LISTENER_NAME_TOKEN_SSL_TRUSTSTORE_PASSWORD: confluent
+ KAFKA_LISTENER_NAME_TOKEN_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.keystore.jks
+ KAFKA_LISTENER_NAME_TOKEN_SSL_KEYSTORE_PASSWORD: confluent
+ KAFKA_LISTENER_NAME_TOKEN_SSL_KEY_PASSWORD: confluent
+
+ KAFKA_LISTENER_NAME_TOKENE_SECURITY_PROTOCOL: SSL
+ KAFKA_LISTENER_NAME_TOKENE_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/thusnelda.truststore.jks
+ KAFKA_LISTENER_NAME_TOKENE_SSL_TRUSTSTORE_PASSWORD: confluent
+ KAFKA_LISTENER_NAME_TOKENE_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/thusnelda.keystore.jks
+ KAFKA_LISTENER_NAME_TOKENE_SSL_KEYSTORE_PASSWORD: confluent
+ KAFKA_LISTENER_NAME_TOKENE_SSL_KEY_PASSWORD: confluent
+
+ KAFKA_SSL_CLIENT_AUTH: required
+ #KAFKA_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=(.*?),.*$$/$$1/,DEFAULT
+
+ KAFKA_LISTENER_NAME_INTERNAL_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=([a-zA-Z0-9.]*).*$$/$$1/ , DEFAULT
+ KAFKA_LISTENER_NAME_EXTERNAL_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=([a-zA-Z0-9.]*).*$$/kafka/ , DEFAULT
+
+ # Configure token listener
+ KAFKA_LISTENER_NAME_TOKEN_SASL_ENABLED_MECHANISMS: OAUTHBEARER
+ KAFKA_LISTENER_NAME_TOKEN_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS: io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
+ KAFKA_LISTENER_NAME_TOKEN_OAUTHBEARER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
+ KAFKA_LISTENER_NAME_TOKEN_OAUTHBEARER_SASL_JAAS_CONFIG: |
+ \
+ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+ publicKeyPath="/tmp/conf/public.pem";
+
+ KAFKA_LISTENER_NAME_TOKENE_SASL_ENABLED_MECHANISMS: OAUTHBEARER
+ KAFKA_LISTENER_NAME_TOKENE_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS: io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
+ KAFKA_LISTENER_NAME_TOKENE_OAUTHBEARER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
+ KAFKA_LISTENER_NAME_TOKENE_OAUTHBEARER_SASL_JAAS_CONFIG: |
+ \
+ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+ publicKeyPath="/tmp/conf/public.pem";
+
+ # CONFIGURE AUTHORIZER
+ KAFKA_AUTHORIZER_CLASS_NAME: io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
+ KAFKA_CONFLUENT_AUTHORIZER_ACCESS_RULE_PROVIDERS: CONFLUENT,ZK_ACL
+ KAFKA_CONFLUENT_AUTHORIZER_GROUP_PROVIDER: RBAC
+
+ # ======================== CONFIGURE MDS ====================================
+ KAFKA_CONFLUENT_METADATA_TOPIC_REPLICATION_FACTOR: 1
+
+ # Configure MDS listener and http(s) server
+ KAFKA_CONFLUENT_METADATA_SERVER_AUTHENTICATION_METHOD: BEARER
+ KAFKA_CONFLUENT_METADATA_SERVER_AUTHENTICATION_ROLES: '**'
+ KAFKA_CONFLUENT_METADATA_SERVER_LISTENERS: https://0.0.0.0:8090
+ KAFKA_CONFLUENT_METADATA_SERVER_ADVERTISED_LISTENERS: https://broker:8090
+ KAFKA_CONFLUENT_METADATA_SERVER_OPENAPI_ENABLE: "true"
+
+ ## SSL settings for MDS
+ KAFKA_CONFLUENT_METADATA_SERVER_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/mds.keystore.jks
+ KAFKA_CONFLUENT_METADATA_SERVER_SSL_KEYSTORE_PASSWORD: confluent
+ KAFKA_CONFLUENT_METADATA_SERVER_SSL_KEY_PASSWORD: confluent
+ KAFKA_CONFLUENT_METADATA_SERVER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/mds.truststore.jks
+ KAFKA_CONFLUENT_METADATA_SERVER_SSL_TRUSTSTORE_PASSWORD: confluent
+
+ # Configure RBAC token server (authentication)
+ KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_AUTH_ENABLE: 'true'
+ KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_MAX_LIFETIME_MS: 3600000
+ KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_SIGNATURE_ALGORITHM: RS256
+ KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_KEY_PATH: /tmp/conf/keypair.pem
+ KAFKA_CONFLUENT_METADATA_SERVER_PUBLIC_KEY_PATH: /tmp/conf/public.pem
+
+ # Configure MDS to talk to AD/LDAP
+ KAFKA_LDAP_JAVA_NAMING_FACTORY_INITIAL: com.sun.jndi.ldap.LdapCtxFactory
+ KAFKA_LDAP_COM_SUN_JNDI_LDAP_READ_TIMEOUT: 3000
+ KAFKA_LDAP_JAVA_NAMING_PROVIDER_URL: ldap://openldap:389
+ # how to authenticate to LDAP
+ KAFKA_LDAP_JAVA_NAMING_SECURITY_PRINCIPAL: cn=admin,dc=planetexpress,dc=com
+ KAFKA_LDAP_JAVA_NAMING_SECURITY_CREDENTIALS: GoodNewsEveryone
+ KAFKA_LDAP_JAVA_NAMING_SECURITY_AUTHENTICATION: simple
+ # how to locate users and groups
+ KAFKA_LDAP_USER_SEARCH_BASE: ou=people,dc=planetexpress,dc=com
+ KAFKA_LDAP_GROUP_SEARCH_BASE: ou=people,dc=planetexpress,dc=com
+ KAFKA_LDAP_USER_NAME_ATTRIBUTE: uid
+ KAFKA_LDAP_USER_OBJECT_CLASS: inetOrgPerson
+ KAFKA_LDAP_USER_MEMBEROF_ATTRIBUTE: ou
+ KAFKA_LDAP_GROUP_NAME_ATTRIBUTE: cn
+ KAFKA_LDAP_GROUP_OBJECT_CLASS: group
+
+ # ======================= CONFIGURE METRICS REPORTER =========================
+ KAFKA_METRIC_REPORTERS: io.confluent.metrics.reporter.ConfluentMetricsReporter
+ CONFLUENT_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9093
+ CONFLUENT_METRICS_REPORTER_TOPIC_REPLICAS: 1
+ CONFLUENT_METRICS_REPORTER_SECURITY_PROTOCOL: SSL
+ CONFLUENT_METRICS_REPORTER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.truststore.jks
+ CONFLUENT_METRICS_REPORTER_SSL_TRUSTSTORE_PASSWORD: confluent
+ CONFLUENT_METRICS_REPORTER_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.keystore.jks
+ CONFLUENT_METRICS_REPORTER_SSL_KEYSTORE_PASSWORD: confluent
+ CONFLUENT_METRICS_REPORTER_SSL_KEY_PASSWORD: confluent
+
+ # ======================= OTHER BROKER STUFF =================================
+ KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
+ SSL_ENABLED_PROTOCOLS: TLSv1.2
+ KAFKA_OPTS: " -Djava.security.properties=/etc/kafka/jvm/security-policy.properties"
+ KAFKA_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ # KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
+ # CONFLUENT_METRICS_ENABLE: 'true'
+ # CONFLUENT_SUPPORT_CUSTOMER_ID: 'anonymous'
+
+ schema-registry:
+ image: confluentinc/cp-schema-registry:${TAG}
+ hostname: schema-registry
+ container_name: schema-registry
+ depends_on:
+ - broker
+ ports:
+ - "8081:8081"
+ volumes:
+ - ./certs/:/etc/kafka/secrets/
+ - ./conf:/tmp/conf
+ - ./jvm/:/etc/kafka/jvm/
+ environment:
+ CUB_CLASSPATH: '/etc/confluent/docker/docker-utils.jar:/usr/share/java/confluent-security/schema-registry/*:/usr/share/java/schema-registry/*:/usr/share/java/cp-base-new/*'
+ SCHEMA_REGISTRY_LISTENERS: https://0.0.0.0:8081
+ SCHEMA_REGISTRY_HOST_NAME: schema-registry
+ # This is only needed if you don't have a license and would like to test as part of a trial period
+ SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URL: zookeeper:2181
+
+ # configure how to connect to kafka for SR to store its internal info
+ SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: broker:9094
+ SCHEMA_REGISTRY_KAFKASTORE_SECURITY_PROTOCOL: SASL_SSL
+ SCHEMA_REGISTRY_KAFKASTORE_SASL_MECHANISM: OAUTHBEARER
+ SCHEMA_REGISTRY_KAFKASTORE_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
+ SCHEMA_REGISTRY_KAFKASTORE_SASL_JAAS_CONFIG: |
+ \
+ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+ username="leela" \
+ password="leela" \
+ metadataServerUrls="https://broker:8090";
+
+ SCHEMA_REGISTRY_KAFKASTORE_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/schemaregistry.truststore.jks
+ SCHEMA_REGISTRY_KAFKASTORE_SSL_TRUSTSTORE_PASSWORD: confluent
+ SCHEMA_REGISTRY_KAFKASTORE_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/schemaregistry.keystore.jks
+ SCHEMA_REGISTRY_KAFKASTORE_SSL_KEYSTORE_PASSWORD: confluent
+ SCHEMA_REGISTRY_KAFKASTORE_SSL_KEY_PASSWORD: confluent
+
+ SCHEMA_REGISTRY_KAFKASTORE_TOPIC: _schemas
+ SCHEMA_REGISTRY_DEBUG: 'true'
+
+ SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/schemaregistry.truststore.jks
+ SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD: confluent
+ SCHEMA_REGISTRY_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/schemaregistry.keystore.jks
+ SCHEMA_REGISTRY_SSL_KEYSTORE_PASSWORD: confluent
+ SCHEMA_REGISTRY_SSL_KEY_PASSWORD: confluent
+ SCHEMA_REGISTRY_SSL_CLIENT_AUTH: 'false'
+
+ SCHEMA_REGISTRY_SCHEMA_REGISTRY_INTER_INSTANCE_PROTOCOL: "https"
+
+ # ======================= RBAC =================================
+ SCHEMA_REGISTRY_SCHEMA_REGISTRY_RESOURCE_EXTENSION_CLASS: io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension
+ SCHEMA_REGISTRY_CONFLUENT_SCHEMA_REGISTRY_AUTHORIZER_CLASS: io.confluent.kafka.schemaregistry.security.authorizer.rbac.RbacAuthorizer
+ SCHEMA_REGISTRY_REST_SERVLET_INITIALIZOR_CLASSES: io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler
+ # how to connect to MDS
+ SCHEMA_REGISTRY_CONFLUENT_METADATA_BOOTSTRAP_SERVER_URLS: https://broker:8090
+ SCHEMA_REGISTRY_CONFLUENT_METADATA_HTTP_AUTH_CREDENTIALS_PROVIDER: BASIC
+ SCHEMA_REGISTRY_CONFLUENT_METADATA_BASIC_AUTH_USER_INFO: leela:leela
+ # public key to verify tokens during authentication
+ SCHEMA_REGISTRY_PUBLIC_KEY_PATH: /tmp/conf/public.pem
+ SCHEMA_REGISTRY_SSL_ENABLED_PROTOCOLS: TLSv1.2
+ KAFKA_OPTS: " -Djava.security.properties=/etc/kafka/jvm/security-policy.properties"
+ SCHEMA_REGISTRY_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+
+ connect:
+ image: confluentinc/cp-server-connect:${TAG}
+ hostname: connect
+ container_name: connect
+ depends_on:
+ - 'broker'
+ ports:
+ - "8083:8083"
+ volumes:
+ - ./certs/:/etc/kafka/secrets/
+ - ./conf:/tmp/conf
+ - ./jvm/:/etc/kafka/jvm/
+ environment:
+ CUB_CLASSPATH: '/etc/confluent/docker/docker-utils.jar:/usr/share/java/confluent-security/connect/*:/usr/share/java/kafka/*:/usr/share/java/cp-base-new/*'
+ CLASSPATH: "/usr/share/java/monitoring-interceptors/*"
+ CONNECT_REST_ADVERTISED_HOST_NAME: connect
+ CONNECT_LISTENERS: https://0.0.0.0:8083
+ CONNECT_REST_PORT: 8083
+ CONNECT_GROUP_ID: connect-cluster
+ CONNECT_REPLICATION_FACTOR: 1
+ # configs storage topic
+ CONNECT_CONFIG_STORAGE_TOPIC: connect-configs
+ CONNECT_CONFIG_STORAGE_REPLICATION_FACTOR: 1
+ # offsets storage topic and settings
+ CONNECT_OFFSET_STORAGE_TOPIC: connect-offsets
+ CONNECT_OFFSET_STORAGE_REPLICATION_FACTOR: 1
+ CONNECT_OFFSET_FLUSH_INTERVAL_MS: 10000
+ # status storage topic
+ CONNECT_STATUS_STORAGE_TOPIC: connect-status
+ CONNECT_STATUS_STORAGE_REPLICATION_FACTOR: 1
+
+ # Default to Json converters:
+ CONNECT_KEY_CONVERTER: org.apache.kafka.connect.json.JsonConverter
+ CONNECT_VALUE_CONVERTER: org.apache.kafka.connect.json.JsonConverter
+ CONNECT_INTERNAL_KEY_CONVERTER: org.apache.kafka.connect.json.JsonConverter
+ CONNECT_INTERNAL_VALUE_CONVERTER: org.apache.kafka.connect.json.JsonConverter
+
+ CONNECT_LOG4J_ROOT_LOGLEVEL: INFO
+ CONNECT_LOG4J_LOGGERS: org.reflections=ERROR
+
+ # Connect to broker
+ CONNECT_BOOTSTRAP_SERVERS: broker:9094
+ CONNECT_SECURITY_PROTOCOL: SASL_SSL
+ # RBAC
+ CONNECT_SASL_MECHANISM: 'OAUTHBEARER'
+ CONNECT_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler'
+ CONNECT_SASL_JAAS_CONFIG: |
+ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+ username="fry" \
+ password="fry" \
+ metadataServerUrls="https://broker:8090";
+
+ # Connect Worker
+ CONNECT_SECURITY_PROTOCOL: SASL_SSL
+ CONNECT_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/connect.truststore.jks
+ CONNECT_SSL_TRUSTSTORE_PASSWORD: confluent
+ CONNECT_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/connect.keystore.jks
+ CONNECT_SSL_KEYSTORE_PASSWORD: confluent
+ CONNECT_SSL_KEY_PASSWORD: confluent
+
+ # Allow overriding configs on the connector level
+ CONNECT_CONNECTOR_CLIENT_CONFIG_OVERRIDE_POLICY: 'All'
+
+ # Default producers configuration
+ CONNECT_PRODUCER_SECURITY_PROTOCOL: SASL_SSL
+ CONNECT_PRODUCER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/connect.truststore.jks
+ CONNECT_PRODUCER_SSL_TRUSTSTORE_PASSWORD: confluent
+ CONNECT_PRODUCER_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/connect.keystore.jks
+ CONNECT_PRODUCER_SSL_KEYSTORE_PASSWORD: confluent
+ CONNECT_PRODUCER_SSL_KEY_PASSWORD: confluent
+ CONNECT_PRODUCER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringProducerInterceptor"
+ CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SECURITY_PROTOCOL: SASL_SSL
+ CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/connect.truststore.jks
+ CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_TRUSTSTORE_PASSWORD: confluent
+ CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/connect.keystore.jks
+ CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEYSTORE_PASSWORD: confluent
+ CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEY_PASSWORD: confluent
+
+ # Producer
+ CONNECT_PRODUCER_SASL_MECHANISM: 'OAUTHBEARER'
+ CONNECT_PRODUCER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler'
+ CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_MECHANISM: 'OAUTHBEARER'
+ CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler'
+ CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_JAAS_CONFIG: |
+ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+ username="fry" \
+ password="fry" \
+ metadataServerUrls="https://broker:8090";
+
+ # Default consumer configs
+ CONNECT_CONSUMER_SECURITY_PROTOCOL: SASL_SSL
+ CONNECT_CONSUMER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/connect.truststore.jks
+ CONNECT_CONSUMER_SSL_TRUSTSTORE_PASSWORD: confluent
+ CONNECT_CONSUMER_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/connect.keystore.jks
+ CONNECT_CONSUMER_SSL_KEYSTORE_PASSWORD: confluent
+ CONNECT_CONSUMER_SSL_KEY_PASSWORD: confluent
+ CONNECT_CONSUMER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringConsumerInterceptor"
+ CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SECURITY_PROTOCOL: SASL_SSL
+ CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/connect.truststore.jks
+ CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_TRUSTSTORE_PASSWORD: confluent
+ CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/connect.keystore.jks
+ CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEYSTORE_PASSWORD: confluent
+ CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEY_PASSWORD: confluent
+
+ CONNECT_CONSUMER_SASL_MECHANISM: 'OAUTHBEARER'
+ CONNECT_CONSUMER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler'
+ CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_MECHANISM: 'OAUTHBEARER'
+ CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler'
+ CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_JAAS_CONFIG: |
+ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+ username="fry" \
+ password="fry" \
+ metadataServerUrls="https://broker:8090";
+
+ # Default admin config
+ CONNECT_ADMIN_SECURITY_PROTOCOL: SASL_SSL
+ CONNECT_ADMIN_SASL_MECHANISM: 'OAUTHBEARER'
+ CONNECT_ADMIN_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler'
+ CONNECT_ADMIN_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/connect.truststore.jks
+ CONNECT_ADMIN_SSL_TRUSTSTORE_PASSWORD: confluent
+ CONNECT_ADMIN_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/connect.keystore.jks
+ CONNECT_ADMIN_SSL_KEYSTORE_PASSWORD: confluent
+ CONNECT_ADMIN_SSL_KEY_PASSWORD: confluent
+
+ # Load confluent plugins
+ CONNECT_PLUGIN_PATH: "/usr/share/java,/usr/share/confluent-hub-components"
+ # ============================== RBAC ========================================
+ CONNECT_REST_EXTENSION_CLASSES: 'io.confluent.connect.security.ConnectSecurityExtension,io.confluent.connect.secretregistry.ConnectSecretRegistryExtension'
+ CONNECT_REST_SERVLET_INITIALIZOR_CLASSES: 'io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler'
+ CONNECT_PUBLIC_KEY_PATH: '/tmp/conf/public.pem'
+
+ CONNECT_CONFLUENT_METADATA_BOOTSTRAP_SERVER_URLS: 'https://broker:8090'
+ CONNECT_CONFLUENT_METADATA_BASIC_AUTH_USER_INFO: 'fry:fry'
+ CONNECT_CONFLUENT_METADATA_HTTP_AUTH_CREDENTIALS_PROVIDER: 'BASIC'
+ # ========================= OTHERS =========================
+ KAFKA_OPTS: -Djavax.net.ssl.trustStore=/etc/kafka/secrets/connect.truststore.jks
+ -Djavax.net.ssl.trustStorePassword=confluent
+ -Djavax.net.ssl.keyStore=/etc/kafka/secrets/connect.keystore.jks
+ -Djavax.net.ssl.keyStorePassword=confluent
+ -Djava.security.properties=/etc/kafka/jvm/security-policy.properties
+ # ========================= SECRET REGISTRY ==================================
+ CONNECT_CONFIG_PROVIDERS: 'secret'
+ CONNECT_CONFIG_PROVIDERS_SECRET_CLASS: 'io.confluent.connect.secretregistry.rbac.config.provider.InternalSecretConfigProvider'
+ CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_MASTER_ENCRYPTION_KEY: 'password1234'
+ CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_BOOTSTRAP_SERVERS: broker:9094
+ CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SECURITY_PROTOCOL: SASL_SSL
+ CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/connect.truststore.jks
+ CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SSL_TRUSTSTORE_PASSWORD: confluent
+ CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/connect.keystore.jks
+ CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SSL_KEYSTORE_PASSWORD: confluent
+ CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SSL_KEY_PASSWORD: confluent
+ CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SASL_MECHANISM: 'OAUTHBEARER'
+ CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler'
+ CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SASL_JAAS_CONFIG: |
+ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+ username="fry" \
+ password="fry" \
+ metadataServerUrls="https://broker:8090";
+ CONNECT_SSL_ENABLED_PROTOCOLS: TLSv1.2
+ CONNECT_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+
+ control-center:
+ image: confluentinc/cp-enterprise-control-center:${TAG}
+ hostname: control-center
+ container_name: control-center
+ depends_on:
+ - 'zookeeper'
+ - 'broker'
+ #- 'connect'
+ ports:
+ - "9021:9021"
+ volumes:
+ - ./certs/:/etc/kafka/secrets/
+ - ./conf:/tmp/conf
+ - ./jvm/:/etc/kafka/jvm/
+ environment:
+ # CUB CLASSPATH
+ CUB_CLASSPATH: '/etc/confluent/docker/docker-utils.jar:/usr/share/java/confluent-control-center/*:/usr/share/java/rest-utils/*:/usr/share/java/confluent-common/*'
+ # general settings
+ #CONTROL_CENTER_LOG4J_ROOT_LOGLEVEL: DEBUG
+ CONTROL_CENTER_BOOTSTRAP_SERVERS: 'SASL_SSL://broker:9094'
+ CONTROL_CENTER_ZOOKEEPER_CONNECT: 'zookeeper:2181'
+
+ CONTROL_CENTER_REPLICATION_FACTOR: 1
+ CONTROL_CENTER_INTERNAL_TOPICS_PARTITIONS: 1
+ CONFLUENT_METRICS_TOPIC_REPLICATION: 1
+ CONTROL_CENTER_MONITORING_INTERCEPTOR_TOPIC_PARTITIONS: 1
+ CONTROL_CENTER_MONITORING_INTERCEPTOR_TOPIC_REPLICATION: 1
+ CONTROL_CENTER_METRICS_TOPIC_REPLICATION: 1
+ CONTROL_CENTER_METRICS_TOPIC_PARTITIONS: 1
+
+ PORT: 9021
+
+ # ========================= other services ==============================
+ # connect
+ CONTROL_CENTER_CONNECT_CONNECT1_CLUSTER: https://connect:8083
+ # schema-registry
+ CONTROL_CENTER_SCHEMA_REGISTRY_URL: https://schema-registry:8081
+
+ # ========================= RBAC =================================
+ CONTROL_CENTER_REST_AUTHENTICATION_METHOD: BEARER
+ PUBLIC_KEY_PATH: /tmp/conf/public.pem
+ CONFLUENT_METADATA_BOOTSTRAP_SERVER_URLS: https://broker:8090
+ CONFLUENT_METADATA_BASIC_AUTH_USER_INFO: hermes:hermes
+
+ CONTROL_CENTER_REST_LISTENERS: https://0.0.0.0:9021
+ CONTROL_CENTER_REST_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/controlcenter.truststore.jks
+ CONTROL_CENTER_REST_SSL_TRUSTSTORE_PASSWORD: confluent
+ CONTROL_CENTER_REST_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/controlcenter.keystore.jks
+ CONTROL_CENTER_REST_SSL_KEYSTORE_PASSWORD: confluent
+ CONTROL_CENTER_REST_SSL_KEY_PASSWORD: confluent
+
+ CONTROL_CENTER_STREAMS_CPREST_URL: https://broker:8090
+
+ # internal streams application
+ CONTROL_CENTER_STREAMS_CACHE_MAX_BYTES_BUFFERING: 100000000
+ CONTROL_CENTER_STREAMS_CONSUMER_REQUEST_TIMEOUT_MS: "960032"
+ CONTROL_CENTER_STREAMS_NUM_STREAM_THREADS: 1
+
+ CONTROL_CENTER_STREAMS_SECURITY_PROTOCOL: SASL_SSL
+ CONTROL_CENTER_STREAMS_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/controlcenter.truststore.jks
+ CONTROL_CENTER_STREAMS_SSL_TRUSTSTORE_PASSWORD: confluent
+ CONTROL_CENTER_STREAMS_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/controlcenter.keystore.jks
+ CONTROL_CENTER_STREAMS_SSL_KEYSTORE_PASSWORD: confluent
+ CONTROL_CENTER_STREAMS_SSL_KEY_PASSWORD: confluent
+
+ # The following configs are not required by C3 itself, but are required by cub to be able to connect to kafka to check if its ready
+ # Seems like C3 would generate these configs when started, but cub runs before C3 starts, so it doesn't have access to these configs
+ CONTROL_CENTER_STREAMS_SASL_MECHANISM: OAUTHBEARER
+ CONTROL_CENTER_STREAMS_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
+ CONTROL_CENTER_STREAMS_SASL_JAAS_CONFIG: |
+ \
+ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+ username="hermes" \
+ password="hermes" \
+ metadataServerUrls="https://broker:8090";
+ CONTROL_CENTER_SSL_ENABLED_PROTOCOLS: TLSv1.2
+ KAFKA_OPTS: " -Djava.security.properties=/etc/kafka/jvm/security-policy.properties"
+ CONTROL_CENTER_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
diff --git a/docker/rbac-tls/jvm/security-policy.properties b/docker/rbac-tls/jvm/security-policy.properties
new file mode 100644
index 000000000..3fa5e6db8
--- /dev/null
+++ b/docker/rbac-tls/jvm/security-policy.properties
@@ -0,0 +1,6 @@
+jdk.tls.disabledAlgorithms=EC keySize < 160, RSA keySize < 2048, DSA keySize < 2048
+jdk.certpath.disabledAlgorithms=MD2, MD4, MD5, EC keySize < 160, RSA keySize < 2048, DSA keySize < 2048
+jdk.tls.rejectClientInitiatedRenegotiation=true
+jdk.tls.ephemeralDHKeySize=2048
+com.sun.security.enableCRLDP=true
+com.sun.net.ssl.checkRevocation=true
diff --git a/docker/rbac-tls/kafka/client.properties b/docker/rbac-tls/kafka/client.properties
new file mode 100644
index 000000000..d821b5518
--- /dev/null
+++ b/docker/rbac-tls/kafka/client.properties
@@ -0,0 +1,5 @@
+security.protocol=SSL
+ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+ssl.truststore.password=confluent
+ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+ssl.keystore.password=confluent
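Review bot: `KAFKA_LISTENER_NAME_EXTERNAL_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=([a-zA-Z0-9.]*).*$$/kafka/ , DEFAULT` in the broker environment rewrites every client certificate, whatever its CN, to the principal `kafka`, which `KAFKA_SUPER_USERS` lists as a super user, so any certificate that validates against `kafka.truststore.jks` gets unrestricted access on port 9092 and the RBAC authorizer is never consulted for it. The same `KAFKA_SUPER_USERS` value also names `User:ANONYMOUS`, which is harmless only as long as every listener keeps `KAFKA_SSL_CLIENT_AUTH: required` or SASL; it should be removed, and the mapping rule should pin the literal CN of the intended client certificate instead of `([a-zA-Z0-9.]*)`. Two smaller issues in the connect service: `CONNECT_SECURITY_PROTOCOL: SASL_SSL` is declared twice (a duplicate YAML key the parser collapses silently), and `CONNECT_CONNECTOR_CLIENT_CONFIG_OVERRIDE_POLICY: 'All'` lets a connector definition carry its own `sasl.jaas.config`, so anyone who may create a connector chooses the principal the worker's clients use — if that is deliberate for the demo, the comment above it should say so. Finally, every store password, the `leela:leela`/`fry:fry`/`hermes:hermes` basic-auth pairs and `CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_MASTER_ENCRYPTION_KEY: 'password1234'` are committed in clear text; a header comment such as `# Demo-only credentials; regenerate stores, keys and passwords before any non-local use` would set expectations for readers copying this file.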
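Review bot: Four of the six keys in security-policy.properties — `jdk.tls.rejectClientInitiatedRenegotiation`, `jdk.tls.ephemeralDHKeySize`, `com.sun.security.enableCRLDP` and `com.sun.net.ssl.checkRevocation` — are documented as JVM system properties, and a file loaded through `-Djava.security.properties=` only overrides security properties, so as far as I can tell these four lines are silently ignored; to take effect they belong in `KAFKA_OPTS` as `-D` flags. `jdk.tls.disabledAlgorithms=EC keySize < 160, RSA keySize < 2048, DSA keySize < 2048` (and likewise `jdk.certpath.disabledAlgorithms`) replaces the stock value rather than appending to it, so the algorithms the JDK disables by default (on recent releases `SSLv3`, `RC4`, `DES`, `MD5withRSA`, `DH keySize < 1024`, `EC keySize < 224`, `3DES_EDE_CBC`, `anon`, `NULL`) are re-enabled at the JSSE layer and the EC floor drops from 224 to 160 bits. The explicit `*_SSL_CIPHER_SUITES` lists and `TLSv1.2` in the compose file mask most of that, but a hardening file should start from the default list in the JDK's `java.security` and add the stricter key-size entries to it. Note also that those cipher lists still admit the static-RSA suites (`TLS_RSA_WITH_AES_256_*`), which have no forward secrecy, and CBC modes; the `TLS_ECDHE_*_GCM_*` entries alone would be the tighter choice.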
diff --git a/docker/rbac-tls/kafka/kafka.properties b/docker/rbac-tls/kafka/kafka.properties
new file mode 100644
index 000000000..e68dffe8d
--- /dev/null
+++ b/docker/rbac-tls/kafka/kafka.properties
@@ -0,0 +1,97 @@
+confluent.metadata.server.public.key.path=/tmp/conf/public.pem
+listener.name.tokene.ssl.keystore.password=confluent
+listener.name.tokene.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
+listener.name.tokene.oauthbearer.sasl.jaas.config=\
+org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+publicKeyPath="/tmp/conf/public.pem";
+
+confluent.metadata.server.token.max.lifetime.ms=3600000
+ldap.user.search.base=ou=people,dc=planetexpress,dc=com
+confluent.metadata.server.ssl.truststore.password=confluent
+confluent.metadata.server.ssl.keystore.location=/etc/kafka/secrets/mds.keystore.jks
+confluent.metadata.server.advertised.listeners=https://broker:8090
+listener.name.external.ssl.principal.mapping.rules=RULE:^CN=([a-zA-Z0-9.]*).*$/kafka/ , DEFAULT
+ldap.group.name.attribute=cn
+broker.id=1
+confluent.metadata.server.authentication.method=BEARER
+listener.name.internal.ssl.keystore.password=confluent
+listener.name.internal.ssl.key.password=confluent
+confluent.metadata.server.listeners=https://0.0.0.0:8090
+sasl.enabled.mechanisms=OAUTHBEARER
+ldap.java.naming.security.authentication=simple
+listener.name.internal.ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+ldap.user.name.attribute=uid
+advertised.listeners=INTERNAL://localhost:9093,EXTERNAL://localhost:9092,TOKEN://localhost:9094,TOKENE://thusnelda:9095
+listener.name.token.ssl.truststore.password=confluent
+listener.name.tokene.ssl.keystore.location=/etc/kafka/secrets/thusnelda.keystore.jks
+listener.name.internal.ssl.truststore.password=confluent
+zookeeper.connect=zookeeper:2181
+ldap.group.object.class=group
+listener.name.external.ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+confluent.authorizer.access.rule.providers=CONFLUENT,ZK_ACL
+super.users=User:admin;User:kafka;User:professor;User:ANONYMOUS
+ldap.user.object.class=inetOrgPerson
+inter.broker.listener.name=INTERNAL
+listener.name.internal.ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+ssl.client.auth=required
+ldap.java.naming.provider.url=ldap://openldap:389
+listener.name.tokene.security.protocol=SSL
+listener.name.tokene.ssl.key.password=confluent
+confluent.metadata.server.token.signature.algorithm=RS256
+listener.name.token.security.protocol=SSL
+listener.name.external.security.protocol=SSL
+confluent.metadata.server.token.key.path=/tmp/conf/keypair.pem
+ldap.java.naming.security.principal=cn=admin,dc=planetexpress,dc=com
+listener.name.token.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
+ldap.group.search.base=ou=people,dc=planetexpress,dc=com
+listener.name.token.oauthbearer.sasl.jaas.config=\
+org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+publicKeyPath="/tmp/conf/public.pem";
+
+confluent.schema.registry.url=https://schema-registry:8081
+listener.name.internal.ssl.principal.mapping.rules=RULE:^CN=([a-zA-Z0-9.]*).*$/$1/ , DEFAULT
+authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
+confluent.metadata.topic.replication.factor=1
+confluent.metadata.server.ssl.keystore.password=confluent
+listener.name.token.sasl.enabled.mechanisms=OAUTHBEARER
+listener.name.tokene.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
+ldap.user.memberof.attribute=ou
+metric.reporters=io.confluent.metrics.reporter.ConfluentMetricsReporter
+confluent.metadata.server.authentication.roles=**
+confluent.authorizer.group.provider=RBAC
+listener.name.tokene.ssl.truststore.password=confluent
+confluent.metadata.server.ssl.truststore.location=/etc/kafka/secrets/mds.truststore.jks
+listener.name.token.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
+listener.name.external.ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+confluent.metadata.server.ssl.key.password=confluent
+listener.name.external.ssl.keystore.password=confluent
+offsets.topic.replication.factor=1
+listener.name.external.ssl.truststore.password=confluent
+ldap.com.sun.jndi.ldap.read.timeout=3000
+listener.name.internal.security.protocol=SSL
+listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL,TOKEN:SASL_SSL,TOKENE:SASL_SSL
+listener.name.external.ssl.key.password=confluent
+listener.name.token.ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+log.dirs=/var/lib/kafka/data
+listener.name.tokene.ssl.truststore.location=/etc/kafka/secrets/thusnelda.truststore.jks
+listeners=INTERNAL://0.0.0.0:9093,EXTERNAL://0.0.0.0:9092,TOKEN://0.0.0.0:9094,TOKENE://0.0.0.0:9095
+confluent.metadata.server.token.auth.enable=true
+ldap.java.naming.security.credentials=GoodNewsEveryone
+listener.name.token.ssl.key.password=confluent
+ldap.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
+listener.name.token.ssl.keystore.password=confluent
+confluent.metadata.server.openapi.enable=true
+confluent.license.topic.replication.factor=1
+listener.name.tokene.sasl.enabled.mechanisms=OAUTHBEARER
+listener.name.token.ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+ssl.cipher.suites=TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+-%}
+
+confluent.metrics.reporter.ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+confluent.metrics.reporter.topic.replicas=1
+confluent.metrics.reporter.ssl.keystore.password=confluent
+confluent.metrics.reporter.ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+confluent.metrics.reporter.ssl.truststore.password=confluent
+confluent.metrics.reporter.ssl.key.password=confluent
+confluent.metrics.reporter.bootstrap.servers=localhost:9093
+confluent.metrics.reporter.security.protocol=SSL
diff --git a/docker/rbac-tls/kafka/log4j.properties b/docker/rbac-tls/kafka/log4j.properties
new file mode 100644
index 000000000..13fb80ec2
--- /dev/null
+++ b/docker/rbac-tls/kafka/log4j.properties
@@ -0,0 +1,16 @@
+
+log4j.rootLogger=DEBUG, stdout
+
+log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+log4j.appender.stdout.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+
+log4j.logger.kafka.authorizer.logger=DEBUG
+log4j.logger.kafka.log.LogCleaner=INFO
+log4j.logger.kafka.producer.async.DefaultEventHandler=DEBUG
+log4j.logger.kafka.controller=INFO
+log4j.logger.kafka.network.RequestChannel$=WARN
+log4j.logger.kafka.request.logger=WARN
+log4j.logger.state.change.logger=TRACE
+log4j.logger.kafka=INFO
diff --git a/docker/rbac-tls/kafka/professor.properties b/docker/rbac-tls/kafka/professor.properties
new file mode 100644
index 000000000..4b7cd2a21
--- /dev/null
+++ b/docker/rbac-tls/kafka/professor.properties
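Review bot: The line `-%}` right after `ssl.cipher.suites=…` near the end of kafka.properties is a leftover Jinja2 block terminator, not a broker setting; `java.util.Properties` will read it as a key named `-%}` with an empty value, so nothing fails, but it points to this file having been captured from the image's template-generated output rather than authored, and it should be deleted. Because the compose file mounts `./kafka/:/etc/kafka/` into the broker, this file and the `KAFKA_*` environment block are two copies of the same configuration — including `super.users=User:admin;User:kafka;User:professor;User:ANONYMOUS` and the `listener.name.external.ssl.principal.mapping.rules` rule that maps every CN to `kafka` — and they will drift; a comment at the top stating which one the container actually reads (I suspect the env block, via the image's startup template) would help, or one copy should go. `ldap.java.naming.security.credentials=GoodNewsEveryone` is the bind password of the bundled `rroemhild/test-openldap` image in clear text, which is fine for that fixture but deserves a `# demo-only bind credential for rroemhild/test-openldap` comment so it is not carried into a real deployment.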
@@ -0,0 +1,10 @@
+sasl.mechanism=OAUTHBEARER
+security.protocol=SASL_SSL
+sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
+sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required username="professor" password="professor" metadataServerUrls="https://localhost:8090";
+
+
+ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+ssl.truststore.password=confluent
+ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+ssl.keystore.password=confluent
diff --git a/docker/rbac-tls/kafka/thusnelda.properties b/docker/rbac-tls/kafka/thusnelda.properties
new file mode 100644
index 000000000..8a94a9d65
--- /dev/null
+++ b/docker/rbac-tls/kafka/thusnelda.properties
@@ -0,0 +1,9 @@
+sasl.mechanism=OAUTHBEARER
+security.protocol=SASL_SSL
+sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
+sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required username="professor" password="professor" metadataServerUrls="https://localhost:8090";
+
+ssl.truststore.location=/etc/kafka/secrets/thusnelda.truststore.jks
+ssl.truststore.password=confluent
+ssl.keystore.location=/etc/kafka/secrets/thusnelda.keystore.jks
+ssl.keystore.password=confluent
diff --git a/docker/rbac-tls/kafka/tools-log4j.properties b/docker/rbac-tls/kafka/tools-log4j.properties
new file mode 100644
index 000000000..a4b57e06d
--- /dev/null
+++ b/docker/rbac-tls/kafka/tools-log4j.properties
@@ -0,0 +1,7 @@
+
+log4j.rootLogger=WARN, stderr
+
+log4j.appender.stderr=org.apache.log4j.ConsoleAppender
+log4j.appender.stderr.layout=org.apache.log4j.PatternLayout
+log4j.appender.stderr.layout.ConversionPattern=[%d] %p %m (%c)%n
+log4j.appender.stderr.Target=System.err
\ No newline at end of file
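Review bot: thusnelda.properties authenticates as the wrong identity: its `sasl.jaas.config` line still carries `username="professor" password="professor"`, copied from professor.properties, so a client using this file presents thusnelda's keystore but obtains professor's token from MDS, and any role bindings you set up for thusnelda are never exercised. Change that line to `sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required username="thusnelda" password="thusnelda" metadataServerUrls="https://localhost:8090";` (substituting whatever thusnelda's actual LDAP credentials are). Both client files also embed the SASL password and the keystore/truststore passwords in clear text; a leading comment such as `# demo credentials only - never reuse outside this compose stack` would keep them from being copied into a real deployment.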
diff --git a/docker/rbac-tls/scripts/read-als-kafka.sh b/docker/rbac-tls/scripts/read-als-kafka.sh
new file mode 100644
index 000000000..7540fef1b
--- /dev/null
+++ b/docker/rbac-tls/scripts/read-als-kafka.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+docker-compose exec broker kafka-console-consumer --bootstrap-server broker:9092 \
+ --topic test \
+ --consumer.config /etc/kafka/client.properties --from-beginning
diff --git a/docker/rbac-tls/scripts/read-als-professor.sh b/docker/rbac-tls/scripts/read-als-professor.sh
new file mode 100644
index 000000000..62fe59dbf
--- /dev/null
+++ b/docker/rbac-tls/scripts/read-als-professor.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+docker-compose exec broker kafka-console-consumer --bootstrap-server broker:9094 \
+ --topic test \
+ --consumer.config /etc/kafka/professor.properties --from-beginning
diff --git a/docker/rbac-tls/scripts/read-als-thusnelda.sh b/docker/rbac-tls/scripts/read-als-thusnelda.sh
new file mode 100644
index 000000000..dba2863ae
--- /dev/null
+++ b/docker/rbac-tls/scripts/read-als-thusnelda.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+docker-compose exec broker kafka-console-consumer --bootstrap-server thusnelda:9095 \
+ --topic test \
+ --consumer.config /etc/kafka/thusnelda.properties --from-beginning
diff --git a/docker/rbac-tls/scripts/write-als-kafka.sh b/docker/rbac-tls/scripts/write-als-kafka.sh
new file mode 100644
index 000000000..8489659c1
--- /dev/null
+++ b/docker/rbac-tls/scripts/write-als-kafka.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+docker-compose exec broker kafka-console-producer --broker-list broker:9092 \
+ --topic test \
+ --producer.config /etc/kafka/client.properties
diff --git a/docker/rbac-tls/scripts/write-als-professor.sh b/docker/rbac-tls/scripts/write-als-professor.sh
new file mode 100644
index 000000000..18552be81
--- /dev/null
+++ b/docker/rbac-tls/scripts/write-als-professor.sh
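Review bot: write-als-kafka.sh passes `--broker-list broker:9092` while the three consumer wrappers next to it use `--bootstrap-server`; `--broker-list` is the deprecated spelling for kafka-console-producer in current Kafka releases and the two forms should agree, so use `docker-compose exec broker kafka-console-producer --bootstrap-server broker:9092 \`. Note also that read-als-thusnelda.sh bootstraps from `thusnelda:9095` whereas the professor script uses `broker:9094`; if that alias is intentional (it presumably has to match a SAN in the certificate behind the thusnelda truststore), a one-line comment in the script saying so would stop the next reader from "fixing" it back to `broker`.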
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+docker-compose exec broker kafka-console-producer --broker-list broker:9094 \
+ --topic test \
+ --producer.config /etc/kafka/professor.properties
diff --git a/docker/rbac-tls/scripts/write-als-thusnelda.sh b/docker/rbac-tls/scripts/write-als-thusnelda.sh
new file mode 100644
index 000000000..9c1a6b817
--- /dev/null
+++ b/docker/rbac-tls/scripts/write-als-thusnelda.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+docker-compose exec broker kafka-console-producer --broker-list thusnelda:9095 \
+ --topic test-thusnelda \
+ --producer.config /etc/kafka/thusnelda.properties
diff --git a/docker/rbac-tls/show-kafka-id.sh b/docker/rbac-tls/show-kafka-id.sh
new file mode 100644
index 000000000..5d86de617
--- /dev/null
+++ b/docker/rbac-tls/show-kafka-id.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+################################## GET KAFKA CLUSTER ID ########################
+ZK_CONTAINER=zookeeper
+ZK_PORT=2181
+echo "Retrieving Kafka cluster id from docker-container '$ZK_CONTAINER' port '$ZK_PORT'"
+KAFKA_CLUSTER_ID=$(docker exec -it $ZK_CONTAINER zookeeper-shell localhost:$ZK_PORT get /cluster/id 2> /dev/null | grep \"version\" | jq -r .id)
+if [ -z "$KAFKA_CLUSTER_ID" ]; then
+ echo "Failed to retrieve kafka cluster id from zookeeper"
+ exit 1
+fi
+
+echo $KAFKA_CLUSTER_ID
diff --git a/docker/rbac-tls/start.sh b/docker/rbac-tls/start.sh
new file mode 100755
index 000000000..b61b97060
--- /dev/null
+++ b/docker/rbac-tls/start.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+docker-compose up -d broker
diff --git a/docker/rbac-tls/streams/docker-compose.yaml b/docker/rbac-tls/streams/docker-compose.yaml
new file mode 100644
index 000000000..957104914
--- /dev/null
+++ b/docker/rbac-tls/streams/docker-compose.yaml
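Review bot: show-kafka-id.sh captures the output of `docker exec -it ...` into `KAFKA_CLUSTER_ID`; the `-t` flag allocates a pseudo-TTY, which makes the command fail outright whenever the script runs without a terminal (CI, cron, another script) and, when it does run, can leave a trailing carriage return in the captured value. Drop both flags for non-interactive capture and quote the variables: `KAFKA_CLUSTER_ID=$(docker exec "$ZK_CONTAINER" zookeeper-shell localhost:"$ZK_PORT" get /cluster/id 2> /dev/null | grep '"version"' | jq -r .id)`. The closing `echo $KAFKA_CLUSTER_ID` should be `echo "$KAFKA_CLUSTER_ID"` for the same reason. `2> /dev/null` also hides why a lookup failed (container not running, auth error, `jq` missing), so consider only suppressing stderr once the happy path is confirmed, or printing it when the id comes back empty.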
@@ -0,0 +1,22 @@
+version: '3'
+services:
+
+ zookeeper:
+ image: confluentinc/cp-zookeeper:5.3.0
+ hostname: zookeeper
+ container_name: zookeeper
+ ports:
+ - "2181:2181"
+ environment:
+ ZOOKEEPER_CLIENT_PORT: 2181
+ ZOOKEEPER_TICK_TIME: 2000
+
+ kafka:
+ build: kafka/
+ container_name: kafka
+ depends_on:
+ - zookeeper
+ ports:
+ - "9093:9093"
+ - "29093:29093"
+ command: ["kafka-server-start", "/etc/kafka/server.properties"]
diff --git a/docker/rbac-tls/streams/kafka/Dockerfile b/docker/rbac-tls/streams/kafka/Dockerfile
new file mode 100644
index 000000000..b3115c9b3
--- /dev/null
+++ b/docker/rbac-tls/streams/kafka/Dockerfile
@@ -0,0 +1,22 @@
+FROM centos
+MAINTAINER seknop@gmail.com
+ENV container docker
+
+# 1. Adding Confluent repository
+RUN rpm --import https://packages.confluent.io/rpm/5.3/archive.key
+COPY confluent.repo /etc/yum.repos.d/confluent.repo
+RUN yum clean all
+
+# 2. Install zookeeper and kafka
+RUN yum install -y java-1.8.0-openjdk
+RUN yum install -y confluent-kafka-2.12
+RUN yum install -y confluent-security
+
+
+# 3. Configure Kafka and zookeeper for Kerberos
+COPY server.properties /etc/kafka/server.properties
+
+
+EXPOSE 9093
+
+CMD kafka-server-start /etc/kafka/server.properties
diff --git a/docker/rbac-tls/streams/kafka/confluent.repo b/docker/rbac-tls/streams/kafka/confluent.repo
new file mode 100644
index 000000000..6fccc712b
--- /dev/null
+++ b/docker/rbac-tls/streams/kafka/confluent.repo
@@ -0,0 +1,13 @@
+[Confluent.dist]
+name=Confluent repository (dist)
+baseurl=https://packages.confluent.io/rpm/5.3/7
+gpgcheck=1
+gpgkey=https://packages.confluent.io/rpm/5.3/archive.key
+enabled=1
+
+[Confluent]
+name=Confluent repository
+baseurl=https://packages.confluent.io/rpm/5.3
+gpgcheck=1
+gpgkey=https://packages.confluent.io/rpm/5.3/archive.key
+enabled=1
diff --git a/docker/rbac-tls/streams/kafka/log4j.properties b/docker/rbac-tls/streams/kafka/log4j.properties
new file mode 100644
index 000000000..d6cf8ff0f
--- /dev/null
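Review bot: the compose file publishes ZooKeeper's client port on the host (`- "2181:2181"`) with no ZooKeeper authentication configured anywhere in this change, and the broker's `29093` plaintext listener alongside it; anything that can reach the host can then read and rewrite cluster metadata directly, and where the broker uses SimpleAclAuthorizer its ACLs are stored in ZooKeeper and can be edited there without ever talking to the broker. If only the broker needs ZooKeeper, delete the `ports:` entry on the zookeeper service and let the containers use the compose network; if host access is genuinely needed, bind it to loopback: `- "127.0.0.1:2181:2181"`. The zookeeper service is pinned to `confluentinc/cp-zookeeper:5.3.0` while the kafka service is built from the sibling Dockerfile, so the two are only kept in step by hand; a comment naming the Confluent series this directory targets would help.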
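Review bot: `FROM centos` pulls an unpinned, floating base image, so the build is not reproducible and the `yum` steps will break as soon as the tag moves or that release's repositories are retired; pin a specific release tag and, ideally, a digest. `CMD kafka-server-start /etc/kafka/server.properties` is the shell form, which makes `/bin/sh` PID 1 and leaves the JVM without the SIGTERM from `docker stop`, so the broker is killed rather than shut down cleanly; use the exec form `CMD ["kafka-server-start", "/etc/kafka/server.properties"]` (the compose file already overrides it that way). `MAINTAINER` is deprecated in favour of `LABEL maintainer="..."`, and the comment `# 3. Configure Kafka and zookeeper for Kerberos` no longer matches the step, which copies a server.properties that configures no Kerberos at all; `# 3. Install broker configuration` is closer.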
+++ b/docker/rbac-tls/streams/kafka/log4j.properties 
@@ -0,0 +1,102 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Unspecified loggers and loggers with additivity=true output to server.log and stdout
+# Note that INFO only applies to unspecified loggers, the log level of the child logger is used otherwise
+# Sven is here!
+log4j.rootLogger=INFO, stdout, kafkaAppender
+
+log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+log4j.appender.stdout.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+log4j.appender.kafkaAppender=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.kafkaAppender.DatePattern='.'yyyy-MM-dd-HH
+log4j.appender.kafkaAppender.File=${kafka.logs.dir}/server.log
+log4j.appender.kafkaAppender.layout=org.apache.log4j.PatternLayout
+log4j.appender.kafkaAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+log4j.appender.stateChangeAppender=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.stateChangeAppender.DatePattern='.'yyyy-MM-dd-HH
+log4j.appender.stateChangeAppender.File=${kafka.logs.dir}/state-change.log
+log4j.appender.stateChangeAppender.layout=org.apache.log4j.PatternLayout
+log4j.appender.stateChangeAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+log4j.appender.requestAppender=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.requestAppender.DatePattern='.'yyyy-MM-dd-HH
+log4j.appender.requestAppender.File=${kafka.logs.dir}/kafka-request.log
+log4j.appender.requestAppender.layout=org.apache.log4j.PatternLayout
+log4j.appender.requestAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+log4j.appender.cleanerAppender=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.cleanerAppender.DatePattern='.'yyyy-MM-dd-HH
+log4j.appender.cleanerAppender.File=${kafka.logs.dir}/log-cleaner.log
+log4j.appender.cleanerAppender.layout=org.apache.log4j.PatternLayout
+log4j.appender.cleanerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+log4j.appender.controllerAppender=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.controllerAppender.DatePattern='.'yyyy-MM-dd-HH
+log4j.appender.controllerAppender.File=${kafka.logs.dir}/controller.log
+log4j.appender.controllerAppender.layout=org.apache.log4j.PatternLayout
+log4j.appender.controllerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+log4j.appender.authorizerAppender=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.authorizerAppender.DatePattern='.'yyyy-MM-dd-HH
+log4j.appender.authorizerAppender.File=${kafka.logs.dir}/kafka-authorizer.log
+log4j.appender.authorizerAppender.layout=org.apache.log4j.PatternLayout
+log4j.appender.authorizerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+log4j.appender.ldapAppender=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.ldapAppender.DatePattern='.'yyyy-MM-dd-HH
+log4j.appender.ldapAppender.File=${kafka.logs.dir}/kafka-ldap.log
+log4j.appender.ldapAppender.layout=org.apache.log4j.PatternLayout
+log4j.appender.ldapAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+# Change the two lines below to adjust ZK client logging
+log4j.logger.org.I0Itec.zkclient.ZkClient=INFO
+log4j.logger.org.apache.zookeeper=INFO
+
+# Change the two lines below to adjust the general broker logging level (output to server.log and stdout)
+log4j.logger.kafka=INFO
+log4j.logger.org.apache.kafka=INFO
+
+# Change to DEBUG or TRACE to enable request logging
+log4j.logger.kafka.request.logger=WARN, requestAppender
+log4j.additivity.kafka.request.logger=false
+
+# Uncomment the lines below and change log4j.logger.kafka.network.RequestChannel$ to TRACE for additional output
+# related to the handling of requests
+#log4j.logger.kafka.network.Processor=TRACE, requestAppender
+#log4j.logger.kafka.server.KafkaApis=TRACE, requestAppender
+#log4j.additivity.kafka.server.KafkaApis=false
+log4j.logger.kafka.network.RequestChannel$=WARN, requestAppender
+log4j.additivity.kafka.network.RequestChannel$=false
+
+log4j.logger.kafka.controller=TRACE, controllerAppender
+log4j.additivity.kafka.controller=false
+
+log4j.logger.kafka.log.LogCleaner=INFO, cleanerAppender
+log4j.additivity.kafka.log.LogCleaner=false
+
+log4j.logger.state.change.logger=TRACE, stateChangeAppender
+log4j.additivity.state.change.logger=false
+
+# Access denials are logged at INFO level, change to DEBUG to also log allowed accesses
+log4j.logger.kafka.authorizer.logger=DEBUG, authorizerAppender
+log4j.additivity.kafka.authorizer.logger=false
+
+# Experimental, add logging for LDAP
+log4j.logger.io.confluent.kafka.security.ldap.authorizer.LdapGroupManager=TRACE, ldapAppender
+
diff --git a/docker/rbac-tls/streams/kafka/server-with-ssl.properties b/docker/rbac-tls/streams/kafka/server-with-ssl.properties
new file mode 100644
index 000000000..369837415
--- /dev/null
+++ b/docker/rbac-tls/streams/kafka/server-with-ssl.properties
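Review bot: the LDAP logger added at the end of the file, `log4j.logger.io.confluent.kafka.security.ldap.authorizer.LdapGroupManager=TRACE, ldapAppender`, is the only named logger here without a matching `additivity=false`, so its TRACE output goes to kafka-ldap.log and also propagates to the root appenders, i.e. server.log and container stdout. TRACE from the group manager presumably includes search bases, filters and member DNs, which is not something you want duplicated into the general broker log; add `log4j.additivity.io.confluent.kafka.security.ldap.authorizer.LdapGroupManager=false` next to it. The placeholder `# Sven is here!` in the header should be removed, and note that `log4j.logger.kafka.authorizer.logger=DEBUG` records every allowed request as well as denials (the comment above it says so), so kafka-authorizer.log will grow quickly on a busy broker.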
@@ -0,0 +1,218 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# see kafka.server.KafkaConfig for additional details and defaults + +############################# Server Basics ############################# + +# The id of the broker. This must be set to a unique integer for each broker. +broker.id=0 + +############################# Socket Server Settings ############################# + +# The address the socket server listens on. It will get the value returned from +# java.net.InetAddress.getCanonicalHostName() if not configured. +# FORMAT: +# listeners = listener_name://host_name:port +# EXAMPLE: +# listeners = PLAINTEXT://your.host.name:9092 +listeners=SASL_PLAINTEXT://kafka:9093 + +# Hostname and port the broker will advertise to producers and consumers. If not set, +# it uses the value for "listeners" if configured. Otherwise, it will use the value +# returned from java.net.InetAddress.getCanonicalHostName(). +advertised.listeners=SASL_PLAINTEXT://kafka:9093 + +# Maps listener names to security protocols, the default is for them to be the same. 
See the config documentation for more details +#listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL + +security.inter.broker.protocol=SASL_PLAINTEXT + +# The number of threads that the server uses for receiving requests from the network and sending responses to the network +num.network.threads=3 + +# The number of threads that the server uses for processing requests, which may include disk I/O +num.io.threads=8 + +# The send buffer (SO_SNDBUF) used by the socket server +socket.send.buffer.bytes=102400 + +# The receive buffer (SO_RCVBUF) used by the socket server +socket.receive.buffer.bytes=102400 + +# The maximum size of a request that the socket server will accept (protection against OOM) +socket.request.max.bytes=104857600 + + +############################# Log Basics ############################# + +# A comma separated list of directories under which to store log files +log.dirs=/var/lib/kafka + +# The default number of log partitions per topic. More partitions allow greater +# parallelism for consumption, but this will also result in more files across +# the brokers. +num.partitions=1 + +# The number of threads per data directory to be used for log recovery at startup and flushing at shutdown. +# This value is recommended to be increased for installations with data dirs located in RAID array. +num.recovery.threads.per.data.dir=1 + +############################# Internal Topic Settings ############################# +# The replication factor for the group metadata internal topics "__consumer_offsets" and "__transaction_state" +# For anything other than development testing, a value greater than 1 is recommended for to ensure availability such as 3. 
+offsets.topic.replication.factor=1 +transaction.state.log.replication.factor=1 +transaction.state.log.min.isr=1 + +############################# Log Flush Policy ############################# + +# Messages are immediately written to the filesystem but by default we only fsync() to sync +# the OS cache lazily. The following configurations control the flush of data to disk. +# There are a few important trade-offs here: +# 1. Durability: Unflushed data may be lost if you are not using replication. +# 2. Latency: Very large flush intervals may lead to latency spikes when the flush does occur as there will be a lot of data to flush. +# 3. Throughput: The flush is generally the most expensive operation, and a small flush interval may lead to excessive seeks. +# The settings below allow one to configure the flush policy to flush data after a period of time or +# every N messages (or both). This can be done globally and overridden on a per-topic basis. + +# The number of messages to accept before forcing a flush of data to disk +#log.flush.interval.messages=10000 + +# The maximum amount of time a message can sit in a log before we force a flush +#log.flush.interval.ms=1000 + +############################# Log Retention Policy ############################# + +# The following configurations control the disposal of log segments. The policy can +# be set to delete segments after a period of time, or after a given size has accumulated. +# A segment will be deleted whenever *either* of these criteria are met. Deletion always happens +# from the end of the log. + +# The minimum age of a log file to be eligible for deletion due to age +log.retention.hours=168 + +# A size-based retention policy for logs. Segments are pruned from the log unless the remaining +# segments drop below log.retention.bytes. Functions independently of log.retention.hours. +#log.retention.bytes=1073741824 + +# The maximum size of a log segment file. 
When this size is reached a new log segment will be created. +log.segment.bytes=1073741824 + +# The interval at which log segments are checked to see if they can be deleted according +# to the retention policies +log.retention.check.interval.ms=300000 + +############################# Zookeeper ############################# + +# Zookeeper connection string (see zookeeper docs for details). +# This is a comma separated host:port pairs, each corresponding to a zk +# server. e.g. "127.0.0.1:3000,127.0.0.1:3001,127.0.0.1:3002". +# You can also append an optional chroot string to the urls to specify the +# root directory for all kafka znodes. +zookeeper.connect=zookeeper:2181 + +# Timeout in ms for connecting to zookeeper +zookeeper.connection.timeout.ms=6000 + +##################### Confluent Metrics Reporter ####################### +# Confluent Control Center and Confluent Auto Data Balancer integration +# +# Uncomment the following lines to publish monitoring data for +# Confluent Control Center and Confluent Auto Data Balancer +# If you are using a dedicated metrics cluster, also adjust the settings +# to point to your metrics kakfa cluster. +#metric.reporters=io.confluent.metrics.reporter.ConfluentMetricsReporter +#confluent.metrics.reporter.bootstrap.servers=localhost:9092 +# +# Uncomment the following line if the metrics cluster has a single broker +#confluent.metrics.reporter.topic.replicas=1 + +##################### Confluent Proactive Support ###################### +# If set to true, and confluent-support-metrics package is installed +# then the feature to collect and report support metrics +# ("Metrics") is enabled. If set to false, the feature is disabled. +# +confluent.support.metrics.enable=false + + +# The customer ID under which support metrics will be collected and +# reported. +# +# When the customer ID is set to "anonymous" (the default), then only a +# reduced set of metrics is being collected and reported. 
+# +# Confluent customers +# ------------------- +# If you are a Confluent customer, then you should replace the default +# value with your actual Confluent customer ID. Doing so will ensure +# that additional support metrics will be collected and reported. +# +confluent.support.customer.id=anonymous + +############################# Group Coordinator Settings ############################# + +# The following configuration specifies the time, in milliseconds, that the GroupCoordinator will delay the initial consumer rebalance. +# The rebalance will be further delayed by the value of group.initial.rebalance.delay.ms as new members join the group, up to a maximum of max.poll.interval.ms. +# The default value for this is 3 seconds. +# We override this to 0 here as it makes for a better out-of-the-box experience for development and testing. +# However, in production environments the default value of 3 seconds is more suitable as this will help to avoid unnecessary, and potentially expensive, rebalances during application startup. +group.initial.rebalance.delay.ms=0 + + +# SASL Configuration +sasl.enabled.mechanisms=SCRAM-SHA-256 +sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256 +security.inter.broker.protocol=SASL_PLAINTEXT +allow.everyone.if.no.acl.found=false +super.users=User:kafka +authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer + +# Configure authorizer +authorizer.class.name=io.confluent.kafka.security.ldap.authorizer.LdapAuthorizer +# LDAP provider URL +ldap.authorizer.java.naming.provider.url=ldaps://ldap:636/DC=CONFLUENT,DC=IO +# Refresh interval for LDAP cache. If set to zero, persistent search is used. 
+ldap.authorizer.refresh.interval.ms=60000 + +# Lets see if we can connect with TLS to our LDAP server +ldap.authorizer.java.naming.security.principal=cn=admin,dc=confluent,dc=io +ldap.authorizer.java.naming.security.credentials=admin + +ldap.authorizer.java.naming.security.protocol=SSL +ldap.authorizer.ssl.keystore.location=/etc/kafka/jks/ldap.keystore.jks +ldap.authorizer.ssl.keystore.password=confluent + +ldap.authorizer.ssl.truststore.location=/etc/kafka/jks/ldap.truststore.jks +ldap.authorizer.ssl.truststore.password=confluent + +# Search base for group-based search +#ldap.authorizer.group.search.base=ou=groups,dc=confluent,dc=io + +# Remember that LDAP works in a context. The search base is ou=groups,dc=confluent,dc=io +# But since my URL is ldap://ldap:389/DC=CONFLUENT,DC=IO, we are already working in the dc=confluent,dc=io context +ldap.authorizer.group.search.base=ou=groups + +# Object class for groups +ldap.authorizer.group.object.class=posixGroup +ldap.authorizer.group.search.scope=2 +# Name of the attribute from which group name used in ACLs is obtained +ldap.authorizer.group.name.attribute=cn +# Regex pattern to obtain group name used in ACLs from the attribute `ldap.authorizer.group.name.attribute` +ldap.authorizer.group.name.attribute.pattern= +# Name of the attribute from which group members (user principals) are obtained +ldap.authorizer.group.member.attribute=memberUid +# Regex pattern to obtain user principal from group member attribute +ldap.authorizer.group.member.attribute.pattern=cn=(.*),ou=users,dc=confluent,dc=io diff --git a/docker/rbac-tls/streams/kafka/server.properties b/docker/rbac-tls/streams/kafka/server.properties new file mode 100644 index 000000000..2ee5193ae --- /dev/null +++ b/docker/rbac-tls/streams/kafka/server.properties 
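Review bot: `authorizer.class.name` is set twice in the SASL section of server-with-ssl.properties, first to `kafka.security.auth.SimpleAclAuthorizer` and a few lines later to `io.confluent.kafka.security.ldap.authorizer.LdapAuthorizer`; only the last value in a properties file takes effect, so the first line is dead and misleads a reader into thinking the plain ACL authorizer is active - delete it. Despite the file name, the broker listener is `SASL_PLAINTEXT://kafka:9093` with SCRAM-SHA-256: SCRAM protects the password itself, but every record and every handshake still crosses the network unencrypted and only the LDAP leg (`ldaps://ldap:636`) is TLS, so either switch the listener to `SASL_SSL` or add a top-of-file comment stating that the Kafka side is deliberately plaintext. The authorizer binds to the directory as `cn=admin,dc=confluent,dc=io` with the password `admin` in clear text; a dedicated read-only bind account is the usual recommendation even for a demo. The comment above `group.search.base` still quotes `ldap://ldap:389` although the configured URL is `ldaps://ldap:636`.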
@@ -0,0 +1,182 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# see kafka.server.KafkaConfig for additional details and defaults + +############################# Server Basics ############################# + +# The id of the broker. This must be set to a unique integer for each broker. +broker.id=0 + +############################# Socket Server Settings ############################# + +# The address the socket server listens on. It will get the value returned from +# java.net.InetAddress.getCanonicalHostName() if not configured. +# FORMAT: +# listeners = listener_name://host_name:port +# EXAMPLE: +# listeners = PLAINTEXT://your.host.name:9092 +listeners=PLAINTEXT://kafka:9093,LOCAL_PLAINTEXT://:29093 + +# Hostname and port the broker will advertise to producers and consumers. If not set, +# it uses the value for "listeners" if configured. Otherwise, it will use the value +# returned from java.net.InetAddress.getCanonicalHostName(). +advertised.listeners=PLAINTEXT://kafka:9093,LOCAL_PLAINTEXT://localhost:29093 + +# Maps listener names to security protocols, the default is for them to be the same. 
See the config documentation for more details +#listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL +listener.security.protocol.map=LOCAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT + +security.inter.broker.protocol=PLAINTEXT + +# The number of threads that the server uses for receiving requests from the network and sending responses to the network +num.network.threads=3 + +# The number of threads that the server uses for processing requests, which may include disk I/O +num.io.threads=8 + +# The send buffer (SO_SNDBUF) used by the socket server +socket.send.buffer.bytes=102400 + +# The receive buffer (SO_RCVBUF) used by the socket server +socket.receive.buffer.bytes=102400 + +# The maximum size of a request that the socket server will accept (protection against OOM) +socket.request.max.bytes=104857600 + + +############################# Log Basics ############################# + +# A comma separated list of directories under which to store log files +log.dirs=/var/lib/kafka + +# The default number of log partitions per topic. More partitions allow greater +# parallelism for consumption, but this will also result in more files across +# the brokers. +num.partitions=1 + +# The number of threads per data directory to be used for log recovery at startup and flushing at shutdown. +# This value is recommended to be increased for installations with data dirs located in RAID array. +num.recovery.threads.per.data.dir=1 + +############################# Internal Topic Settings ############################# +# The replication factor for the group metadata internal topics "__consumer_offsets" and "__transaction_state" +# For anything other than development testing, a value greater than 1 is recommended for to ensure availability such as 3. 
+offsets.topic.replication.factor=1 +transaction.state.log.replication.factor=1 +transaction.state.log.min.isr=1 + +############################# Log Flush Policy ############################# + +# Messages are immediately written to the filesystem but by default we only fsync() to sync +# the OS cache lazily. The following configurations control the flush of data to disk. +# There are a few important trade-offs here: +# 1. Durability: Unflushed data may be lost if you are not using replication. +# 2. Latency: Very large flush intervals may lead to latency spikes when the flush does occur as there will be a lot of data to flush. +# 3. Throughput: The flush is generally the most expensive operation, and a small flush interval may lead to excessive seeks. +# The settings below allow one to configure the flush policy to flush data after a period of time or +# every N messages (or both). This can be done globally and overridden on a per-topic basis. + +# The number of messages to accept before forcing a flush of data to disk +#log.flush.interval.messages=10000 + +# The maximum amount of time a message can sit in a log before we force a flush +#log.flush.interval.ms=1000 + +############################# Log Retention Policy ############################# + +# The following configurations control the disposal of log segments. The policy can +# be set to delete segments after a period of time, or after a given size has accumulated. +# A segment will be deleted whenever *either* of these criteria are met. Deletion always happens +# from the end of the log. + +# The minimum age of a log file to be eligible for deletion due to age +log.retention.hours=168 + +# A size-based retention policy for logs. Segments are pruned from the log unless the remaining +# segments drop below log.retention.bytes. Functions independently of log.retention.hours. +#log.retention.bytes=1073741824 + +# The maximum size of a log segment file. 
When this size is reached a new log segment will be created. +log.segment.bytes=1073741824 + +# The interval at which log segments are checked to see if they can be deleted according +# to the retention policies +log.retention.check.interval.ms=300000 + +############################# Zookeeper ############################# + +# Zookeeper connection string (see zookeeper docs for details). +# This is a comma separated host:port pairs, each corresponding to a zk +# server. e.g. "127.0.0.1:3000,127.0.0.1:3001,127.0.0.1:3002". +# You can also append an optional chroot string to the urls to specify the +# root directory for all kafka znodes. +zookeeper.connect=zookeeper:2181 + +# Timeout in ms for connecting to zookeeper +zookeeper.connection.timeout.ms=6000 + +##################### Confluent Metrics Reporter ####################### +# Confluent Control Center and Confluent Auto Data Balancer integration +# +# Uncomment the following lines to publish monitoring data for +# Confluent Control Center and Confluent Auto Data Balancer +# If you are using a dedicated metrics cluster, also adjust the settings +# to point to your metrics kakfa cluster. +#metric.reporters=io.confluent.metrics.reporter.ConfluentMetricsReporter +#confluent.metrics.reporter.bootstrap.servers=localhost:9092 +# +# Uncomment the following line if the metrics cluster has a single broker +#confluent.metrics.reporter.topic.replicas=1 + +##################### Confluent Proactive Support ###################### +# If set to true, and confluent-support-metrics package is installed +# then the feature to collect and report support metrics +# ("Metrics") is enabled. If set to false, the feature is disabled. +# +confluent.support.metrics.enable=false + + +# The customer ID under which support metrics will be collected and +# reported. +# +# When the customer ID is set to "anonymous" (the default), then only a +# reduced set of metrics is being collected and reported. 
+# +# Confluent customers +# ------------------- +# If you are a Confluent customer, then you should replace the default +# value with your actual Confluent customer ID. Doing so will ensure +# that additional support metrics will be collected and reported. +# +confluent.support.customer.id=anonymous + +############################# Group Coordinator Settings ############################# + +# The following configuration specifies the time, in milliseconds, that the GroupCoordinator will delay the initial consumer rebalance. +# The rebalance will be further delayed by the value of group.initial.rebalance.delay.ms as new members join the group, up to a maximum of max.poll.interval.ms. +# The default value for this is 3 seconds. +# We override this to 0 here as it makes for a better out-of-the-box experience for development and testing. +# However, in production environments the default value of 3 seconds is more suitable as this will help to avoid unnecessary, and potentially expensive, rebalances during application startup. +group.initial.rebalance.delay.ms=0 + + +# SASL Configuration +#sasl.enabled.mechanisms=SCRAM-SHA-256 +#sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256 +#security.inter.broker.protocol=SASL_PLAINTEXT +#allow.everyone.if.no.acl.found=false +#super.users=User:kafka +authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer diff --git a/docker/rbac-tls/streams/scripts/.gitignore b/docker/rbac-tls/streams/scripts/.gitignore new file mode 100644 index 000000000..34d510852 --- /dev/null +++ b/docker/rbac-tls/streams/scripts/.gitignore @@ -0,0 +1,9 @@ +*.crt +*.csr +*_creds +*.jks +*.srl +*.key +*.pem +*.der +*.p12 diff --git a/docker/rbac-tls/streams/scripts/certs-create.sh b/docker/rbac-tls/streams/scripts/certs-create.sh new file mode 100755 index 000000000..1035968d3 --- /dev/null +++ b/docker/rbac-tls/streams/scripts/certs-create.sh 
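Review bot: `authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer` is left active at the bottom of server.properties while both listeners are PLAINTEXT and every SASL line above it is commented out, so each connection - clients on `29093` and the controller's own inter-broker requests on `PLAINTEXT://kafka:9093` - arrives as `User:ANONYMOUS`; with `allow.everyone.if.no.acl.found` and `super.users` also commented out (defaults: false and empty) those requests are denied unless someone grants ACLs to ANONYMOUS, which makes the authorizer pure denial noise rather than protection. Either drop the authorizer line from this plaintext profile, or re-enable the SASL block so that principals are real and `super.users=User:kafka` covers the broker's own traffic. A comment above the line saying which of the two this profile is meant to be, e.g. `# plaintext dev profile: no authentication, so the authorizer below only makes sense with SASL re-enabled`, would prevent the next reader from shipping it as is.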
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+#set -o nounset \
+# -o errexit \
+# -o verbose \
+# -o xtrace
+
+# Cleanup files
+rm -f *.crt *.csr *_creds *.jks *.srl *.key *.pem *.der *.p12
+
+# Generate CA key
+openssl req -new -x509 -keyout snakeoil-ca-1.key -out snakeoil-ca-1.crt -days 365 -subj '/CN=ca1.test.confluent.io/OU=TEST/O=CONFLUENT/L=PaloAlto/S=Ca/C=US' -passin pass:confluent -passout pass:confluent
+
+for i in kafka ldap
+do
+ echo "------------------------------- $i -------------------------------"
+
+ # Create host keystore
+ keytool -genkey -noprompt \
+ -alias $i \
+ -dname "CN=$i,OU=TEST,O=CONFLUENT,L=PaloAlto,S=Ca,C=US" \
+ -ext "SAN=dns:$i,dns:localhost" \
+ -keystore kafka.$i.keystore.jks \
+ -keyalg RSA \
+ -storepass confluent \
+ -keypass confluent
+
+ # Create the certificate signing request (CSR)
+ keytool -keystore kafka.$i.keystore.jks -alias $i -certreq -file $i.csr -storepass confluent -keypass confluent -ext "SAN=dns:$i,dns:localhost"
+ #openssl req -in $i.csr -text -noout
+
+ # Sign the host certificate with the certificate authority (CA)
+ openssl x509 -req -CA snakeoil-ca-1.crt -CAkey snakeoil-ca-1.key -in $i.csr -out $i-ca1-signed.crt -days 9999 -CAcreateserial -passin pass:confluent -extensions v3_req -extfile <(cat < ${i}_sslkey_creds
+ echo "confluent" > ${i}_keystore_creds
+ echo "confluent" > ${i}_truststore_creds
+
+ # Create pem files and keys used for Schema Registry HTTPS testing
+ # openssl x509 -noout -modulus -in client.certificate.pem | openssl md5
+ # openssl rsa -noout -modulus -in client.key | openssl md5
+ # echo "GET /" | openssl s_client -connect localhost:8085/subjects -cert client.certificate.pem -key client.key -tls1
+ keytool -export -alias $i -file $i.der -keystore kafka.$i.keystore.jks -storepass confluent
+ openssl x509 -inform der -in $i.der -out $i.certificate.pem
+ keytool -importkeystore -srckeystore kafka.$i.keystore.jks -destkeystore $i.keystore.p12 -deststoretype PKCS12 -deststorepass confluent -srcstorepass confluent -noprompt
+ openssl pkcs12 -in $i.keystore.p12 -nodes -nocerts -out $i.key -passin pass:confluent
+
+done
diff --git a/docker/rbac-tls/streams/up b/docker/rbac-tls/streams/up
new file mode 100755
index 000000000..e591bc804
--- /dev/null
+++ b/docker/rbac-tls/streams/up
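Review bot: The `set -o nounset`/`-o errexit` block at the top is commented out, so a failing `openssl` or `keytool` step inside the loop (wrong passphrase, missing `snakeoil-ca-1.key`) is silently skipped and the remaining steps run against an incomplete keystore; `set -o errexit -o nounset -o pipefail` placed before the cleanup line makes the script stop at the first failed command. The `rm -f *.crt *.csr *_creds *.jks ...` cleanup acts on whatever directory the script is invoked from rather than on the scripts directory, so a `cd "$(dirname "$0")"` ahead of it keeps the deletion scoped. The host certificates are signed with `-days 9999` while the CA they chain to is issued for 365 days, so the chain stops validating when the CA expires even though the leaf still looks valid; giving both the same lifetime avoids that surprise. The heredoc supplied to `-extfile` appears garbled in this view, so its extension content is not reviewed here.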
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+usage() { echo "Usage: $0 [--ssl] " 1>&2; exit 1; }
+
+ssl=0
+while getopts ":s-:" opt; do
+ case $opt in
+ -)
+ case "${OPTARG}" in
+ ssl)
+ ssl=1
+ ;;
+ *)
+ usage
+ exit 1
+ ;;
+ esac;;
+ *)
+ usage
+ exit 1
+ ;;
+ esac
+done
+
+## Select to run with security or not
+
+DOCKER_COMPOSE_FILE="$PWD/docker-compose.yaml"
+
+if [ $ssl -eq 1 ]; then
+ echo "Running with SSL enabled between the brokers and the LDAP server"
+ # Generate the certificates
+ cd scripts
+ ./certs-create.sh
+
+ ## Copy the necessary broker JKS stores
+ cp kafka.kafka.keystore.jks ../kafka/jks/ldap.keystore.jks
+ cp kafka.kafka.truststore.jks ../kafka/jks/ldap.truststore.jks
+
+ ## copy the LDAP server certificates
+ cp ldap-ca1-signed.crt ../ldap/certs/my-ldap.crt
+ cp ldap.key ../ldap/certs/my-ldap.key
+ cp snakeoil-ca-1.crt ../ldap/certs/my-ca.crt
+ cd ..
+ DOCKER_COMPOSE_FILE="$PWD/docker-compose-with-ssl.yaml"
+fi
+
+## start docker-compose up to and including kafka
+docker-compose -f $DOCKER_COMPOSE_FILE up -d --build kafka
+
+# Creating the users
+# kafka is configured as a super user
+docker-compose exec kafka kafka-configs --zookeeper zookeeper:2181 --alter --add-config 'SCRAM-SHA-256=[password=kafka],SCRAM-SHA-512=[password=kafka]' --entity-type users --entity-name kafka
+docker-compose exec kafka kafka-configs --zookeeper zookeeper:2181 --alter --add-config 'SCRAM-SHA-256=[password=alice-secret],SCRAM-SHA-512=[password=alice-secret]' --entity-type users --entity-name alice
+docker-compose exec kafka kafka-configs --zookeeper zookeeper:2181 --alter --add-config 'SCRAM-SHA-256=[password=barnie-secret],SCRAM-SHA-512=[password=barnie-secret]' --entity-type users --entity-name barnie
+docker-compose exec kafka kafka-configs --zookeeper zookeeper:2181 --alter --add-config 'SCRAM-SHA-256=[password=charlie-secret],SCRAM-SHA-512=[password=charlie-secret]' --entity-type users --entity-name charlie
+
+docker-compose up -d
+
+echo "Example configuration:"
+echo "Should succeed (barnie is in group)"
+echo "-> docker-compose exec kafka kafka-console-producer --broker-list kafka:9093 --topic test-topic --producer.config=/etc/kafka/barnie.properties"
+echo "Should fail (charlie is NOT in group)"
+echo "-> docker-compose exec kafka kafka-console-producer --broker-list kafka:9093 --topic test-topic --producer.config=/etc/kafka/charlie.properties"
+echo "Should succeed (alice is in group)"
+echo "-> docker-compose exec kafka kafka-console-consumer --bootstrap-server kafka:9093 --consumer.config /etc/kafka/alice.properties --topic test-topic --from-beginning"
+echo "List ACLs"
+echo "-> docker-compose exec kafka kafka-acls --bootstrap-server kafka:9093 --list --command-config /etc/kafka/kafka.properties"
diff --git a/docker/tls/.gitignore b/docker/tls/.gitignore
index b2290143a..93786be76 100644
--- a/docker/tls/.gitignore
+++ b/docker/tls/.gitignore
@@ -1 +1 @@
-certs
+../rbac-sasl/certs
diff --git a/example/jks/client.keystore.jks b/example/jks/client.keystore.jks
new file mode 100644
index 000000000..6e70b0c3b
Binary files /dev/null and b/example/jks/client.keystore.jks differ
diff --git a/example/jks/client.truststore.jks b/example/jks/client.truststore.jks
new file mode 100644
index 000000000..89bb13651
Binary files /dev/null and b/example/jks/client.truststore.jks differ
diff --git a/example/topology-builder-rbac-oauth.properties b/example/topology-builder-rbac-oauth.properties
new file mode 100644
index 000000000..eddf784d8
--- /dev/null
+++ b/example/topology-builder-rbac-oauth.properties
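Review bot: Nothing in the `--ssl` branch checks that `./certs-create.sh` or the following `cp` commands succeeded, and `#!/bin/sh` runs with no `set -e`, so after a failed certificate run the script still moves on to `docker-compose-with-ssl.yaml` with whatever happens to be left in `../kafka/jks/` and `../ldap/certs/`; `set -eu` under the shebang, or `./certs-create.sh || exit 1`, makes the failure stop the bring-up. `$DOCKER_COMPOSE_FILE` is built from `$PWD` but expanded unquoted in `docker-compose -f $DOCKER_COMPOSE_FILE`, so a checkout path containing a space splits the argument; use `-f "$DOCKER_COMPOSE_FILE"`. The four `kafka-configs --zookeeper` calls run straight after `up -d --build kafka` with no readiness check, so they presumably fail when ZooKeeper is still starting; a small retry loop before provisioning would make the user setup deterministic. The SCRAM passwords for `kafka`, `alice`, `barnie` and `charlie` are fixed in the script; a `# demo-only credentials` comment above them would stop them being carried into a non-demo setup.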
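Review bot: The replacement pattern `../rbac-sasl/certs` cannot match anything, because a `.gitignore` is evaluated relative to its own directory and a pattern cannot reach a parent, so this file now ignores nothing under `docker/rbac-sasl/certs` and, with the old `certs` line removed, no longer ignores `docker/tls/certs` either. If the intent is to keep generated certificates and keys out of the repository, keep `certs` here and add `certs/` to a `docker/rbac-sasl/.gitignore` (or `docker/rbac-sasl/certs/` to the top-level one). Ignore rules do not affect files that are already tracked; any private key that has already been committed needs `git rm --cached` as well and should be treated as disclosed and regenerated.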
@@ -0,0 +1,19 @@
+topology.builder.access.control.class = com.purbon.kafka.topology.roles.RBACProvider
+topology.builder.mds.server = https://localhost:8090
+topology.builder.mds.user = professor
+topology.builder.mds.password = professor
+topology.builder.mds.kafka.cluster.id = 1hhVhHb9TsSRZPxSBupKjw
+
+topology.builder.mds.schema.registry.cluster.id = schema-registry-cluster
+topology.builder.mds.kafka.connect.cluster.id = connect-cluster
+
+#ssl.endpoint.identification.algorithm=
+
+security.protocol=SASL_SSL
+ssl.truststore.location=example/jks/client.truststore.jks
+ssl.truststore.password=confluent
+ssl.keystore.location=example/jks/client.keystore.jks
+ssl.keystore.password=confluent
+sasl.mechanism=OAUTHBEARER
+sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
+sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required username="professor" password="professor" metadataServerUrls="https://localhost:8090";
\ No newline at end of file
diff --git a/example/topology-builder-rbac-tls.properties b/example/topology-builder-rbac-tls.properties
new file mode 100644
index 000000000..d55e19101
--- /dev/null
+++ b/example/topology-builder-rbac-tls.properties
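Review bot: The MDS password appears twice in clear text, in `topology.builder.mds.password` and again inside `sasl.jaas.config`, and the same value is repeated in `topology-builder-rbac-tls.properties` in the next hunk; since an example file is what people copy, a comment such as `# demo credentials for the local docker setup; supply real values from an untracked file` above the MDS block would keep them from propagating. `ssl.truststore.location` and `ssl.keystore.location` are relative paths (`example/jks/...`), so this file only resolves when the tool is started from the repository root, while the tls variant uses the absolute `/example/jks/...`; the two files should agree, and the relative form with a note on the expected working directory is the more portable. Leaving `#ssl.endpoint.identification.algorithm=` commented keeps the Kafka client's default hostname verification on, which is the right setting here; a short comment saying that is deliberate would prevent someone from "fixing" it to match the tls file.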
@@ -0,0 +1,17 @@
+topology.builder.access.control.class = com.purbon.kafka.topology.roles.RBACProvider
+topology.builder.mds.server = https://localhost:8090
+topology.builder.mds.user = professor
+topology.builder.mds.password = professor
+topology.builder.mds.kafka.cluster.id = 1hhVhHb9TsSRZPxSBupKjw
+
+topology.builder.mds.schema.registry.cluster.id = schema-registry-cluster
+topology.builder.mds.kafka.connect.cluster.id = connect-cluster
+
+security.protocol=SSL
+#ssl.truststore.location=/Users/pere/work/gitops/kafka-topology-builder/example/jks/client.truststore.jks
+ssl.truststore.location=/example/jks/client.truststore.jks
+ssl.truststore.password=confluent
+#ssl.keystore.location=/Users/pere/work/gitops/kafka-topology-builder/example/jks/client.keystore.jks
+ssl.keystore.location=/example/jks/client.keystore.jks
+ssl.keystore.password=confluent
+ssl.endpoint.identification.algorithm=
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 55002e9cd..04dda20d3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -423,7 +423,6 @@ 2.22.2 2.12.1 - 2.7.0 2.13.3 3.5.7 1.4
@@ -497,12 +496,12 @@ org.apache.kafka kafka-clients - ${kafka.version} + ${confluent-ce.version} org.apache.kafka kafka-streams - ${kafka.version} + ${confluent-ce.version} test
diff --git a/src/test/java/com/purbon/kafka/topology/integration/RBACPRoviderRbacIT.java b/src/test/java/com/purbon/kafka/topology/integration/RBACPRoviderRbacIT.java
index 4ca4fccaa..0de130056 100644
--- a/src/test/java/com/purbon/kafka/topology/integration/RBACPRoviderRbacIT.java
+++ b/src/test/java/com/purbon/kafka/topology/integration/RBACPRoviderRbacIT.java
@@ -313,6 +313,7 @@ public void testRoleDeleteFlow() throws IOException { Properties props = new Properties(); props.put(TOPOLOGY_STATE_FROM_CLUSTER, true); props.put(ALLOW_DELETE_TOPICS, true); + props.put(ALLOW_DELETE_BINDINGS, true); HashMap cliOps = new HashMap<>(); cliOps.put(BROKERS_OPTION, "");
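Review bot: `ssl.endpoint.identification.algorithm=` with an empty value switches off hostname verification for the Kafka client, so any certificate chaining to the CA in the truststore is accepted for any host; for a local demo against self-signed material that may be intended, but it should say so, e.g. `# hostname verification disabled for the local demo only; do not carry into a real cluster`, and the oauth variant in the previous hunk keeps the same key commented, so the two examples currently disagree. `ssl.truststore.location=/example/jks/client.truststore.jks` and the matching keystore line point at an absolute path under the filesystem root, which is unlikely to exist outside a container that mounts the repository there, and the commented `/Users/pere/...` lines above them look like leftovers of a developer path; using `example/jks/...` relative to the repository root as the oauth file does, and dropping the commented lines, would make the example usable as checked in.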