
Using Fastcapa in a Kerberized Environment

The Fastcapa probe can be used in a Kerberized environment. Follow these additional steps to use Fastcapa with Kerberos. The steps assume the following values; adjust them to fit your environment.

  • The Kafka broker is at kafka1:6667

  • ZooKeeper is at zookeeper1:2181

  • The Kafka security protocol is SASL_PLAINTEXT

  • The keytab used is located at /etc/security/keytabs/metron.headless.keytab

  • The service principal is metron@EXAMPLE.COM

  1. Build Librdkafka with SASL support (--enable-sasl).

    wget  -O - | tar -xz
    cd librdkafka-0.9.4/
    ./configure --prefix=$RDK_PREFIX --enable-sasl
    make install

  2. Validate that Librdkafka supports SASL. Run the following command and ensure that sasl is returned as a built-in feature.

    $ examples/rdkafka_example -X builtin.features
    builtin.features = gzip,snappy,ssl,sasl,regex

    If sasl is not listed, ensure that you have libsasl or libsasl2 installed. On CentOS, install it with the following command.

    yum install -y cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi

  3. Grant access to your Kafka topic. In this example, the Kafka topic is simply named pcap.

    $KAFKA_HOME/bin/ --authorizer \
      --authorizer-properties zookeeper.connect=zookeeper1:2181 \
      --add --allow-principal User:metron --topic pcap

  4. Obtain a Kerberos ticket.

    kinit -kt /etc/security/keytabs/metron.headless.keytab metron@EXAMPLE.COM

  5. Add the following additional configuration values to your Fastcapa configuration file.

    security.protocol = SASL_PLAINTEXT
    sasl.kerberos.keytab = /etc/security/keytabs/metron.headless.keytab
    sasl.kerberos.principal = metron@EXAMPLE.COM

  6. Run Fastcapa as you normally would. It should have no problem landing packets in your Kerberized Kafka broker.
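
A preflight check for steps 2, 4 and 5, run before starting the probe. This is an added example, not part of Fastcapa or Metron; the function names are hypothetical, and it assumes the `key = value` configuration syntax shown in step 5.

```bash
#!/usr/bin/env bash
# Added example, not part of Fastcapa or Metron; function names are hypothetical.

# Step 2: succeed only if "sasl" is listed in a builtin.features line such as
# the output of `examples/rdkafka_example -X builtin.features`.
has_sasl() {
  local feats
  feats=$(printf '%s' "${1#*=}" | tr -d ' \t')
  case ",$feats," in *,sasl,*) return 0 ;; *) return 1 ;; esac
}

# Step 5: print the value of a "key = value" setting (last assignment wins).
conf_get() {   # $1 = config file, $2 = key
  awk -F= -v k="$2" '
    { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
    key == k { v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v); out = v }
    END { print out }' "$1"
}

# Step 5: print every problem with the Kerberos settings in a config file and
# return non-zero if there is at least one.
check_conf() { # $1 = config file
  local proto keytab princ rc=0
  proto=$(conf_get "$1" security.protocol)
  keytab=$(conf_get "$1" sasl.kerberos.keytab)
  princ=$(conf_get "$1" sasl.kerberos.principal)
  # SASL_PLAINTEXT authenticates the client but does not encrypt the traffic.
  case $proto in
    SASL_*|sasl_*) ;;
    *) echo "security.protocol is '$proto', not a SASL protocol"; rc=1 ;;
  esac
  case $princ in
    ?*@?*) ;;
    *) echo "sasl.kerberos.principal '$princ' is not name@REALM"; rc=1 ;;
  esac
  if [ ! -r "$keytab" ]; then
    echo "keytab '$keytab' is missing or unreadable"; rc=1
  elif [ "$(ls -ld "$keytab" | cut -c5-10)" != "------" ]; then
    # A keytab holds long-term keys; any reader can authenticate as the principal.
    echo "keytab '$keytab' is accessible to group or other"; rc=1
  fi
  return $rc
}

# Step 4: klist -s is silent and exits 0 only if the ticket cache is valid.
have_ticket() { klist -s; }
```

Call `check_conf` with the path to your Fastcapa configuration file, pass the output of the step 2 command to `has_sasl`, and run `have_ticket` as the user that will start the probe.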