We have a customer who is successfully implementing impersonation on a Kafka topic using a combination of SSL and JAAS. We need to verify these settings internally, but we can state that we know of at least one customer using impersonation successfully in a production setting using these settings:
These should work using either the Kafka Consumer or Kafka Multitopic Consumer:
Configuration Properties:
| Property | Value |
| --- | --- |
| ssl.truststore.location | ${truststorelocation} |
| ssl.truststore.password | ${truststorepassword} |
| sasl.kerberos.service.name | kafka |
| sasl.mechanism | GSSAPI |
| security.protocol | SASL_SSL |
| auto.offset.reset | earliest |
| sasl.jaas.config | com.sun.security.auth.module.Krb5LoginModule required doNotPrompt="true" useKeyTab="true" storeKey="true" useTicketCache="true" servicename="kafka" renewTicket="true" keyTab=${keytab} principal=${principal} client="true"; |
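
One way to sanity-check a property set like this before deploying it is shown below. This is an added example, not part of the original answer or any product's code: `parse_jaas` and `lint` are hypothetical helpers, and the checks they run are an assumed minimum (TLS in use, Kerberos login module matches the mechanism, keytab options complete, service names agree).

```python
import re

# Constructed sample: the values from the table above, placeholders left unresolved.
PAGE_PROPS = {
    "ssl.truststore.location": "${truststorelocation}",
    "ssl.truststore.password": "${truststorepassword}",
    "sasl.kerberos.service.name": "kafka",
    "sasl.mechanism": "GSSAPI",
    "security.protocol": "SASL_SSL",
    "sasl.jaas.config": 'com.sun.security.auth.module.Krb5LoginModule required '
        'doNotPrompt="true" useKeyTab="true" storeKey="true" useTicketCache="true" '
        'servicename="kafka" renewTicket="true" keyTab=${keytab} '
        'principal=${principal} client="true";',
}

def parse_jaas(value):
    """Split '<module> <flag> k=v ...;' into (module, flag, options, terminated)."""
    text = value.strip()
    terminated = text.endswith(";")
    module, flag, rest = (text.rstrip(";").split(None, 2) + ["", "", ""])[:3]
    # Option names are lower-cased so 'servicename' and 'serviceName' compare equal.
    opts = {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    return module, flag, opts, terminated

def lint(props):
    """Return a list of consistency findings (hypothetical helper, not a Kafka API)."""
    findings = []
    module, _flag, opts, terminated = parse_jaas(props.get("sasl.jaas.config", ""))
    if not terminated:
        findings.append("sasl.jaas.config must end with ';'")
    if props.get("security.protocol") != "SASL_SSL":
        findings.append("security.protocol is not SASL_SSL: SASL exchange is not wrapped in TLS")
    if props.get("sasl.mechanism") == "GSSAPI" and not module.endswith("Krb5LoginModule"):
        findings.append("GSSAPI mechanism without a Krb5LoginModule login module")
    if opts.get("usekeytab") == "true":
        for need in ("keytab", "principal"):
            if not opts.get(need):
                findings.append(f"useKeyTab is true but {need} is missing")
    svc = opts.get("servicename")
    if svc and svc != props.get("sasl.kerberos.service.name"):
        findings.append("JAAS service name differs from sasl.kerberos.service.name")
    return findings

if __name__ == "__main__":
    print(lint(PAGE_PROPS) or "no findings")
```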