Using Kafka with LDAP and Open Policy Agent #1205
grosswilerp started this conversation in General
-
It's not possible for now. This is a major rework to handle that case, not really sure it will be possible to handle it (for sure shortly even in long term)
-
Hi @tchiotludo.
I was following this tutorial:
https://github.com/instaclustr/kafka-ldap-integration/blob/master/docs/index.md
And set up everything accordingly.
At last, I was replacing the AclAuthorizer class with the Open Policy Agent since I would like to do authorization with it instead.
authorizer.class.name=org.openpolicyagent.kafka.OpaAuthorizer
This works fine for producers and consumers with their specific JAAS configuration.
Now I wanted to use AKHQ as well, however I noticed that after authenticating with LDAP, it then connects to Kafka with the hardcoded user in the configuration (in this case srvkafkabroker):
That means that Open Policy Agent cannot really do any authorization on a per-user basis since it is always looking up for srvkafkabroker only.
I was wondering if there is a different way to solve this issue, or if I am doing something wrong. Or is there a way that after authenticating in AKHQ via LDAP, that username and password is then also being used to connect to Kafka?
Maybe by replacing some variables in the config dynamically with the logged in user in AKHQ:
sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username="{0}" password="{1}";
Any help or suggestions are welcome.
Here is the link to Open Policy Agent for Kafka Authorization:
https://www.openpolicyagent.org/docs/latest/kafka-authorization/