Kerberos Support - Access Module

Teradata® Tools and Utilities Access Module Reference

Product
Access Module
Release Number
17.10
Published
October 2021
Language
English (United States)
Last Update
2021-11-02
Product Category
Teradata Tools and Utilities

Teradata Access Module for Kafka can be used to export data from, and to import data to, a Kerberized Kafka cluster.

Example – Using AccessModuleKafka on Unix platforms to interact with a Kerberized Kafka cluster

  1. Add the Zookeeper server, Kafka server, and Kafka client machine to the Kerberos domain.
  2. Add ZOOKEEPER_HOST, KAFKA_HOST, and CLIENT_HOST both as hosts and as AD users.

    Also add root, or any common user present on the above machines, as an AD user.

  3. Add the SPNs for the Zookeeper server, the Kafka server, and the Kafka client.
    setspn -S zookeeper/${ZOOKEEPER_HOST_FQDN}@${REALM} ${ZOOKEEPER_HOST}
    setspn -S kafka/${KAFKA_HOST_FQDN}@${REALM} ${KAFKA_HOST}
    setspn -S ${CLIENT_NAME}/${CLIENT_HOST_FQDN}@${REALM} ${CLIENT_HOST}
  4. Generate the keytab files.
    ktpass -princ zookeeper/${ZOOKEEPER_HOST_FQDN}@${REALM} -mapuser ${ZOOKEEPER_HOST} -pass ${PASSWORD} -mapOp set -ptype KRB5_NT_PRINCIPAL -out zookeeper.keytab

    ktpass -princ kafka/${KAFKA_HOST_FQDN}@${REALM} -mapuser ${KAFKA_HOST} -pass ${PASSWORD} -mapOp set -ptype KRB5_NT_PRINCIPAL -out kafkaserver.keytab

    ktpass -princ ${CLIENT_NAME}/${CLIENT_HOST_FQDN}@${REALM} -mapuser ${CLIENT_HOST} -pass ${PASSWORD} -mapOp set -ptype KRB5_NT_PRINCIPAL -out ${CLIENT_HOST}.keytab
    Where:
    • REALM – Kerberos realm
    • CLIENT_NAME – Client name. For example, "kafkaclient"
    • ZOOKEEPER_HOST – Name of the machine where the Zookeeper server runs
    • KAFKA_HOST – Name of the machine where the Kafka server runs
    • CLIENT_HOST – Client hostname; where the client application runs
    • ZOOKEEPER_HOST_FQDN – Fully qualified domain name of the Zookeeper server
    • KAFKA_HOST_FQDN – Fully qualified domain name of the Kafka server
    • CLIENT_HOST_FQDN – Fully qualified domain name of the client
  5. Do the following:
    1. Copy the keytab files to the corresponding machines at /etc/security/keytabs.
    2. Update the zookeeper keytab file location in the zookeeper_server_jaas.conf file.
    3. Update the kafkaserver keytab file location in the kafka_server_jaas.conf file.
    4. Start the Zookeeper and Kafka servers.
  6. Include the following parameters in the initialization string:
    • -B HOST@REALM:<<portno>>
    • -X security.protocol=SASL_PLAINTEXT
    • -X sasl.kerberos.keytab=/etc/security/keytabs/${CLIENT_HOST}.keytab
    • -X sasl.kerberos.principal=${CLIENT_NAME}/${CLIENT_HOST_FQDN}
    Example producer job:
    AccessModuleInitStr = '-M P -T <<topic-name>> -B HOST@REALM:<<portno>> -P 0 -X security.protocol=SASL_PLAINTEXT -X sasl.kerberos.keytab=/etc/security/keytabs/CLIENT_HOST.keytab -X sasl.kerberos.principal=CLIENT_NAME/CLIENT_HOST_FQDN'
    Example consumer job:
    AccessModuleInitStr = '-M C -T <<topic-name>> -B HOST@REALM:<<portno>> -P 0 -X security.protocol=SASL_PLAINTEXT -X sasl.kerberos.keytab=/etc/security/keytabs/CLIENT_HOST.keytab -X sasl.kerberos.principal=CLIENT_NAME/CLIENT_HOST_FQDN'

Example – Using AccessModuleKafka on Windows platforms to interact with a Kerberized Kafka cluster

  1. Add the Zookeeper server, Kafka server, and Kafka client machine to the Kerberos domain.
  2. Create the AD users for the Zookeeper and Kafka servers (that is, "zookeeper" and "kafka").
  3. Add the SPNs for the Zookeeper and Kafka servers.
    SETSPN -S zookeeper/HOST@REALM DOMAIN\<<AD Zookeeper Username>>
    SETSPN -S zookeeper/HOST_FQDN@REALM DOMAIN\<<AD Zookeeper Username>>

    SETSPN -S kafka/HOST@REALM DOMAIN\<<AD Kafka Username>>
    SETSPN -S kafka/HOST_FQDN@REALM DOMAIN\<<AD Kafka Username>>
  4. Generate the keytab files.
    ktpass -princ zookeeper/HOST@REALM -mapuser DOMAIN\<<AD Zookeeper Username>> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass ${PASSWORD} -out C:\keytabs\zookeeper.keytab
    ktpass -princ zookeeper/HOST_FQDN@REALM -mapuser DOMAIN\<<AD Zookeeper Username>> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass ${PASSWORD} -in C:\keytabs\zookeeper.ktab -out C:\keytabs\zookeeper.keytab

    ktpass -princ kafka/HOST@REALM -mapuser DOMAIN\<<AD Kafka Username>> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass ${PASSWORD} -out C:\keytabs\kafka.keytab
    ktpass -princ kafka/HOST_FQDN@REALM -mapuser DOMAIN\<<AD Kafka Username>> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass ${PASSWORD} -in C:\keytabs\kafka.ktab -out C:\keytabs\kafka.keytab
  5. Do the following:
    1. Copy the keytab files to the corresponding machines.
    2. Update the Zookeeper keytab file location in the zookeeper_server_jaas.conf file.
    3. Update the kafkaserver keytab file location in the kafka_server_jaas.conf file.
    4. Start the Zookeeper and Kafka servers.
  6. Include the following parameters in the initialization string:
    • -B HOST@REALM:<<portno>>
    • -X security.protocol=SASL_PLAINTEXT
    • -X sasl.kerberos.principal=kafka/HOST_FQDN@REALM
    • -X sasl.kerberos.service.name=kafka
    Example producer job:
    AccessModuleInitStr = '-M P -T <<topic-name>> -B HOST@REALM:<<portno>> -P 0 -X security.protocol=SASL_PLAINTEXT -X sasl.kerberos.service.name=kafka -X sasl.kerberos.principal=kafka/HOST_FQDN@REALM'
    Example consumer job:
    AccessModuleInitStr = '-M C -T <<topic-name>> -B HOST@REALM:<<portno>> -P 0 -X security.protocol=SASL_PLAINTEXT -X sasl.kerberos.service.name=kafka -X sasl.kerberos.principal=kafka/HOST_FQDN@REALM'
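As an added example (not part of this reference and not code from the access module), the following Python checker parses the text inside the AccessModuleInitStr quotes and reports whether the -X properties the Unix and Windows examples above rely on are present before a job is submitted; which properties it treats as required, and the sample strings, are assumptions made here.

```python
import difflib
import shlex

# Property names carried by the Unix and Windows examples in this reference;
# treating them as required is this checker's assumption, not a documented rule.
REQUIRED = {
    "unix": ("security.protocol", "sasl.kerberos.keytab", "sasl.kerberos.principal"),
    "windows": ("security.protocol", "sasl.kerberos.service.name", "sasl.kerberos.principal"),
}
SASL_PROTOCOLS = ("SASL_PLAINTEXT", "SASL_SSL")  # SASL_SSL also encrypts the data stream

def parse_init_str(init_str):
    """Split the text inside AccessModuleInitStr's quotes into flags and -X key=value properties."""
    tokens = shlex.split(init_str)
    flags, props = {}, {}
    i = 0
    while i < len(tokens):
        if i + 1 >= len(tokens) or not tokens[i].startswith("-"):
            raise ValueError(f"unexpected token {tokens[i]!r}")
        if tokens[i] == "-X":
            key, sep, value = tokens[i + 1].partition("=")
            if not sep:
                raise ValueError(f"malformed -X option {tokens[i + 1]!r}")
            props[key] = value
        else:
            flags[tokens[i]] = tokens[i + 1]
        i += 2
    return flags, props

def check_kerberos_init(init_str, platform="unix"):
    """Return the problems found; an empty list means the job string is Kerberos-ready."""
    flags, props = parse_init_str(init_str)
    problems = []
    for key in REQUIRED[platform]:
        if key in props:
            continue
        # A misspelled property name never takes effect; point at the near miss if there is one.
        hint = difflib.get_close_matches(key, props, n=1, cutoff=0.85)
        problems.append(f"missing -X {key}" + (f" (found {hint[0]!r} instead)" if hint else ""))
    if props.get("security.protocol") not in SASL_PROTOCOLS:
        problems.append("security.protocol does not select a SASL listener")
    principal = props.get("sasl.kerberos.principal", "")
    if principal and "/" not in principal:
        problems.append("sasl.kerberos.principal should be service/host or service/host@REALM")
    if ":" not in flags.get("-B", ""):
        problems.append("-B must carry the broker port")
    return problems
```

Run it over the init string of each job definition with the platform it targets; any non-empty result means the job would connect without the Kerberos settings the cluster expects.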