Teradata Access Module for Kafka can be used to export data from, and to import data to, a Kerberized Kafka cluster.
Example – Using AccessModuleKafka on Unix platforms to interact with a Kerberized Kafka cluster
- Add the Zookeeper server, Kafka server, and Kafka client machine to the Kerberos domain.
- Add ZOOKEEPER_HOST, KAFKA_HOST, and CLIENT_HOST as both hosts and AD users. Add root, or any user common to these machines, as an AD user.
- Add the SPNs for the Zookeeper server, the Kafka server, and the Kafka client.
    setspn -S zookeeper/${ZOOKEEPER_HOST_FQDN}@${REALM} ${ZOOKEEPER_HOST}
    setspn -S kafka/${KAFKA_HOST_FQDN}@${REALM} ${KAFKA_HOST}
    setspn -S ${CLIENT_NAME}/${CLIENT_HOST_FQDN}@${REALM} ${CLIENT_HOST}
- Generate the keytab files.
    ktpass -princ zookeeper/${ZOOKEEPER_HOST_FQDN}@${REALM} -mapuser ${ZOOKEEPER_HOST} -pass ${PASSWORD} -mapOp set -ptype KRB5_NT_PRINCIPAL -out zookeeper.keytab
    ktpass -princ kafka/${KAFKA_HOST_FQDN}@${REALM} -mapuser ${KAFKA_HOST} -pass ${PASSWORD} -mapOp set -ptype KRB5_NT_PRINCIPAL -out kafkaserver.keytab
    ktpass -princ ${CLIENT_NAME}/${CLIENT_HOST_FQDN}@${REALM} -mapuser ${CLIENT_HOST} -pass ${PASSWORD} -mapOp set -ptype KRB5_NT_PRINCIPAL -out ${CLIENT_HOST}.keytab
Where:
- REALM – Kerberos realm
- CLIENT_NAME – Client name. For example, "kafkaclient"
- ZOOKEEPER_HOST – Name of the machine where the Zookeeper server runs
- KAFKA_HOST – Name of the machine where the Kafka server runs
- CLIENT_HOST – Client hostname; where the client application runs
- ZOOKEEPER_HOST_FQDN – Fully qualified domain name of the Zookeeper server
- KAFKA_HOST_FQDN – Fully qualified domain name of the Kafka server
- CLIENT_HOST_FQDN – Fully qualified domain name of the client
- Do the following:
  - Copy the keytab files to the corresponding machines at /etc/security/keytabs.
  - Update the zookeeper keytab file location in the zookeeper_server_jaas.conf file.
  - Update the kafkaserver keytab file location in the kafka_server_jaas.conf file.
  - Start the Zookeeper and Kafka servers.
- Include the following parameters in the initialization string:
  - -B HOST@REALM:<<portno>>
  - -X security.protocol=SASL_PLAINTEXT
  - -X sasl.kerberos.keytab=/etc/security/keytabs/${CLIENT_HOST}.keytab
  - -X sasl.kerberos.principal=${CLIENT_NAME}/${CLIENT_HOST_FQDN}
Example producer job:
    AccessModuleInitStr = '-M P -T <<topic-name>> -B HOST@REALM:<<portno>> -P 0 -X security.protocol=SASL_PLAINTEXT -X sasl.kerberos.keytab=/etc/security/keytabs/CLIENT_HOST.keytab -X sasl.kerberos.principal=CLIENT_NAME/CLIENT_HOST_FQDN'
Example consumer job:
    AccessModuleInitStr = '-M C -T <<topic-name>> -B HOST@REALM:<<portno>> -P 0 -X security.protocol=SASL_PLAINTEXT -X sasl.kerberos.keytab=/etc/security/keytabs/CLIENT_HOST.keytab -X sasl.kerberos.principal=CLIENT_NAME/CLIENT_HOST_FQDN'
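The client-side parameters above can be checked before a job is run. The script below is an added example, not Teradata code: it lints an AccessModuleInitStr value for an unencrypted security.protocol, a missing or misspelled principal key, and a keytab file that is accessible beyond its owner. The function name, finding labels, topic, port, host names and temporary keytab file are constructed for the illustration.

```sh
#!/bin/sh
# Added example: lint an AccessModuleInitStr value before running a job.
# Prints one finding per line; no output means nothing was flagged.
lint_init_str() {
    init_str=$1
    protocol=""; keytab=""; principal=""
    set -f; set -- $init_str; set +f      # split on whitespace, no globbing
    while [ $# -gt 0 ]; do
        if [ "$1" = "-X" ] && [ $# -ge 2 ]; then
            key=${2%%=*}; val=${2#*=}
            case $key in
                security.protocol)       protocol=$val ;;
                sasl.kerberos.keytab)    keytab=$val ;;
                sasl.kerberos.principal) principal=$val ;;
                sasl.kerberos.principle) echo "MISSPELLED_KEY $key (expected sasl.kerberos.principal)" ;;
            esac
            shift
        fi
        shift
    done
    if [ "$protocol" = "SASL_PLAINTEXT" ]; then
        echo "NO_TLS SASL_PLAINTEXT authenticates with Kerberos but sends data unencrypted"
    fi
    if [ -z "$principal" ]; then
        echo "NO_PRINCIPAL sasl.kerberos.principal is not set"
    fi
    if [ -n "$keytab" ]; then
        if [ ! -f "$keytab" ]; then
            echo "KEYTAB_MISSING $keytab"
        else
            # Characters 5-10 of the ls mode string are the group/other bits.
            go_bits=$(ls -ld -- "$keytab" | cut -c5-10)
            if [ "$go_bits" != "------" ]; then
                echo "KEYTAB_PERMS $keytab is accessible beyond its owner ($go_bits)"
            fi
        fi
    fi
    return 0
}

# Constructed sample run: a throwaway file stands in for the client keytab.
demo_dir=$(mktemp -d)
: > "$demo_dir/client.keytab"; chmod 644 "$demo_dir/client.keytab"
lint_init_str "-M P -T demo-topic -B HOST@REALM:9092 -P 0 \
-X security.protocol=SASL_PLAINTEXT \
-X sasl.kerberos.keytab=$demo_dir/client.keytab \
-X sasl.kerberos.principal=kafkaclient/client.example.com"
rm -rf "$demo_dir"
```

The sample run reports NO_TLS and KEYTAB_PERMS; after chmod 600 on the keytab, only NO_TLS remains.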
Example – Using AccessModuleKafka on Windows platforms to interact with a Kerberized Kafka cluster
- Add the Zookeeper server, Kafka server, and Kafka client machine to the Kerberos domain.
- Create the AD users for the Zookeeper and Kafka servers (that is, "zookeeper" and "kafka").
- Add the SPNs for the Zookeeper and Kafka servers.
    SETSPN -S zookeeper/HOST@REALM DOMAIN\<<AD Zookeeper Username>>
    SETSPN -S zookeeper/HOST_FQDN@REALM DOMAIN\<<AD Zookeeper Username>>
    SETSPN -S kafka/HOST@REALM DOMAIN\<<AD Kafka Username>>
    SETSPN -S kafka/HOST_FQDN@REALM DOMAIN\<<AD Kafka Username>>
- Generate the keytab files.
    ktpass -princ zookeeper/HOST@REALM -mapuser DOMAIN\<<AD Zookeeper Username>> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass ${PASSWORD} -out C:\keytabs\zookeeper.keytab
    ktpass -princ zookeeper/HOST_FQDN@REALM -mapuser DOMAIN\<<AD Zookeeper Username>> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass ${PASSWORD} -in C:\keytabs\zookeeper.ktab -out C:\keytabs\zookeeper.keytab
    ktpass -princ kafka/HOST@REALM -mapuser DOMAIN\<<AD Kafka Username>> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass ${PASSWORD} -out C:\keytabs\kafka.keytab
    ktpass -princ kafka/HOST_FQDN@REALM -mapuser DOMAIN\<<AD Kafka Username>> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass ${PASSWORD} -in C:\keytabs\kafka.ktab -out C:\keytabs\kafka.keytab
- Do the following:
  - Copy the keytab files to the corresponding machines.
  - Update the Zookeeper keytab file location in the zookeeper_server_jaas.conf file.
  - Update the kafkaserver keytab file location in the kafka_server_jaas.conf file.
  - Start the Zookeeper and Kafka servers.
- Include the following parameters in the initialization string:
  - -B HOST@REALM:<<portno>>
  - -X security.protocol=SASL_PLAINTEXT
  - -X sasl.kerberos.principal=kafka/HOST_FQDN@REALM
  - -X sasl.kerberos.service.name=kafka
Example producer job:
    AccessModuleInitStr = '-M P -T <<topic-name>> -B HOST@REALM:<<portno>> -P 0 -X security.protocol=SASL_PLAINTEXT -X sasl.kerberos.service.name=kafka -X sasl.kerberos.principal=kafka/HOST_FQDN@REALM'
Example consumer job:
    AccessModuleInitStr = '-M C -T <<topic-name>> -B HOST@REALM:<<portno>> -P 0 -X security.protocol=SASL_PLAINTEXT -X sasl.kerberos.service.name=kafka -X sasl.kerberos.principal=kafka/HOST_FQDN@REALM'