Tags: apache-kafka, kafka-topic, strimzi

Want some practical example of how to use KafkaUser


I am using Kafka with the Strimzi operator. I don't know how to use KafkaUser; can anyone please suggest to me where I should learn its practical implementation? I just created a KafkaUser and a KafkaTopic, and now I am totally blank about what to do. This is my KafkaUser yml code:

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  name: my-user
  labels:
    strimzi.io/cluster: my-cluster
spec:
  authentication:
    type: tls
  authorization:
    type: simple
    acls:
      # Example consumer Acls for topic my-topic using consumer group my-group
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operation: Read
        host: "*"
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operation: Describe
        host: "*"
      - resource:
          type: group
          name: my-group
          patternType: literal
        operation: Read
        host: "*"
      # Example Producer Acls for topic my-topic
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operation: Write
        host: "*"
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operation: Create
        host: "*"
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operation: Describe
        host: "*"

and this is my KafkaTopic yml file code:

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaTopic
metadata:
  name: my-topic
  labels:
    strimzi.io/cluster: my-cluster
spec:
  partitions: 1
  replicas: 1
  config:
    retention.ms: 7200000
    segment.bytes: 1073741824

Solution

  • If you enabled TLS authentication on the user, I would expect that in your Kafka custom resource you have authentication enabled as well. When the KafkaUser is created with this authentication type, a corresponding Secret is generated with the user's private key and certificate for mutual TLS authentication with the broker. You have to extract the key and certificate from the Secret and configure your keystore in your client application (it depends on the language you are using; if it's Java you can just extract the keystore directly from the Secret in P12 format with the corresponding password). If it's Java you can refer to the official Kafka doc for setting up the keystore and truststore once extracted from the Secrets: https://kafka.apache.org/documentation/#security_configclients

    Having mutual TLS authentication enabled means that you also have to connect via TLS to the brokers (you have enabled it in the Kafka resource), so you have to extract the certificate from the cluster CA Secret and import it into your truststore. At that point the client will be able to connect and be authenticated, and the ACLs you described will be applied.

    More info is in the official documentation:

    About user authentication https://strimzi.io/docs/operators/master/using.html#con-securing-client-authentication-str

    About clients running on Kubernetes connecting to the cluster https://strimzi.io/docs/operators/master/using.html#configuring-internal-clients-to-trust-cluster-ca-str

    About clients running outside Kubernetes connecting to the cluster https://strimzi.io/docs/operators/master/using.html#configuring-external-clients-to-trust-cluster-ca-str
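The answer above describes the procedure in words: pull the user's key and certificate out of the KafkaUser Secret, pull the CA certificate out of the cluster CA Secret, and turn them into a keystore/truststore configuration for the client. The following script is an added example, not code from the answer, the asker, or the Strimzi project. It takes the two Secrets in the JSON shape that `kubectl get secret <name> -o json` returns and writes the files and a `client.properties`. It assumes the Secret field names Strimzi documents for a TLS-authenticated user (`user.crt`, `user.key`, `user.p12`, `user.password`, plus `ca.crt`) and for the cluster CA Secret `<cluster>-cluster-ca-cert` (`ca.crt`, `ca.p12`, `ca.password`); the bootstrap address `my-cluster-kafka-bootstrap:9093` is an assumption about the listener name and port. The certificate and key bodies embedded below are constructed placeholders, not real material. One caveat worth checking in your own output: the `ca.crt` inside the user Secret is the clients CA that signed the user certificate, which is what the broker trusts; the truststore your client needs is built from the cluster CA Secret, because that is what signs the broker certificates.

```python
import base64
import os
import tempfile
from pathlib import Path


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed sample Secrets, shaped like `kubectl get secret <name> -o json`.
# Bodies are placeholders, not real keys or certificates.
USER_SECRET = {  # kubectl get secret my-user -o json
    "metadata": {"name": "my-user"},
    "data": {
        "ca.crt": _b64(b"-----BEGIN CERTIFICATE-----\nCLIENTS-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "user.crt": _b64(b"-----BEGIN CERTIFICATE-----\nUSER-CERT-PLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "user.key": _b64(b"-----BEGIN PRIVATE KEY-----\nUSER-KEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n"),
        "user.p12": _b64(b"\x30\x82USER-P12-PLACEHOLDER"),
        "user.password": _b64(b"u5er-st0re-pw"),
    },
}
CLUSTER_CA_SECRET = {  # kubectl get secret my-cluster-cluster-ca-cert -o json
    "metadata": {"name": "my-cluster-cluster-ca-cert"},
    "data": {
        "ca.crt": _b64(b"-----BEGIN CERTIFICATE-----\nCLUSTER-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "ca.p12": _b64(b"\x30\x82CLUSTER-CA-P12-PLACEHOLDER"),
        "ca.password": _b64(b"c1uster-trust-pw"),
    },
}

TLS_USER_KEYS = {"user.crt", "user.key", "user.p12", "user.password"}
CLUSTER_CA_KEYS = {"ca.crt", "ca.p12", "ca.password"}


def decode_secret(secret: dict) -> dict:
    """Base64-decode every entry of a Kubernetes Secret's .data map."""
    return {k: base64.b64decode(v) for k, v in secret.get("data", {}).items()}


def is_tls_user_secret(secret: dict) -> bool:
    """True only for a KafkaUser Secret produced with authentication.type: tls."""
    return TLS_USER_KEYS <= decode_secret(secret).keys()


def _write_private(path: Path, content: bytes) -> None:
    """Write key material with mode 0600 so other local users cannot read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(content)


def extract_materials(user_secret: dict, ca_secret: dict, out_dir: str) -> dict:
    """Dump the user keystore and cluster CA truststore to out_dir; return paths and passwords."""
    user, ca = decode_secret(user_secret), decode_secret(ca_secret)
    if not TLS_USER_KEYS <= user.keys():
        # A scram-sha-512 user Secret carries a 'password' field instead, so mTLS cannot be set up from it.
        raise ValueError(f"{user_secret['metadata']['name']}: not a tls-authenticated KafkaUser Secret, "
                         f"missing {sorted(TLS_USER_KEYS - user.keys())}")
    if not CLUSTER_CA_KEYS <= ca.keys():
        raise ValueError(f"{ca_secret['metadata']['name']}: not a cluster CA certificate Secret")
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    files = {}
    for name in ("user.crt", "user.key", "user.p12"):  # private: key and keystore
        _write_private(out / name, user[name])
        files[name] = str(out / name)
    for name in ("ca.crt", "ca.p12"):  # public: CA certificate and truststore
        (out / name).write_bytes(ca[name])
        files[name] = str(out / name)
    return {
        "files": files,
        "keystore_password": user["user.password"].decode(),
        "truststore_password": ca["ca.password"].decode(),
    }


def java_client_properties(m: dict, bootstrap: str) -> dict:
    """Java client: PKCS#12 keystore from the user Secret, truststore from the cluster CA Secret."""
    return {
        "bootstrap.servers": bootstrap,
        "security.protocol": "SSL",
        "ssl.keystore.type": "PKCS12",
        "ssl.keystore.location": m["files"]["user.p12"],
        "ssl.keystore.password": m["keystore_password"],
        "ssl.truststore.type": "PKCS12",
        "ssl.truststore.location": m["files"]["ca.p12"],
        "ssl.truststore.password": m["truststore_password"],
    }


def librdkafka_client_config(m: dict, bootstrap: str) -> dict:
    """librdkafka-based clients (confluent-kafka for Python, Go, .NET) take the PEM files instead."""
    return {
        "bootstrap.servers": bootstrap,
        "security.protocol": "ssl",
        "ssl.ca.location": m["files"]["ca.crt"],
        "ssl.certificate.location": m["files"]["user.crt"],
        "ssl.key.location": m["files"]["user.key"],
    }


def render_properties(props: dict) -> str:
    return "".join(f"{k}={v}\n" for k, v in props.items())


def demo(out_dir=None) -> dict:
    """Run the whole flow on the constructed Secrets and return the generated client configs."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="kafka-creds-")
    m = extract_materials(USER_SECRET, CLUSTER_CA_SECRET, out_dir)
    bootstrap = "my-cluster-kafka-bootstrap:9093"  # assumed in-cluster TLS listener
    java = java_client_properties(m, bootstrap)
    (Path(out_dir) / "client.properties").write_text(render_properties(java))
    return {"materials": m, "java": java, "librdkafka": librdkafka_client_config(m, bootstrap)}


if __name__ == "__main__":
    print(render_properties(demo()["java"]))
```

Against a live cluster, replace the two constructed dicts with `json.load` of `kubectl get secret my-user -o json` and `kubectl get secret my-cluster-cluster-ca-cert -o json`; the generated `client.properties` is what `kafka-console-consumer.sh --consumer.config` or a `KafkaProducer(Properties)` expects. When the KafkaUser was created with a different `authentication.type`, `extract_materials` refuses rather than silently producing a config that cannot authenticate.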