mTLS, when SASL_SSL is not enough

When passwords are not enough, you can rely on TLS client certificates. But certificates do not carry vcluster information, so let's manually map the certificate CN to a vcluster user.

View the full demo in real time

You can either follow all the steps manually, or watch the recording

Review the docker compose environment

As can be seen from docker-compose.yaml, the demo environment consists of the following services:

  • gateway1
  • gateway2
  • kafka-client
  • kafka1
  • kafka2
  • kafka3
  • schema-registry
  • zookeeper
cat docker-compose.yaml

Generate self-signed SSL certificates

# Remove artifacts from any previous run
rm -f *jks *key *p12 *crt

# Self-signed certificate; the CN is the principal the gateway sees on mTLS connections
openssl req \
-x509 \
-newkey rsa:4096 \
-sha256 \
-days 3560 \
-nodes \
-keyout san.key \
-out san.crt \
-subj '/CN=rJeAuf6zx0WufHQTXhkM4g' \
-extensions san \
-config openssl.config

# Bundle the private key and certificate into a PKCS#12 file
openssl pkcs12 \
-export \
-in san.crt \
-inkey san.key \
-name brokers \
-out san.p12 \
-password "pass:123456"

# Import the PKCS#12 bundle into a JKS keystore (the client's identity)
keytool \
-noprompt \
-alias brokers \
-importkeystore \
-deststorepass 123456 \
-destkeystore keystore.jks \
-srckeystore san.p12 \
-srcstoretype PKCS12 \
-srcstorepass 123456

# Trust the same self-signed certificate (the client's truststore)
keytool \
-noprompt \
-import \
-alias brokers \
-file san.crt \
-keypass 123456 \
-destkeystore truststore.jks \
-storepass 123456

# Client configuration for the gateway: SSL with both truststore and keystore
echo """
bootstrap.servers=localhost:6969
security.protocol=SSL
ssl.truststore.location=$PWD/truststore.jks
ssl.truststore.password=123456
ssl.keystore.location=$PWD/keystore.jks
ssl.keystore.password=123456
""" > client.config

Starting the docker environment

Start all the docker processes in the background and wait until they are up and healthy

  • --wait: Wait for services to be running|healthy. Implies detached mode.
  • --detach: Detached mode: Run containers in the background
docker compose up --detach --wait

Adding user mapping for tom on passthrough

{
"username" : "tom",
"principal" : "CN=rJeAuf6zx0WufHQTXhkM4g"
}
curl \
--request POST 'http://localhost:8888/admin/userMappings/v1/vcluster/passthrough' \
--header 'Content-Type: application/json' \
--user 'admin:conduktor' \
--silent \
--data "@step-06-user-mapping.json" | jq
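The mapping only works if the "principal" string matches the subject the gateway extracts from the client certificate, so deriving it from the certificate is safer than typing it. The following is an added example (not part of the demo) that builds step-06-user-mapping.json from the subject line printed by `openssl x509 -subject`; it assumes the gateway compares the principal against an RFC 2253 style DN string with no spaces around '=', as the "CN=..." value above suggests.

```python
"""Build the Gateway user-mapping payload from the certificate's subject."""
import json
import re
import subprocess
from pathlib import Path


def parse_openssl_subject(line: str) -> list:
    """Parse an `openssl x509 -subject` line such as
    `subject=CN = foo, O = bar` (default) or `subject=CN=foo,O=bar` (RFC2253)
    into (attribute, value) pairs, preserving order."""
    line = line.strip()
    if line.startswith("subject="):
        line = line[len("subject="):]
    pairs = []
    for rdn in re.split(r"(?<!\\),", line):  # split on unescaped commas only
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def principal_from_subject(line: str) -> str:
    """Normalise the subject to the `CN=...` form used in the mapping JSON.
    Assumption: the gateway compares against an RFC 2253 style DN string
    with no spaces around '='."""
    pairs = parse_openssl_subject(line)
    if not any(attr == "CN" for attr, _ in pairs):
        raise ValueError("subject has no CN; refusing to create a mapping")
    return ",".join(f"{attr}={value}" for attr, value in pairs)


def user_mapping(username: str, subject_line: str) -> dict:
    """Payload for POST /admin/userMappings/v1/vcluster/<vcluster>."""
    return {"username": username, "principal": principal_from_subject(subject_line)}


def subject_of(cert_path: Path) -> str:
    """Read the subject from a PEM certificate with the openssl CLI (must be on PATH)."""
    cmd = ["openssl", "x509", "-in", str(cert_path), "-noout", "-subject", "-nameopt", "RFC2253"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Generate step-06-user-mapping.json from san.crt instead of typing the CN by hand
    mapping = user_mapping("tom", subject_of(Path("san.crt")))
    Path("step-06-user-mapping.json").write_text(json.dumps(mapping, indent=2) + "\n")
    print(json.dumps(mapping, indent=2))
```

Run it in the directory holding san.crt, then post the generated file with the curl command above.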

Adding interceptor guard-on-create-topic

Creating the interceptor named guard-on-create-topic of the plugin io.conduktor.gateway.interceptor.safeguard.CreateTopicPolicyPlugin for tom using the following payload

{
"pluginClass" : "io.conduktor.gateway.interceptor.safeguard.CreateTopicPolicyPlugin",
"priority" : 100,
"config" : {
"numPartition" : {
"min" : 1,
"max" : 3
}
}
}

Here's how to send it:

curl \
--request POST "http://localhost:8888/admin/interceptors/v1/vcluster/passthrough/username/tom/interceptor/guard-on-create-topic" \
--header 'Content-Type: application/json' \
--user 'admin:conduktor' \
--silent \
--data @step-07-guard-on-create-topic.json | jq

Creating topic foo on gateway1

Creating on gateway1:

  • Topic foo with partitions:10 and replication-factor:1
kafka-topics \
--bootstrap-server localhost:6969 \
--command-config client.config \
--replication-factor 1 \
--partitions 10 \
--create --if-not-exists \
--topic foo

[!IMPORTANT] We get the following exception

org.apache.kafka.common.errors.PolicyViolationException:
Request parameters do not satisfy the configured policy.
Topic 'foo' with number partitions is '10', must not be greater than 3

Creating topic foo on gateway1

Creating on gateway1:

  • Topic foo with partitions:2 and replication-factor:1
kafka-topics \
--bootstrap-server localhost:6969 \
--command-config client.config \
--replication-factor 1 \
--partitions 2 \
--create --if-not-exists \
--topic foo

Listing topics in gateway1

kafka-topics \
--bootstrap-server localhost:6969 \
--command-config client.config \
--list

Listing topics in kafka1

kafka-topics \
--bootstrap-server localhost:19092,localhost:19093,localhost:19094 \
--list

Tearing down the docker environment

Remove all your docker processes and associated volumes

  • --volumes: Remove named volumes declared in the "volumes" section of the Compose file and anonymous volumes attached to containers.
docker compose down --volumes