Hi there, when multi-authentication is enabled on an MSK cluster, authorization depends on which of those access control methods a client is using to access the MSK cluster.
Let's take the above example where both IAM and SASL/SCRAM are enabled, and say 'client A' is accessing the MSK cluster via IAM auth and 'client B' is accessing the cluster via SASL/SCRAM. You can still invoke Apache Kafka ACL APIs and add ACLs for an MSK cluster that uses IAM access control, but ACLs stored in Apache ZooKeeper have no effect on authorization for IAM roles. So access/authorization for 'client A', which uses IAM auth, will be controlled by the IAM policy, as ACLs have no effect in the case of 'client A' even though they are added.
But when a client is using non-IAM auth, these added ACLs (and allow.everyone.if.no.acl.found) will have an effect, i.e. authorization in that case will be controlled by ACLs. So when 'client B', which uses SASL/SCRAM, tries to perform any operation, it is validated against the ACLs that were added.
In short, to fill in the gaps in the table you mentioned above:
| Authn & Authz mech | Kafka client authn | Kafka client authz | Kafka ACL behaviour | Property allow.everyone.if.no.acl.found |
| --- | --- | --- | --- | --- |
| SASL/IAM clients | SASL/IAM | IAM | No effect | No effect |
| SASL/SCRAM clients | SASL/SCRAM | ACLs | Applies/Does have an effect | Applies/Does have an effect |
For the follow-up question "What I am not clear about is Zookeeper authn and authz. Is that always TLS or is it possible to have SCRAM or IAM for Zookeeper?":
Currently ZooKeeper uses TLS only for encryption, not for authentication. ZooKeeper doesn't support any access control methods at the moment. The best security practice is to place the ZooKeeper nodes in a separate security group (1) and block/control access using inbound rules, so that users can perform Kafka data plane actions (reading, writing, creating topics, listing topics, etc.) only through the brokers/bootstrap servers. That way users/clients must be authenticated and authorized to perform those actions.
(1) https://docs.aws.amazon.com/msk/latest/developerguide/zookeeper-security.html
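The decision logic the answer above describes, written out as an added example (this is not AWS or Apache Kafka code, and not the answerer's): a model of a broker that has both IAM and SASL/SCRAM enabled and routes each request to the authorizer that matches how the client authenticated. Kafka-style ACL evaluation (DENY wins, otherwise an ALLOW is needed, allow.everyone.if.no.acl.found only counts when the resource has no ACLs at all) and a reduced IAM policy evaluation are implemented inline; the cluster ARN, topic names, client names, the single ACL and the IAM policy are all constructed for illustration, and host matching, operation implication (Read implying Describe) and IAM conditions are deliberately left out.

```python
"""Constructed model of MSK authorization with IAM and SASL/SCRAM both enabled:
IAM-authenticated clients are judged only by IAM policy, SASL/SCRAM clients
only by Kafka ACLs plus allow.everyone.if.no.acl.found. Not AWS/Kafka code."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Assumed (made-up) cluster ARN prefix and topic ARN layout for the example.
CLUSTER = "arn:aws:kafka:us-east-1:111122223333"
TOPIC_ARN = CLUSTER + ":topic/demo-cluster/abcd1234-0000-0000-0000-000000000000/{name}"


@dataclass(frozen=True)
class Acl:
    principal: str             # "User:<name>" or the wildcard "User:*"
    operation: str             # Read, Write, Describe, Create, ... or All
    resource_type: str         # Topic, Group, Cluster
    name: str                  # literal name, "*" (wildcard), or a prefix
    pattern: str = "LITERAL"   # LITERAL or PREFIXED
    permission: str = "ALLOW"  # ALLOW or DENY

    def covers_resource(self, resource_type, name):
        if self.resource_type != resource_type:
            return False
        if self.pattern == "PREFIXED":
            return name.startswith(self.name)
        return self.name in (name, "*")

    def matches(self, principal, operation, resource_type, name):
        return (self.covers_resource(resource_type, name)
                and self.principal in (principal, "User:*")
                and self.operation in (operation, "All"))


def kafka_acl_decision(acls, principal, operation, resource_type, name,
                       allow_everyone_if_no_acl_found=False):
    """Kafka AclAuthorizer rules, minus host matching and operation implication:
    a matching DENY wins, otherwise a matching ALLOW is required; the
    allow.everyone flag only matters when the resource has no ACLs at all."""
    on_resource = [a for a in acls if a.covers_resource(resource_type, name)]
    if not on_resource:
        return allow_everyone_if_no_acl_found
    hits = [a for a in on_resource if a.matches(principal, operation, resource_type, name)]
    if any(a.permission == "DENY" for a in hits):
        return False
    return any(a.permission == "ALLOW" for a in hits)


def iam_policy_decision(policy, action, resource_arn):
    """Reduced IAM evaluation: explicit Deny beats Allow, default is deny.
    Conditions, NotAction/NotResource and resource policies are omitted."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (any(fnmatchcase(action, a) for a in actions)
                and any(fnmatchcase(resource_arn, r) for r in resources)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Kafka topic operation -> MSK IAM action name used on the IAM client path.
IAM_ACTION = {"Read": "kafka-cluster:ReadData", "Write": "kafka-cluster:WriteData",
              "Describe": "kafka-cluster:DescribeTopic"}


def authorize(client_auth, principal, operation, topic, acls, policy,
              allow_everyone_if_no_acl_found=False):
    """Dispatch on the mechanism the client authenticated with: IAM clients never
    touch the ACL list, SCRAM clients never touch the IAM policy."""
    if client_auth == "IAM":
        return iam_policy_decision(policy, IAM_ACTION[operation], TOPIC_ARN.format(name=topic))
    if client_auth == "SASL/SCRAM":
        return kafka_acl_decision(acls, principal, operation, "Topic", topic,
                                  allow_everyone_if_no_acl_found)
    raise ValueError(f"unsupported mechanism {client_auth}")


# Constructed cluster state: one ACL for the SCRAM user, one IAM policy for the role.
ACLS = [Acl("User:client-b", "Read", "Topic", "orders")]
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kafka-cluster:Connect", "kafka-cluster:WriteData"],
     "Resource": [CLUSTER + ":cluster/demo-cluster/*", TOPIC_ARN.format(name="orders")]},
]}


def run_scenarios():
    """Decision for each client/operation pair the answer talks about."""
    return {
        # client A (IAM) writes 'orders': there is no Write ACL, but ACLs are ignored for IAM
        "A:IAM write orders": authorize("IAM", "User:client-a", "Write", "orders", ACLS, POLICY),
        # client A on a topic the policy does not cover: denied even with allow.everyone on
        "A:IAM write scratch": authorize("IAM", "User:client-a", "Write", "scratch", ACLS, POLICY, True),
        "B:SCRAM read orders": authorize("SASL/SCRAM", "User:client-b", "Read", "orders", ACLS, POLICY),
        "B:SCRAM write orders": authorize("SASL/SCRAM", "User:client-b", "Write", "orders", ACLS, POLICY),
        # 'scratch' has no ACLs at all, so the broker-level flag decides for SCRAM clients
        "B:SCRAM write scratch (flag off)": authorize("SASL/SCRAM", "User:client-b", "Write", "scratch", ACLS, POLICY),
        "B:SCRAM write scratch (flag on)": authorize("SASL/SCRAM", "User:client-b", "Write", "scratch", ACLS, POLICY, True),
    }


if __name__ == "__main__":
    for case, decision in run_scenarios().items():
        print(f"{case:36} -> {'ALLOW' if decision else 'DENY'}")
```

The point of the two "scratch" cases is the practitioner check worth running on a real cluster: allow.everyone.if.no.acl.found opens every topic that has no ACL to every SASL/SCRAM user while changing nothing for IAM clients, so a cluster that is locked down only by IAM policy can still be wide open on the SCRAM path.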
Thanks for the answer. I figured this out the hard way by creating clusters and clients and testing them. The documentation should clarify what happens when multiple mechanisms are used. Until a couple of months ago it allowed only one, and recently it has started allowing multiple mechanisms simultaneously on the same cluster.
What I am not clear about is Zookeeper authn and authz. Is that always TLS or is it possible to have SCRAM or IAM for Zookeeper?