From 9eab8c9020ef5d07bc33d83d4cb6a2bcad74ab6b Mon Sep 17 00:00:00 2001 From: Christian Lefebvre Date: Tue, 14 Nov 2023 17:14:15 +0100 Subject: [PATCH] create scram users thru kraft Fixes #1495 Was #1505 --- roles/kafka_broker/tasks/main.yml | 52 ++++++++++++++++++++++++------- 1 file changed, 40 insertions(+), 12 deletions(-) diff --git a/roles/kafka_broker/tasks/main.yml b/roles/kafka_broker/tasks/main.yml index 4dcc36543..c385b397c 100644 --- a/roles/kafka_broker/tasks/main.yml +++ b/roles/kafka_broker/tasks/main.yml @@ -412,8 +412,7 @@ changed_when: "'Created ' + zookeeper_chroot in create_chroot.stderr" when: zookeeper_chroot|length > 0 -# Only supported when zookeeper is enabled -- name: Create SCRAM Users +- name: Create SCRAM Users with Zookeeper shell: | {% if kafka_broker_final_properties['zookeeper.set.acl']|default('false')|lower == 'true' %}KAFKA_OPTS='-Djava.security.auth.login.config={{kafka_broker.jaas_file}}'{% endif %} \ {{ binary_base_path }}/bin/kafka-configs {% if zookeeper_ssl_enabled|bool %}--zk-tls-config-file {{ kafka_broker.zookeeper_tls_client_config_file if kafka_broker_secrets_protection_enabled else kafka_broker.config_file }}{% endif %} \ @@ -424,10 +423,10 @@ run_once: true when: - "'SCRAM-SHA-512' in kafka_broker_sasl_enabled_mechanisms" - no_log: "{{mask_secrets|bool}}" + - not kraft_enabled|bool + no_log: "{{ mask_secrets|bool }}" -# Only supported when zookeeper is enabled -- name: Create SCRAM 256 Users +- name: Create SCRAM 256 Users with Zookeeper shell: | {% if kafka_broker_final_properties['zookeeper.set.acl']|default('false')|lower == 'true' %}KAFKA_OPTS='-Djava.security.auth.login.config={{kafka_broker.jaas_file}}'{% endif %} \ {{ binary_base_path }}/bin/kafka-configs {% if zookeeper_ssl_enabled|bool %}--zk-tls-config-file {{ kafka_broker.zookeeper_tls_client_config_file if kafka_broker_secrets_protection_enabled else kafka_broker.config_file }}{% endif %} \ 
@@ -438,24 +437,25 @@ run_once: true when: - "'SCRAM-SHA-256' in kafka_broker_sasl_enabled_mechanisms" + - not kraft_enabled|bool no_log: "{{ mask_sensitive_logs|bool }}" - name: Deploy JMX Exporter Config File template: - src: "{{kafka_broker_jmxexporter_config_source_path}}" - dest: "{{kafka_broker_jmxexporter_config_path}}" + src: "{{ kafka_broker_jmxexporter_config_source_path }}" + dest: "{{ kafka_broker_jmxexporter_config_path }}" mode: '640' - owner: "{{kafka_broker_user}}" - group: "{{kafka_broker_group}}" + owner: "{{ kafka_broker_user }}" + group: "{{ kafka_broker_group }}" when: kafka_broker_jmxexporter_enabled|bool tags: - configuration - name: Create Service Override Directory file: - path: "{{kafka_broker.systemd_override | dirname }}" - owner: "{{kafka_broker_user}}" - group: "{{kafka_broker_group}}" + path: "{{ kafka_broker.systemd_override | dirname }}" + owner: "{{ kafka_broker_user }}" + group: "{{ kafka_broker_group }}" state: directory mode: '640' tags: 
@@ -546,6 +546,34 @@ - not ansible_check_mode tags: health_check +- name: Create SCRAM Users with KRaft + shell: | + {{ binary_base_path }}/bin/kafka-configs \ + --bootstrap-server localhost:{{ kafka_broker_listeners['broker']['port'] }} \ + --command-config {{ kafka_broker.client_config_file }} \ + --alter --add-config 'SCRAM-SHA-512=[password={{ item.value['password'] }}]' \ + --entity-type users --entity-name {{ item.value['principal'] }} + loop: "{{ sasl_scram_users_final|dict2items }}" + run_once: true + when: + - "'SCRAM-SHA-512' in kafka_broker_sasl_enabled_mechanisms" + - kraft_enabled|bool + no_log: "{{ mask_secrets|bool }}" + +- name: Create SCRAM 256 Users with KRaft + shell: | + {{ binary_base_path }}/bin/kafka-configs \ + --bootstrap-server localhost:{{ kafka_broker_listeners['broker']['port'] }} \ + --command-config {{ kafka_broker.client_config_file }} \ + --alter --add-config 'SCRAM-SHA-256=[password={{ item.value['password'] }}]' \ + --entity-type users --entity-name {{ item.value['principal'] }} + loop: "{{ sasl_scram256_users_final|dict2items }}" + run_once: true + when: + - "'SCRAM-SHA-256' in kafka_broker_sasl_enabled_mechanisms" + - kraft_enabled|bool + no_log: "{{ mask_sensitive_logs|bool }}" + - name: Register Cluster include_tasks: register_cluster.yml when: kafka_broker_cluster_name|length > 0 and rbac_enabled|bool
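Review bot: In both new KRaft tasks the password and principal are interpolated straight into the shell line — `'SCRAM-SHA-512=[password={{ item.value['password'] }}]'` and `--entity-name {{ item.value['principal'] }}` — so a password containing a single quote, space or `$` breaks the command or is expanded by the shell, a principal with shell metacharacters does the same, and `no_log` then hides the error output. Build the argument in Jinja and let Ansible quote it: `--alter --add-config {{ ('SCRAM-SHA-512=[password=' ~ item.value['password'] ~ ']') | quote }} \` and `--entity-type users --entity-name {{ item.value['principal'] | quote }}`, with the matching two lines in the SCRAM-SHA-256 task (the Zookeeper variants above carry the same pattern, but this hunk copies it into new code). A `,` or `]` inside the password would presumably still confuse kafka-configs' `[key=value]` parsing, which is worth a one-line caveat where `sasl_scram_users` is documented. Note also that the two tasks gate `no_log` on different variables (`mask_secrets` vs `mask_sensitive_logs`) although both put the password on the command line, and that going through `--bootstrap-server` requires the admin client in `client_config_file` to already authenticate to the broker listener — if that listener only offers SCRAM, the first user cannot be created this way and `kafka-storage format --add-scram` would be the KRaft-native bootstrap; worth confirming against the listener setup.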