Skip to content

Instantly share code, notes, and snippets.

@asdaraujo

asdaraujo/kafka-python-sasl-gssapi.py

Last active July 18, 2024 07:35
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save asdaraujo/2c7d8c1119a45a4e7bbaa3e068655c84 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save asdaraujo/2c7d8c1119a45a4e7bbaa3e068655c84 to your computer and use it in GitHub Desktop.
Download ZIP
kafka-python example with Kerberos auth
Raw
kafka-python-sasl-gssapi.py
# Requirements: kafka-python gssapi krbticket
import os
import time
from kafka import KafkaConsumer, KafkaProducer
from krbticket import KrbConfig, KrbCommand
try:
os.environ['KRB5CCNAME'] = '/tmp/krb5cc_<myusername>'
kconfig = KrbConfig(principal='araujo', keytab='/path/to/<myusername>.keytab')
KrbCommand.kinit(kconfig)
# Kafka broker
BROKERS = ['host.cloudera.site:9093']
# Kafka topics
TOPIC = 'demo'
producer = KafkaProducer(
bootstrap_servers=BROKERS,
security_protocol='SASL_SSL',
ssl_cafile='/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_cacerts.pem',
sasl_mechanism='GSSAPI',
sasl_kerberos_service_name='kafka',
)
producer.send(TOPIC, ('Hello, World! %s' % (time.time(),)).encode())
producer.flush()
consumer = KafkaConsumer(
bootstrap_servers=BROKERS,
security_protocol='SASL_SSL',
ssl_cafile='/var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_cacerts.pem',
sasl_mechanism='GSSAPI',
sasl_kerberos_service_name='kafka',
auto_offset_reset='earliest',
)
consumer.subscribe([TOPIC])
for message in consumer:
print(message)
finally:
print("Destroying ticket")
KrbCommand.kdestroy(kconfig)
@manishr38
Copy link

manishr38 commented Feb 22, 2022
edited
Loading

Hi there, thanks a lot for the script, can you tell me what this line number 8 is meant for? Do i have to add the environment variable? sorry i am new to kafka. Is "KRB5CCNAME" fixed variable name? or it changes upon the server configuration?

@aiganymus
Copy link

aiganymus commented May 17, 2022
edited
Loading

Hi there, thanks a lot for the script, can you tell me what this line number 8 is meant for? Do i have to add the environment variable? sorry i am new to kafka. Is "KRB5CCNAME" fixed variable name? or it changes upon the server configuration?

@manishr38
what this line number 8 is meant for? - it is used to set kerberos default credential cache name
Do i have to add the environment variable? - you don't. you can check the default cache name using the command klist
Is "KRB5CCNAME" fixed variable name? - yes
or it changes upon the server configuration? - no

@asdaraujo
Copy link
Author

asdaraujo commented May 18, 2022

Thanks for answering this, @aiganymus !
Even though you don't need to set KRB5CCNAME, I'd highly recommend you to do so. If you have multiple scripts using the default cache, the actions of a script (kinit/kdestroy) can affect the other scripts. If you set one cache file for each script, using the KRB5CCNAME variable, then you're safe.

@vitorfmoreiradasilva
Copy link

vitorfmoreiradasilva commented Sep 26, 2022

Hello @asdaraujo,
I'm trying to implement this to be able to connect to Kafka from a Windows Server Application which is not supported by the KrbTicket.
Do you have any idea of what could be a possible solution?
Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment