Kerberos support about cp-ansible HOT 4 CLOSED

@rudolfvavra this is out of scope for this playbook because we do not set up a KDC and so this would not be verifiable within the scope of the playbook. Please note that these playbooks are intended as a guideline and not to cover all cases. However, you can easily extend the SASL_SSL example to use the GSSAPI sasl.mechanism and provide a JAAS configuration that is suitable for kerberos. If you have your own keytabs and can access the KDC from all machines then you can use configuration overrides to accomplish your goal.

from cp-ansible.

Thank you very much, please are there any deployment scripts with kerberos or ldap?

Maybe for your testing lab I can imagine that default KDC configuration should be verifiable within the scope of the playbook - Or how did you create any documentation about GSSAPI (https://docs.confluent.io/current/kafka/authentication_sasl/authentication_sasl_gssapi.html ) on the first place? In the lab there must be some GSSAPI lab configuration deployment for the cluster across multiple nodes. Or how testing of GSSAPI configuration or this role is done? This ansible role can be refactor, more variables for principal, all jaas parameters ( keytab, debug, useTicketCache, useKeyTab) ... - could be listed in defaults/main.yml. In this way we can build the playbook for different KDC settings. Also SSL path to keystore and truststore is defined on multiple places and it's hardcoded - this should be also rewritten. In ideal case i could just change my hosts.cfg, my credentials and some paths in my playbook ...

from cp-ansible.

@rudolfvavra as I mentioned, setting up a KDC is out of scope for these as a KDC is not part of Confluent Platform. However, I could see adding templates for the GSSAPI mechanism, so if you would like to contribute to that work I would be happy to review it.

from cp-ansible.

Closing this issue out as it appears to have been answered.

from cp-ansible.