We are connecting to a Kafka server that uses Kerberos authentication, and from my understanding, when using Kerberos we can provide the credentials to the client application in two ways: either in the form of a valid Kerberos ticket, stored in a ticket cache, or as a keytab file, which the application can use to obtain a Kerberos ticket.
Here, I have a keytab file, so I have created a JAAS config like below and have set it on kafkaConfig.
kerberosConfig = "com.ibm.security.auth.module.Krb5LoginModule required "
    + "useKeytab=\"" + keytabPath
    + "\" credsType=both principal=\"" + principal + "\";";
kafkaConfig.setProperty("sasl.jaas.config", kerberosConfig);
Now, the question is: I just used this JAAS config with the keytab for the Kafka connection and it works fine without any issue, but I found that we also need to pass krb5.conf to the system properties for Kerberos authentication, like below:
System.setProperty("java.security.krb5.conf", krb5ConfPath); // krb5ConfPath: String holding the path to the krb5.conf file
So, could someone please explain what the difference is between the keytab and krb5.conf, and whether the keytab file alone is enough, or whether I need to pass krb5.conf to the system properties as well? Or is krb5.conf alone enough?
The first is config specific to the Kafka client only.
The second is a JVM-wide property, which is carried through to any library you're using that needs Kerberos. Ideally, you pass this as a java -D CLI argument, rather than via System.setProperty in code.
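As an added example (not code from the question or the answer): a small Java preflight that builds the same client-scoped sasl.jaas.config string with its values escaped, and reports which krb5.conf the JVM-wide setting would resolve to. The class and method names, the fallback krb5.conf locations, and the sample keytab path and principal are assumptions.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.util.*;
public class KerberosClientPreflight {
    // Quote a JAAS option value, escaping backslashes and quotes so a path cannot end the string early.
    static String quote(String v) {
        return "\"" + v.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }
    // Client-scoped: only the Kafka client that receives this property uses it.
    static String jaasConfig(String keytabPath, String principal) {
        return "com.ibm.security.auth.module.Krb5LoginModule required"
            + " useKeytab=" + quote(keytabPath)
            + " credsType=both principal=" + quote(principal) + ";";
    }
    // JVM-scoped: the krb5.conf this process would most likely read.
    static Optional<Path> krb5Conf() {
        String explicit = System.getProperty("java.security.krb5.conf");
        if (explicit != null) return Optional.of(Paths.get(explicit));
        String home = System.getProperty("java.home");
        // Assumed fallback locations; the real search order is JVM- and OS-specific.
        return Arrays.asList(Paths.get(home, "conf", "security", "krb5.conf"),
                             Paths.get(home, "lib", "security", "krb5.conf"),
                             Paths.get("/etc/krb5.conf"))
                     .stream().filter(Files::isReadable).findFirst();
    }
    // Report problems with the two files before the Kafka client is created.
    static List<String> problems(Path keytabFile) throws IOException {
        List<String> out = new ArrayList<>();
        if (!Files.isReadable(keytabFile)) {
            out.add("keytab not readable: " + keytabFile);
        } else if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            Set<PosixFilePermission> p = Files.getPosixFilePermissions(keytabFile);
            if (p.contains(PosixFilePermission.GROUP_READ) || p.contains(PosixFilePermission.OTHERS_READ))
                out.add("keytab holds long-term keys but is readable beyond its owner");
        }
        Optional<Path> conf = krb5Conf();
        if (!conf.isPresent() || !Files.isReadable(conf.get()))
            out.add("no readable krb5.conf; set -Djava.security.krb5.conf=<path>");
        return out;
    }
    public static void main(String[] args) throws IOException {
        String keytab = args.length > 0 ? args[0] : "/etc/security/keytabs/app.keytab"; // constructed sample
        String principal = args.length > 1 ? args[1] : "app@EXAMPLE.COM";               // constructed sample
        System.out.println("sasl.jaas.config = " + jaasConfig(keytab, principal));
        System.out.println("krb5.conf in effect: " + krb5Conf().map(Path::toString).orElse("none found"));
        problems(Paths.get(keytab)).forEach(s -> System.out.println("PROBLEM: " + s));
    }
}
```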