
We want to add authentication to our Kafka cluster by using SASL. Since we want to be able to add users frequently, we are looking for a way to do this without having to perform a rolling restart.

What we have tried:

Using the Dynamic Broker Configuration interface, reconfiguring listener.name.sasl_plaintext.plain.sasl.jaas.config for all brokers.

The Kafka brokers pick up on the change in ZooKeeper:

    [2019-01-11 11:08:23,403] INFO Processing override for entityPath: brokers/1 with config: Map(listener.name.sasl_plaintext.plain.sasl.jaas.config -> encryptedPassword:XXX,keyLength:128,cipherAlgorithm:AES/CBC/PKCS5Padding,initializationVector:YYY,keyFactoryAlgorithm:PBKDF2WithHmacSHA512,salt:ZZZ,iterations:4096,passwordLength:270) (kafka.server.DynamicConfigManager)

However new users are not able to connect until the broker is restarted.

Is it possible to add new users to the SASL JAAS configuration without restarting the Kafka cluster?


1 Answer

If you are using the PLAIN mechanism with sasl_plaintext, then based on this answer you are not able to add a new user to a running cluster.

Instead, you can switch to the SCRAM mechanism, and after that you will be able to create a user in the running cluster with a command like this:

    $ bin/kafka-configs.sh --zookeeper localhost:2181 --alter --add-config 'SCRAM-SHA-256=[iterations=8192,password=alice-secret],SCRAM-SHA-512=[password=alice-secret]' --entity-type users --entity-name alice

However, you still need to keep the JAAS config file, but you only pass it once when starting the server.

Here is a useful link in the Kafka documentation about using the SCRAM mechanism.

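The following is an added example, not code from the question, the answer, or the Kafka project. It shows why SCRAM users can be created on a running cluster while PLAIN users cannot: the kafka-configs command above does not store the password at all. It derives a per-user record (salt, iteration count, StoredKey, ServerKey, as defined in RFC 5802) that lives as user-level config in ZooKeeper rather than in the broker's JAAS file, and the broker can verify a client proof and prove its own knowledge of the credential from that record alone. The code is a minimal SCRAM-SHA-256 implementation with both sides of the handshake; the field names in credential_to_string are the ones Kafka uses, but the exact string layout is assumed here rather than copied from Kafka, and the user name, password and nonces are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Optional

HASH = "sha256"  # SCRAM-SHA-256; Kafka also supports SCRAM-SHA-512 with the same construction


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_credential(password: str, iterations: int = 4096, salt: Optional[bytes] = None) -> dict:
    """Derive what 'kafka-configs.sh --add-config SCRAM-SHA-256=[iterations=...,password=...]'
    stores for a user. Only salt, iterations, StoredKey and ServerKey are kept; neither the
    password nor the SaltedPassword is written anywhere."""
    if salt is None:
        salt = os.urandom(16)  # random per-user salt, as a real tool would generate
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": _h(client_key),                 # H(ClientKey)
        "server_key": _hmac(salted, b"Server Key"),   # lets the broker prove itself to the client
    }


def credential_to_string(cred: dict) -> str:
    """Render the record with Kafka's field names (layout assumed, not copied from Kafka)."""
    b64 = lambda b: base64.b64encode(b).decode()
    return (f"salt={b64(cred['salt'])},stored_key={b64(cred['stored_key'])},"
            f"server_key={b64(cred['server_key'])},iterations={cred['iterations']}")


def scram_exchange(username: str, password: str, cred: dict,
                   cnonce: Optional[str] = None, snonce: Optional[str] = None) -> dict:
    """One SCRAM handshake between a client that knows the password and a broker that knows
    only the stored record. Returns every message plus the outcome of each side's check."""
    cnonce = cnonce or secrets.token_urlsafe(16)
    snonce = snonce or secrets.token_urlsafe(16)

    # client -> broker (the gs2 header "n,," is not part of AuthMessage)
    client_first_bare = f"n={username},r={cnonce}"
    # broker -> client: extended nonce, the user's salt and iteration count from the record
    server_first = f"r={cnonce}{snonce},s={base64.b64encode(cred['salt']).decode()},i={cred['iterations']}"
    # client -> broker, without the proof yet ("biws" = base64 of "n,,", no channel binding)
    client_final_without_proof = f"c=biws,r={cnonce}{snonce}"
    auth_message = ",".join([client_first_bare, server_first, client_final_without_proof]).encode()

    # client side: rebuild the keys from the password using the salt/iterations the broker sent
    salt = base64.b64decode(server_first.split(",")[1][2:])
    iterations = int(server_first.split(",")[2][2:])
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    proof = _xor(client_key, _hmac(_h(client_key), auth_message))
    client_final = f"{client_final_without_proof},p={base64.b64encode(proof).decode()}"

    # broker side: unmask ClientKey with StoredKey, then check H(ClientKey) == StoredKey
    recovered_client_key = _xor(proof, _hmac(cred["stored_key"], auth_message))
    client_ok = hmac.compare_digest(_h(recovered_client_key), cred["stored_key"])
    server_sig = _hmac(cred["server_key"], auth_message) if client_ok else b""
    server_final = f"v={base64.b64encode(server_sig).decode()}" if client_ok else "e=invalid-proof"

    # client side: mutual authentication, the broker must hold the same ServerKey
    expected_server_sig = _hmac(_hmac(salted, b"Server Key"), auth_message)
    server_ok = client_ok and hmac.compare_digest(server_sig, expected_server_sig)

    return {
        "client_first": "n,," + client_first_bare,
        "server_first": server_first,
        "client_final": client_final,
        "server_final": server_final,
        "client_authenticated": client_ok,
        "server_authenticated": server_ok,
    }


if __name__ == "__main__":
    cred = make_credential("alice-secret", iterations=8192)   # sample user from the answer
    print(credential_to_string(cred))
    for name, value in scram_exchange("alice", "alice-secret", cred).items():
        print(f"{name}: {value}")
```

Because the record contains no password and no SaltedPassword, a compromised ZooKeeper node yields only values that can impersonate the broker to the user, not the user to the broker (an attacker would still need a PBKDF2 brute force to recover the password), which is one reason to prefer SCRAM over PLAIN even apart from the operational point in the answer.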