
What I want to do is enable SASL Authentication only for client to broker communication and not for

  • Broker to Broker
  • Broker to Zookeeper

Is it possible to do so? If yes, how can I achieve it?

I have followed various links and the official Kafka docs as well, but no luck in getting a clear idea of it.

Any help would be appreciated!

Tushar H


Yes this is possible.

It requires a few steps and I'm afraid I doubt I can be clearer than the official Kafka docs about configuring SASL. I'd recommend having another look at them, and if there's a section you're unsure about, ask explicitly about it.

Anyway, I'll give you some pointers for SASL PLAIN (probably the easiest to set up).

  • On the broker side, following these docs:

    • Create a JAAS file with a KafkaServer section:

      KafkaServer {
          org.apache.kafka.common.security.plain.PlainLoginModule required
          username="admin"
          password="admin-secret"
          user_admin="admin-secret"
          user_alice="alice-secret";
      };
      
    • Set the JVM property java.security.auth.login.config so the JAAS file is picked up

    • Update server.properties to include SASL settings. For example:

      # Broker-side settings: a SASL_PLAINTEXT listener and the mechanism it offers
      # (security.protocol is a client property, not a broker one)
      listeners=SASL_PLAINTEXT://:9092
      sasl.enabled.mechanisms=PLAIN
      

      I recommend starting without SSL, but keep in mind that if you end up using SASL PLAIN, you must enable SSL, otherwise all traffic including authentication will be in clear text!

  • On the client side, following these docs:

    • Update your client properties to include:

      sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
        username="alice" password="alice-secret";
      security.protocol=SASL_SSL
      sasl.mechanism=PLAIN
      

Obviously in production, you should not rely on hardcoded users in the broker's JAAS file. The Kafka docs explain how to instead provide an implementation that provides user IDs properly.

Mickael Maison
  • Thanks for your pointers, I did follow these steps from the doc. The only thing I haven't specified in the question is: I have two listeners, SASL_PLAINTEXT://localhost:9092,PLAINTEXT://localhost:9093, and what I want is that SASL_PLAINTEXT should be used for client-broker only and the others should not use SASL. I did specify inter.broker.listener.name=PLAINTEXT in server.properties, but it still throws me an error: KafkaServer config is not found in jaas file – Tushar H Jan 30 '19 at 09:39
  • It looks like you did not properly specify `java.security.auth.login.config`. Can you make sure this is correctly set up and pointing to the JAAS file? – Mickael Maison Jan 30 '19 at 09:45
  • Yeah, I did check it again and it's pointing to the correct file. – Tushar H Jan 30 '19 at 10:40
  • I believe this answer is wrong, since even your `KafkaServer` config is for setting up inter-broker `SASL` comms (also notice the admin user, that is just for inter-broker SASL); the OP *does not* want to use SASL for inter-broker, only for client-broker – xref Jul 19 '19 at 07:07
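A broker-side configuration for the two-listener setup discussed in the comments (clients on SASL_PLAINTEXT, inter-broker and ZooKeeper traffic without SASL), added here as a constructed example that is not from either poster or the Kafka docs verbatim; the hostnames, ports and the `alice` credential are placeholders, and the listener-prefixed `sasl.jaas.config` property is a standard broker setting that avoids the need for a `KafkaServer` JAAS section:

```properties
# server.properties fragment (constructed example; hostnames/credentials are placeholders)

# Two listeners: SASL_PLAINTEXT for clients, PLAINTEXT for broker-to-broker traffic.
listeners=SASL_PLAINTEXT://0.0.0.0:9092,PLAINTEXT://0.0.0.0:9093
advertised.listeners=SASL_PLAINTEXT://broker1.example.internal:9092,PLAINTEXT://broker1.example.internal:9093

# Brokers replicate over the PLAINTEXT listener, so no SASL handshake happens between them.
# Do not also set security.inter.broker.protocol; the two options are mutually exclusive.
inter.broker.listener.name=PLAINTEXT

# Mechanism offered on the SASL listener.
sasl.enabled.mechanisms=PLAIN

# JAAS config scoped to the sasl_plaintext listener and the PLAIN mechanism.
# Supplying it inline means no KafkaServer section in a JAAS file and no
# java.security.auth.login.config JVM property are required, which is the cause
# of the "KafkaServer config not found" error when only a file-based setup is attempted.
# Only user_<name> entries are needed: the username/password pair used for the
# broker's own inter-broker login is unnecessary once inter-broker traffic is PLAINTEXT.
listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  user_alice="alice-secret";

# No 'Client' JAAS section is configured, so the broker connects to ZooKeeper unauthenticated
# and does not set ZooKeeper ACLs.
zookeeper.connect=zk1.example.internal:2181
zookeeper.set.acl=false
```

The PLAINTEXT listener accepts unauthenticated connections, so restrict port 9093 at the network level to the broker hosts themselves, and move the client listener to SASL_SSL before using PLAIN credentials outside a test environment.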