-1

How to enable the SASL mechanism with JAAS authentication for Kafka, so that the consumer/producer has to provide a username & password in order to be able to publish to the broker?

Smaillns

1 Answer

1

The process of enabling SASL authentication in Kafka is extensively described in the Authentication using SASL section in the documentation. I suggest you follow the official documentation as it contains instructions for all the mechanisms and recommendations for production environments.

To give a bit of background, at a glance you need to:

  1. Create a JAAS file for brokers with a KafkaServer block and the configuration for the specific mechanism.

  2. Add -Djava.security.auth.login.config=<PATH_TO_JAAS_FILE> to your broker JVM command line argument.

  3. Configure client to use SASL via the security.protocol, sasl.mechanism and sasl.jaas.config settings.

Mickael Maison
  • Thanks for the answer @Mickael. I'm struggling to configure the clients, could you give a brief example of your 3rd point please – Smaillns Mar 15 '22 at 14:55
  • 1
    For example, for PLAIN, your client needs:
    ```
    sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
      username="" \
      password="";
    security.protocol=SASL_SSL
    sasl.mechanism=PLAIN
    ```
    See https://kafka.apache.org/documentation/#security_sasl_plain_clientconfig – Mickael Maison Mar 15 '22 at 15:58
  • I was able to connect the producer by adding all the config (above) in the `producer.properties`, so we don't need to have an extra config-file. Thanks Mickael – Smaillns Mar 15 '22 at 16:12
  • !important: when launching the producer we have to specify the config by adding `--producer.config config/producer.properties` – Smaillns Mar 15 '22 at 16:27
  • How do I add the parameter of step 2 to the JVM? – Smaillns Mar 16 '22 at 07:51
  • 1
    If you use the Kafka scripts, like kafka-console-producer, you can just set and export KAFKA_OPTS. For example, export KAFKA_OPTS="-Djava.security.auth.login.config=". – Mickael Maison Mar 16 '22 at 08:55
  • https://stackoverflow.com/q/71496266/7691891 – Smaillns Mar 16 '22 at 11:26
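
The three steps from the answer, worked through for the PLAIN mechanism as an added example (not part of the original answer or comments). The function names, account names, passwords and paths are placeholders chosen for illustration, and the broker's own listener settings in `server.properties` are not shown.

```shell
# Added example for PLAIN over SASL_SSL; all names, passwords and paths are placeholders.
umask 077  # files below hold passwords: create them owner-readable only

# Step 1: broker JAAS file. username/password are the broker's own credentials for
# inter-broker connections; each user_<name>="<password>" entry defines a client account.
write_broker_jaas() {  # $1 = output file
  cat > "$1" <<'EOF'
KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin-secret-placeholder"
    user_admin="admin-secret-placeholder"
    user_alice="alice-secret-placeholder";
};
EOF
}

# Step 2: JVM flag for the broker, exported as KAFKA_OPTS before starting it:
#   export KAFKA_OPTS="$(broker_kafka_opts /path/to/kafka_server_jaas.conf)"
broker_kafka_opts() {  # $1 = JAAS file path
  printf '%s' "-Djava.security.auth.login.config=$1"
}

# Step 3: client settings, passed to the console tools with --producer.config.
# SASL_SSL also needs the usual TLS truststore settings, which are not shown here.
write_client_props() {  # $1 = output file, $2 = username, $3 = password
  cat > "$1" <<EOF
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="$2" password="$3";
EOF
}

# Reject client files that would send PLAIN credentials without TLS, or that
# leave the username or password empty.
check_client_props() {  # $1 = properties file; returns 0 if acceptable
  grep -q '^security\.protocol=SASL_SSL$' "$1" || { echo "PLAIN without TLS exposes the password" >&2; return 1; }
  grep -Eq 'username="[^"]+"' "$1" || { echo "empty username" >&2; return 1; }
  grep -Eq 'password="[^"]+"' "$1" || { echo "empty password" >&2; return 1; }
}
```

Running `check_client_props` on a client file before handing it to `--producer.config` catches the two mistakes that are easiest to make with PLAIN: a `SASL_PLAINTEXT` protocol and blank credentials.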