I am trying to find out if it is possible to utilize client certificates (mTLS) between Kafka clients and brokers as well as using SASL. My goal is to ignore SASL credentials when a client certificate is present and, in other cases, use SASL if a client certificate is not present. I can see that https://cwiki.apache.org/confluence/display/KAFKA/KIP-684+-+Support+mutual+TLS+authentication+on+SASL_SSL+listeners allows for combinations of the two, but as I understand it, it mentions that SASL is always used even if a client certificate is present.

Thank you.

Tomas

1 Answer

First, KIP-684 is only implemented since 2.8.0, and AFAIK the SASL user takes precedence over mTLS. And you cannot make SASL authentication optional once you have enabled it on a listener.

As a result, I would advise you to have 2 listeners, on 2 different TCP ports. Let's say:

  • Port 9092 for SASL_SSL, SASL with simple TLS -> for applications authenticating with SASL
  • Port 9093 for mTLS, 2-way TLS without SASL -> for applications authenticating with client TLS cert.
G Quintana
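The two-listener layout from the answer, written out as a broker `server.properties` fragment. This is an added example, not configuration from the question or the answer; the hostname `broker1.example.internal`, the keystore/truststore paths and passwords, and the choice of SCRAM-SHA-512 as the SASL mechanism are assumptions you would replace with your own. The important lines are the per-listener `ssl.client.auth` overrides: the SASL_SSL listener does not ask for a client certificate at all, and the SSL listener refuses any connection that does not present one.

```properties
# Two listeners on two TCP ports, as the answer suggests.
#   9092 -> SASL_SSL: server-authenticated TLS, client identity comes from SASL
#   9093 -> SSL:      mutual TLS, client identity comes from the certificate
listeners=SASL_SSL://0.0.0.0:9092,SSL://0.0.0.0:9093
# Hostname is an assumption; use the name clients resolve.
advertised.listeners=SASL_SSL://broker1.example.internal:9092,SSL://broker1.example.internal:9093
# Listener names equal their protocols here, so the default map applies; spelled out for clarity.
listener.security.protocol.map=SASL_SSL:SASL_SSL,SSL:SSL

# Broker TLS identity and the CA(s) trusted for client certificates (paths/passwords are placeholders).
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.p12
ssl.keystore.type=PKCS12
ssl.keystore.password=CHANGE_ME_KEYSTORE_PASSWORD
ssl.truststore.location=/etc/kafka/ssl/client-ca.truststore.p12
ssl.truststore.type=PKCS12
ssl.truststore.password=CHANGE_ME_TRUSTSTORE_PASSWORD

# Port 9092: SASL over TLS. No client certificate is requested, so SASL is the only
# client authentication on this listener (this is why SASL cannot be "optional" here).
listener.name.sasl_ssl.ssl.client.auth=none
sasl.enabled.mechanisms=SCRAM-SHA-512
listener.name.sasl_ssl.sasl.enabled.mechanisms=SCRAM-SHA-512
listener.name.sasl_ssl.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;

# Port 9093: mutual TLS only. The handshake fails for clients without a certificate
# signed by a CA in the truststore above, so there is no SASL fallback to configure.
listener.name.ssl.ssl.client.auth=required
# Map the certificate subject to a short principal name (here: the CN) for ACLs.
ssl.principal.mapping.rules=RULE:^CN=([^,]+).*$/$1/,DEFAULT
```

With this in place an application that holds a client certificate points its `bootstrap.servers` at port 9093 with `security.protocol=SSL` and its own keystore; an application that only has SASL credentials uses port 9092 with `security.protocol=SASL_SSL`. Nothing on either port silently downgrades: a certificate presented on 9092 is ignored, and a SASL-only client on 9093 is rejected at the TLS handshake.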