
We want to add authentication to our Kafka cluster by using SASL_SSL. Since we expect to add users frequently, we are looking for a way to do this without having to perform a rolling restart.

server.properties


listeners=PLAINTEXT://localhost:9092,SASL_SSL://localhost:9093
advertised.listeners=PLAINTEXT://localhost:9092,SASL_SSL://localhost:9093
listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SASL_SSL:SASL_SSL
#SASL_SSL:Listener with TLS-based encryption and SASL-based authentication.
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
sasl.enabled.mechanisms=SCRAM-SHA-256
inter.broker.listener.name=PLAINTEXT
# empty value disables hostname verification of peer certificates (default is https)
ssl.endpoint.identification.algorithm=
ssl.client.auth=required

# TLSv1 and TLSv1.1 are deprecated; TLSv1.2 alone is the safer choice
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
sasl.mechanism.controller.protocol=SCRAM-SHA-256

ssl.keystore.location=certs\\server.keystore.jks
ssl.keystore.password=******
ssl.truststore.location=certs\\server.truststore.jks
ssl.truststore.password=******
ssl.key.password=******

super.users=User:admin
zookeeper.set.acl=true
# any authenticated principal may access a resource that has no ACL set
allow.everyone.if.no.acl.found=true

zookeeper.properties

authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
authProvider.2=org.apache.zookeeper.server.auth.DigestAuthenticationProvider
requireClientAuthScheme=sasl
sasl.client=true
sasl.clientconfig=Client

producer.properties & consumer.properties


security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-256
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="alice" password="alice-secret";
ssl.keystore.location=certs\\client.keystore.jks
ssl.keystore.password=******
ssl.key.password=******
ssl.truststore.location=certs\\client.truststore.jks
ssl.truststore.password=******

ZooKeeper and Kafka start without problems.

Then adding a user with the command below throws an exception:

sh kafka-configs.sh --zookeeper localhost:2181 --alter --add-config 'SCRAM-SHA-256=[password=testUser-secret]' --entity-type users --entity-name testUser

exception:

org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/users/testUser

Is it possible to add new users to the SASL JAAS configuration without restarting the Kafka cluster?

  • Why do you think a restart is necessary? I think you want to use `--bootstrap-server` and `--command-config` for authenticating **that command**... Otherwise, you seem to be missing the `--zk-tls-config-file` argument – OneCricketeer Jan 10 '23 at 19:00

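The approach the comment points at, written out as an added example (this is not code from the question or from Kafka itself): instead of writing the credential into ZooKeeper with `--zookeeper`, let `kafka-configs.sh` talk to the broker's SASL_SSL listener with `--bootstrap-server` and authenticate the CLI as the `super.users` principal through `--command-config`. With `zookeeper.set.acl=true` the broker creates its znodes with ACLs bound to its own SASL identity, so a tool that connects to ZooKeeper without the matching JAAS credentials gets exactly the NoAuth shown above; going through the broker sidesteps that, and no broker restart is involved. Assumed, not taken from the page: the Kafka install path in `KAFKA_BIN`, the environment variable names for the passwords, the `certs/` client keystore and truststore paths, and that the `admin` user already has a SCRAM-SHA-256 credential.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): add or rotate a SCRAM user via the
# broker API with kafka-configs.sh --bootstrap-server, authenticating the CLI
# itself as the super user. Assumptions: SASL_SSL listener on localhost:9093,
# super user "admin" with an existing SCRAM-SHA-256 credential, client
# keystore/truststore under ./certs (as in the question's client properties).
set -eu

KAFKA_BIN="${KAFKA_BIN:-/opt/kafka/bin}"   # assumed install path
BOOTSTRAP="${BOOTSTRAP:-localhost:9093}"   # SASL_SSL listener from server.properties

# Write the client properties that authenticate the CLI as the admin principal.
# Passwords come from the environment so they do not end up in shell history.
write_admin_config() {
  out="$1"; user="$2"; pass="$3"
  cat >"$out" <<EOF
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-256
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="${user}" password="${pass}";
ssl.truststore.location=certs/client.truststore.jks
ssl.truststore.password=${TRUSTSTORE_PASSWORD:-changeit}
ssl.keystore.location=certs/client.keystore.jks
ssl.keystore.password=${KEYSTORE_PASSWORD:-changeit}
ssl.key.password=${KEY_PASSWORD:-changeit}
EOF
  chmod 600 "$out"   # the file now holds the admin password
}

# The value passed to --add-config. Kafka accepts an optional iteration count
# for the SCRAM salted hash (the broker default is 4096); a higher count makes
# offline guessing of a leaked credential slower.
scram_add_config_value() {
  printf 'SCRAM-SHA-256=[iterations=%s,password=%s]' "${2:-8192}" "$1"
}

# Create (or rotate) the user over the broker, then read it back. --describe
# returns only the mechanism and iteration count, never the secret.
add_scram_user() {
  cfg="$1"; user="$2"; pass="$3"
  "$KAFKA_BIN/kafka-configs.sh" --bootstrap-server "$BOOTSTRAP" --command-config "$cfg" \
    --alter --add-config "$(scram_add_config_value "$pass")" \
    --entity-type users --entity-name "$user"
  "$KAFKA_BIN/kafka-configs.sh" --bootstrap-server "$BOOTSTRAP" --command-config "$cfg" \
    --describe --entity-type users --entity-name "$user"
}

# Usage:  ADMIN_PASSWORD=... NEW_USER_PASSWORD=... ./add_scram_user.sh testUser
# Runs only when a user name is given and the Kafka tools are actually present.
if [ $# -ge 1 ] && [ -x "$KAFKA_BIN/kafka-configs.sh" ]; then
  cfg="$(mktemp)"
  trap 'rm -f "$cfg"' EXIT
  write_admin_config "$cfg" "${ADMIN_USER:-admin}" "${ADMIN_PASSWORD:?set ADMIN_PASSWORD}"
  add_scram_user "$cfg" "$1" "${NEW_USER_PASSWORD:?set NEW_USER_PASSWORD}"
fi
```

Two caveats. The very first credential (the `admin` user the CLI authenticates as) cannot be created this way, because there is no SCRAM identity to log in with yet; that one bootstrap step still goes through `--zookeeper`, with the tool given the same `Client` JAAS login context the brokers use (via `KAFKA_OPTS=-Djava.security.auth.login.config=...`) so that the ACL set by `zookeeper.set.acl=true` admits it. And the client properties shown above keep `ssl.endpoint.identification.algorithm` at its default, so the client does verify the broker's hostname; the empty value in the question's server.properties disables that check and is worth revisiting.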