Kafka uses the Java Authentication and Authorization Service
+ (JAAS)
+ for SASL configuration. KafkaServer is the section name in the JAAS file used by each
KafkaServer/Broker. This section provides SASL configuration options
for the broker including any SASL client connections made by the broker
- for inter-broker communication.7.1 Security Overview
In release 0.9.0.0, the Kafka community added a number of features that, used either separately or together, increases security in a Kafka cluster. The following security measures are currently supported:
-
+
7.3 Authentication using SASL
-
SASL configuration for Kafka brokers
-
-
-Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf
listeners=SASL_PLAINTEXT://host.name:port
- If SASL_SSL is used, then SSL must also be
- configured. If you are only configuring a SASL port (or if you want
- the Kafka brokers to authenticate each other using SASL) then make sure
- you set the same SASL protocol for inter-broker communication:
- security.inter.broker.protocol=SASL_PLAINTEXT (or SASL_SSL)
sasl.enabled.mechanisms=GSSAPI (,PLAIN)
sasl.mechanism.inter.broker.protocol=GSSAPI (or PLAIN)
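Review bot: The notation "sasl.enabled.mechanisms=GSSAPI (,PLAIN)" in this region is easy to misread as literal syntax; the later hunk already writes the property as a plain comma-separated list ("sasl.enabled.mechanisms=GSSAPI,PLAIN,SCRAM-SHA-256,SCRAM-SHA-512"), so use that form here as well and add a sentence saying the value is a comma-separated list of the mechanisms the broker accepts from clients.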
JAAS configuration
+
-
JAAS configuration for Kafka brokers
+
+
Client section is used to authenticate a SASL connection with zookeeper. It also allows the brokers to set SASL ACL on zookeeper nodes which locks these nodes down so that only the brokers can modify it. It is necessary to have the same principal name across all brokers. If you want to use a section name other than Client, set the system property zookeeper.sasl.client to the appropriate - name (e.g., -Dzookeeper.sasl.client=ZkClient). -
ZooKeeper uses "zookeeper" as the service name by default. If you want to change this, set the system property zookeeper.sasl.client.username to the appropriate name - (e.g., -Dzookeeper.sasl.client.username=zk).
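Review bot: Grammar and spelling in the ZooKeeper Client paragraph: "locks these nodes down so that only the brokers can modify it" should read "modify them", and the product name is spelled three ways across the hunks ("zookeeper" here, "ZooKeeper" in the next sentence, "Zookeeper" in the SCRAM section). Pick the project's own spelling, ZooKeeper, and use it throughout, keeping the lowercase form only inside the property names zookeeper.sasl.client and zookeeper.sasl.client.username.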
sasl.jaas.config
.
- To configure SASL authentication on the clients:
- security.protocol=SASL_PLAINTEXT (or SASL_SSL) - sasl.mechanism=GSSAPI (or PLAIN)
Clients may specify JAAS configuration as a producer or consumer property without
- creating a physical configuration file. This mode also enables different producers
- and consumers within the same JVM to use different credentials by specifying
- different properties for each client. If both static JAAS configuration system property
- java.security.auth.login.config
and client property sasl.jaas.config
- are specified, the client property will be used.
sasl.jaas.config
in producer.properties or
- consumer.properties to be the JAAS login module section of the selected mechanism.
- For example, PLAIN
- credentials may be configured as:
- sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="alice" password="alice-secret";
Clients may configure JAAS using the client configuration property + sasl.jaas.config + or using the static JAAS config file + similar to brokers.
+- KafkaClient { +
Clients may specify JAAS configuration as a producer or consumer property without
+ creating a physical configuration file. This mode also enables different producers
+ and consumers within the same JVM to use different credentials by specifying
+ different properties for each client. If both static JAAS configuration system property
+ java.security.auth.login.config
and client property sasl.jaas.config
+ are specified, the client property will be used.
See GSSAPI (Kerberos), + PLAIN or + SCRAM for example configurations.
+ KafkaClient { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka_client.keytab" principal="kafka-client-1@EXAMPLE.COM"; };- See GSSAPI (Kerberos) or PLAIN - for example configurations of each mechanism.
-Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf
-Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf
SASL may be used with PLAINTEXT or SSL as the transport layer using the + security protocol SASL_PLAINTEXT or SASL_SSL respectively. If SASL_SSL is + used, then SSL must also be configured.
+ +listeners=SASL_PLAINTEXT://host.name:port+ If you are only configuring a SASL port (or if you want + the Kafka brokers to authenticate each other using SASL) then make sure + you set the same SASL protocol for inter-broker communication: +
security.inter.broker.protocol=SASL_PLAINTEXT (or SASL_SSL)
SASL authentication is only supported for the new Java Kafka producer and + consumer, the older API is not supported.
+ +To configure SASL authentication on the clients, select a SASL + mechanism that is enabled in + the broker for client authentication and follow the steps to configure SASL + for the selected mechanism.
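Review bot: Comma splice in "SASL authentication is only supported for the new Java Kafka producer and consumer, the older API is not supported"; split it into two sentences or use a semicolon. In the same region the paragraph beginning "Clients may specify JAAS configuration as a producer or consumer property" is removed and then re-added with identical wording, and the line "-Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf" is listed twice in a row; check that the final text carries only one copy of each.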
Salted Challenge Response Authentication Mechanism (SCRAM) is a family of SASL mechanisms that
+ addresses the security concerns with traditional mechanisms that perform username/password authentication
+ like PLAIN and DIGEST-MD5. The mechanism is defined in RFC 5802.
+ Kafka supports SCRAM-SHA-256 and SCRAM-SHA-512 which
+ can be used with TLS to perform secure authentication. The username is used as the authenticated
+ Principal
for configuration of ACLs etc. The default SCRAM implementation in Kafka
+ stores SCRAM credentials in Zookeeper and is suitable for use in Kafka installations where Zookeeper
+ is on a private network. Refer to Security Considerations
+ for more details.
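Review bot: The sentence "The default SCRAM implementation in Kafka stores SCRAM credentials in Zookeeper and is suitable for use in Kafka installations where Zookeeper is on a private network" is immediately followed by "The SCRAM implementation in Kafka uses Zookeeper as credential store" in the next paragraph; drop the second sentence and start that paragraph at "Credentials can be created in Zookeeper using kafka-configs.sh". Also, "Kafka supports SCRAM-SHA-256 and SCRAM-SHA-512 which can be used with TLS" needs a comma before "which".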
The SCRAM implementation in Kafka uses Zookeeper as credential store. Credentials can be created in + Zookeeper using kafka-configs.sh. For each SCRAM mechanism enabled, credentials must be created + by adding a config with the mechanism name. Credentials for inter-broker communication must be created + before Kafka brokers are started. Client credentials may be created and updated dynamically and updated + credentials will be used to authenticate new connections.
+Create SCRAM credentials for user alice with password alice-secret: +
+ bin/kafka-configs.sh --zookeeper localhost:2181 --alter --add-config 'SCRAM-SHA-256=[iterations=8192,password=alice-secret],SCRAM-SHA-512=[password=alice-secret]' --entity-type users --entity-name alice ++
The default iteration count of 4096 is used if iterations are not specified. A random salt is created + and the SCRAM identity consisting of salt, iterations, StoredKey and ServerKey are stored in Zookeeper. + See RFC 5802 for details on SCRAM identity and the individual fields. +
The following examples also require a user admin for inter-broker communication which can be created using: +
+ bin/kafka-configs.sh --zookeeper localhost:2181 --alter --add-config 'SCRAM-SHA-256=[password=admin-secret],SCRAM-SHA-512=[password=admin-secret]' --entity-type users --entity-name admin ++
Existing credentials may be listed using the --describe option: +
+ bin/kafka-configs.sh --zookeeper localhost:2181 --describe --entity-type users --entity-name alice ++
Credentials may be deleted for one or more SCRAM mechanisms using the --delete option: +
+ bin/kafka-configs.sh --zookeeper localhost:2181 --alter --delete-config 'SCRAM-SHA-512' --entity-type users --entity-name alice ++
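Review bot: Every kafka-configs.sh example in this region passes the secret inline ("password=alice-secret", "password=admin-secret") and nothing in the text says so; add a sentence noting that the password is part of the command line and so is recorded in the operator's shell history, and that the same literals are stored in clear text in the KafkaServer JAAS section and in sasl.jaas.config in producer.properties or consumer.properties, so those files need restrictive permissions. The --describe example shows no output; a sample of what the stored SCRAM identity (salt, iterations, StoredKey, ServerKey) looks like in that output would make the earlier sentence about what is stored in Zookeeper concrete.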
+ KafkaServer { + org.apache.kafka.common.security.scram.ScramLoginModule required + username="admin" + password="admin-secret" + };+ The properties username and password in the KafkaServer section are used by + the broker to initiate connections to other brokers. In this example, admin is the user for + inter-broker communication.
-Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf
+ listeners=SASL_SSL://host.name:port + security.inter.broker.protocol=SASL_SSL + sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256 (or SCRAM-SHA-512) + sasl.enabled.mechanisms=SCRAM-SHA-256 (or SCRAM-SHA-512)
+ sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \ + username="alice" \ + password="alice-secret";+ +
The options username and password are used by clients to configure
+ the user for client connections. In this example, clients connect to the broker as user alice.
+ Different clients within a JVM may connect as different users by specifying different user names
+ and passwords in sasl.jaas.config
.
JAAS configuration for clients may alternatively be specified as a JVM parameter similar to brokers + as described here. Clients use the login section named + KafkaClient. This option allows only one user for all client connections from a JVM.
+ security.protocol=SASL_SSL + sasl.mechanism=SCRAM-SHA-256 (or SCRAM-SHA-512)
sasl.enabled.mechanisms=GSSAPI,PLAIN
sasl.enabled.mechanisms=GSSAPI,PLAIN,SCRAM-SHA-256,SCRAM-SHA-512
security.inter.broker.protocol=SASL_PLAINTEXT (or SASL_SSL) - sasl.mechanism.inter.broker.protocol=GSSAPI (or PLAIN)
+ security.inter.broker.protocol=SASL_PLAINTEXT (or SASL_SSL) + sasl.mechanism.inter.broker.protocol=GSSAPI (or one of the other enabled mechanisms)
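Review bot: The new wording "GSSAPI (or one of the other enabled mechanisms)" for sasl.mechanism.inter.broker.protocol is an improvement on "(or PLAIN)", but it should name the property it depends on: say "or any other mechanism listed in sasl.enabled.mechanisms". The SCRAM broker example earlier has the same implicit coupling, since "sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256 (or SCRAM-SHA-512)" and "sasl.enabled.mechanisms=SCRAM-SHA-256 (or SCRAM-SHA-512)" only work when the same alternative is chosen for both; one sentence stating that the inter-broker mechanism must be one of the enabled mechanisms would cover both places.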