Starting from Kafka 0.10.x Kafka Broker supports username/password authentication. This Mechanism is called SASL/PLAIN. The steps below describe how to set up this mechanism on an IOP 4.2.5 Kafka Cluster.

1. Configure the Kafka brokers and Kafka Clients

Add a JAAS configuration file for each Kafka broker. Create a kafka_plain_jaas.conf file as specified below:

KafkaServer {  
org.apache.kafka.common.security.plain.PlainLoginModule required
   username="kafka"
   password="kafka-secret"
   user_kafka="kafka-secret"
   user_ibm="ibm-secret";
};
KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
  username="ibm"
  password="ibm-secret";
};

Let’s understand the content of kafka_plain_jaas.conf file and how Kafka Brokers and Kafka Clients use it.

KafkaServer Section:
The KafkaServer section defines two users: kafka and ibm. The properties username and password are used by the broker to initiate connections to other brokers. In this example, kafka is the user for inter-broker communication. The set of properties user_{userName} defines the passwords for all users that connect to the broker and the broker validates all client connections including those from other brokers using these properties.

KafkaClient Section:
The Kafka Client section describes how the clients, Producer and Consumer, can connect to Kafka Broker. The properties username and password in the Kafka Client section are used by clients to configure the user for client connections. In this example, clients connect to the broker as user “ibm”.

2. Pass the JAAS configuration location as a JVM Parameter to the Kafka broker


Update the Advanced kafka-env section to add the properties below:
export KAFKA_PLAIN_PARAMS="-Djava.security.auth.login.config=/usr/iop/4.2.5.0-0000/kafka/conf/kafka_plain_jaas.conf"
export KAFKA_OPTS="$KAFKA_PLAIN_PARAMS $KAFKA_OPTS"
  		

3. Add the properties below to the custom Kafka broker configuration.

Kafka Broker Configuration

4. Update the listeners property in the Kafka Broker section to SASL_PLAINTEXT://localhost:6667

Kafka Broker Configuration

5. Restart Kafka.

Run the Kafka Client Console Producer / Console Consumer to authenticate to the Kafka broker with the specified username and password. In this example, the username used to connect to brokers is “ibm”. The JVM parameter java.security.auth.login.config for console producer and console consumer is set by the Step 2 above.
All the commands shown below are run from the path /usr/iop/4.2.5.0-0000/kafka

Create a topic:

[root@heel1 kafka]# bin/kafka-topics.sh --create --topic plain-topic --zookeeper heel1.fyre.ibm.com:2181 --partitions 1 --replication-factor 1
[2017-04-10 12:06:22,239] WARN SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/usr/iop/4.2.5.0-0000/kafka/conf/kafka_plain_jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
Created topic "plain-topic".

Run Kafka console producer

Before running the Kafka console Producer configure the producer.properties file as shown:

[root@heel1 kafka]# cat producer.properties 
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
[root@heel1 kafka]# bin/kafka-console-producer.sh --broker-list heel1.fyre.ibm.com:6667 --topic plain-topic --producer.config producer.properties 
Message 1
Message 2
Message 3
^C

Run Kafka console consumer

Before running Kafka console consumer configure the consumer.properties file as shown:

[root@heel1 kafka]# cat consumer.properties 
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
[root@heel1 kafka]# bin/kafka-console-consumer.sh --bootstrap-server heel1.fyre.ibm.com:6667 --topic plain-topic --from-beginning --consumer.config consumer.properties 
Message 1
Message 2
Message 3
^CProcessed a total of 3 messages

SASL/PLAIN with ACLs:
The username is used as the authenticated Principal, which is used in authorization (e.g. ACLs).
For usage of ACLS refer to the blog Kafka ACLs

For more information refer to the kafka documentation

1 comment on"Kafka Security Mechanism (SASL/PLAIN)"

Join The Discussion

Your email address will not be published. Required fields are marked *