This article describes how to configure a server connection with SASL and Kerberos correctly.
Introduction
KaDeck supports a variety of configurations when connecting to a server using SASL.
Supported security protocols
- SASL_PLAINTEXT
- SASL_SSL
Supported SASL mechanisms
- PLAIN
- GSSAPI
- SCRAM-SHA-256
- SCRAM-SHA-512
JAAS/SASL configuration
KaDeck supports one JAAS configuration for every cluster configuration.
- Select either SASL_PLAINTEXT or SASL_SSL from the security protocol drop-down menu on the cluster dialog.
- The SASL tab becomes active.
- Click on the SASL tab and enter the JAAS configuration in the "Jaas Config" input field.
The JAAS configuration should have the following format:
<LoginModule> <flag> <LoginModule options>;
Example using ScramLoginModule:
org.apache.kafka.common.security.scram.ScramLoginModule required username="user" password="password";
Kerberos (Krb5.conf)
The contents of a JAAS configuration file, such as the example below, can be entered into the JAAS config input field by omitting the KafkaClient { ... } wrapper and writing the login module entry on a single line:
Original file / Krb5.conf (Kerberos)
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true useTicketCache=true
  principal="kafka-user@MYCORP.NET"
  useKeyTab=true keyTab="/home/kafka-user/kafka-user.keytab"
  client=true serviceName="kafka";
};
JAAS config input field
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true principal="kafka-user@MYCORP.NET" useKeyTab=true keyTab="/home/kafka-user/kafka-user.keytab" client=true serviceName="kafka";
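The conversion shown above, from a section of a JAAS file to the single-line value for the input field, can be scripted and checked against the `<LoginModule> <flag> <LoginModule options>;` format. This is an added example, not KaDeck code; the function name `jaas_file_to_inline` and the second `Client` section in the sample are assumptions made for illustration.

```python
import re

FLAGS = {"required", "requisite", "sufficient", "optional"}  # JAAS control flags
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[;=]|[^\s;="]+')  # quoted value, ; or =, bare word

# Constructed sample: the page's KafkaClient section plus a hypothetical second section.
SAMPLE = '''
// client login for Kafka
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true useTicketCache=true
  principal="kafka-user@MYCORP.NET"
  useKeyTab=true keyTab="/home/kafka-user/kafka-user.keytab"
  client=true serviceName="kafka";
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};
'''

def jaas_file_to_inline(text, section="KafkaClient"):
    """Return '<LoginModule> <flag> <LoginModule options>;' for one file section."""
    # Drop whole-line // comments, then isolate the body of "<section> { ... }".
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("//"))
    m = re.search(r"(?<![\w.])" + re.escape(section) + r"\s*\{(.*?)\}", text, re.S)
    if m is None:
        raise ValueError(f"section {section!r} not found")
    # Split the body into login module entries on ';' outside quoted values.
    entries, cur = [], []
    for tok in TOKEN.findall(m.group(1)):
        if tok == ";":
            entries.append(cur)
            cur = []
        else:
            cur.append(tok)
    entries = [e for e in entries + [cur] if e]  # tolerate a missing final ';'
    if len(entries) != 1:
        raise ValueError(f"expected one login module entry, found {len(entries)}")
    entry = entries[0]
    if len(entry) < 2 or entry[1] not in FLAGS:
        raise ValueError("entry must start with '<LoginModule> <flag>'")
    # Re-join on one line; no spaces around '=' so key="value" pairs stay intact.
    out = entry[0]
    for prev, tok in zip(entry, entry[1:]):
        out += tok if "=" in (prev, tok) else " " + tok
    return out + ";"

if __name__ == "__main__":
    print(jaas_file_to_inline(SAMPLE))
```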
Passing in a krb5.conf as startup parameter
The configuration via the SASL config input field is the preferred way and should normally be sufficient. If you still want to include a file as a Java parameter, you can find more information in our article about startup parameters.