SASL/Kerberos Configuration

This article describes how to configure a server connection with SASL and Kerberos correctly. 

 

Introduction

KaDeck supports a variety of configurations when connecting to a server using SASL.

Supported security protocols

SASL_PLAINTEXT
SASL_SSL

 

Supported SASL mechanisms

PLAIN
GSSAPI
SCRAM-SHA-256
SCRAM-SHA-512

 

JAAS/SASL configuration

KaDeck supports one JAAS configuration for every cluster configuration.

  1. Select either SASL_PLAINTEXT or SASL_SSL from the security protocol drop-down menu on the cluster dialog.
  2. The SASL tab becomes active.
  3. Click on the SASL tab and enter the JAAS configuration in the "Jaas Config" input field.

The JAAS configuration should have the following format:

<LoginModule> <flag> <LoginModule options>;

Example using ScramLoginModule:

org.apache.kafka.common.security.scram.ScramLoginModule required username="user" password="password";

 

Kerberos (Krb5.conf) 

A JAAS configuration file, as in the following example, can be entered into the JAAS config input field as follows:

Original file / Krb5.conf (Kerberos)

KafkaClient {
 com.sun.security.auth.module.Krb5LoginModule required
 doNotPrompt=true
 useTicketCache=true
 principal="[email protected]"
 useKeyTab=true
 keyTab="/home/kafka-user/kafka-user.keytab"
 client=true
serviceName="kafka" };

JAAS config input field

com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true principal="[email protected]" useKeyTab=true keyTab="/home/kafka-user/kafka-user.keytab" client=true serviceName="kafka";

 

Passing in a krb5.conf as startup parameter

The configuration via the SASL config input field is the preferred way and should normally be sufficient. If you still want to include a file as a Java parameter, you can find more information in our article about startup parameters.

Was this article helpful?
3 out of 7 found this helpful

Comments

0 comments

Please sign in to leave a comment.