Use SASL PLAINTEXT in Kafka

NOTE
Enabling SASL PLAINTEXT authentication is described in the article SASL PLAINTEXT. With SASL_PLAINTEXT and the PLAIN mechanism, user names and passwords travel over the network unencrypted, so use it only on a network you trust.

Check the SASL PLAINTEXT installation

  1. Check the security and authentication configuration of the Kafka brokers.

    On each host with a Kafka broker, open the broker configuration file:

    $ vim /etc/kafka/conf/server.properties

    Verify that in the server.properties file of each Kafka broker the security protocol is set to SASL_PLAINTEXT, the authentication mechanism is set to PLAIN, and passwords have been generated for all ADS cluster services:

    security.inter.broker.protocol=SASL_PLAINTEXT
    
    
    sasl.mechanism.inter.broker.protocol=PLAIN
    sasl.enabled.mechanisms=PLAIN
    
    listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common$
      username=kafka \
      password="kafka-password" \
      user_kafka="kafka-password" \
      user_ksql-server="ksql-server-password" \
      user_kafka-rest="kafka-rest-password" \
      user_schema-registry="schema-registry-password" \
      user_kafka-manager="kafka-manager-password" \
      user_kafka-connect="kafka-connect-password";
  2. Verify that after installing SASL PLAINTEXT, the listeners parameter in the Kafka service settings has changed from PLAINTEXT://:9092 to SASL_PLAINTEXT://:9092.

    Kafka service settings

Manage users with SASL PLAINTEXT authentication in Kafka

Create a user

In order to create a user, do the following:

  1. On the cluster configuration tab in the configuration settings tree, expand the SASL_PLAINTEXT Authentication node, then the SASL_PLAINTEXT Auth username:password map node and click + Add property to create a new user.

    Creating a new user
  2. In the window that opens, enter the user name (field name), password (secret), confirm the password, and click Apply.

    The username may contain only lowercase letters, numbers, dots, underscores, and hyphens.

    Name and password for the new user
  3. Save the configuration by clicking Save.

  4. Restart the Kafka service. To do this, click the actions icon in the Actions column and apply the Restart action.

  5. Make sure that the server.properties file of each Kafka broker now contains an entry for the new user:

    listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common$
      username=kafka \
      password="kafka-password" \
      user_kafka="kafka-password" \
      user_ksql-server="ksql-server-password" \
      user_kafka-rest="kafka-rest-password" \
      user_schema-registry="schema-registry-password" \
      user_kafka-manager="kafka-manager-password" \
      user_kafka-connect="kafka-connect-password" \
      user_new_user="password";

    where:

    • new_user — the name entered when the user was created (the user_ prefix marks the entry as a user definition and is not part of the name);

    • password — the password set for the user.
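The following script is an added example and is not part of the ADS documentation or of Kafka itself. It performs the checks from the two procedures above without opening the file in an editor: it verifies the protocol and mechanism settings in server.properties, lists the users defined in the listener JAAS line, confirms that a given user is present, and checks that the file, which holds every service password in cleartext, is not world-readable. The file paths and the sample server.properties it writes are constructed for the example; the JAAS class name, which the listing above shows cut off, is written out in full.

```shell
#!/usr/bin/env bash
# Added example (not from the ADS documentation): audit the SASL/PLAIN settings
# of a Kafka broker's server.properties and list the users defined in it.
# The file paths and the sample file below are constructed for this example.
set -euo pipefail

# Join lines ending with a backslash so the multi-line JAAS value becomes one line.
join_continuations() {
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1"
}

# List the SASL/PLAIN users: every user_<name>=<password> token in the listener
# JAAS line defines one user; the user_ prefix is not part of the user name.
sasl_users() {
    join_continuations "$1" \
        | grep -E '^listener\.name\.sasl_plaintext\.plain\.sasl\.jaas\.config=' \
        | grep -oE 'user_[A-Za-z0-9._-]+=' \
        | sed -e 's/^user_//' -e 's/=$//'
}

# Succeeds if <name> is one of the users defined in the file.
has_sasl_user() {
    sasl_users "$1" | grep -xF -- "$2" >/dev/null
}

# Check the broker-side settings the article asks you to verify.
# Prints one line per check; returns non-zero if any of them is missing.
check_broker_sasl() {
    local file=$1 rc=0 pattern
    for pattern in \
        '^listeners=SASL_PLAINTEXT://:9092$' \
        '^security\.inter\.broker\.protocol=SASL_PLAINTEXT$' \
        '^sasl\.mechanism\.inter\.broker\.protocol=PLAIN$' \
        '^sasl\.enabled\.mechanisms=PLAIN$'
    do
        if grep -qE "$pattern" "$file"; then
            printf 'ok   %s\n' "$pattern"
        else
            printf 'FAIL %s\n' "$pattern"
            rc=1
        fi
    done
    return "$rc"
}

# server.properties carries every service password in cleartext: succeed only
# if "others" have no read permission on it.
not_world_readable() {
    [ -z "$(find "$1" -perm -o=r)" ]
}

# Constructed sample resembling the listing in the article, with the JAAS class
# name written out in full (the article shows it cut off).
write_sample_server_properties() {
    cat > "$1" <<'EOF'
broker.id=1
listeners=SASL_PLAINTEXT://:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  username=kafka \
  password="kafka-password" \
  user_kafka="kafka-password" \
  user_ksql-server="ksql-server-password" \
  user_kafka-rest="kafka-rest-password" \
  user_schema-registry="schema-registry-password" \
  user_kafka-manager="kafka-manager-password" \
  user_kafka-connect="kafka-connect-password" \
  user_new_user="password";
EOF
}

# Usage on a broker host (assumed path):
#   SERVER_PROPERTIES=/etc/kafka/conf/server.properties bash audit-sasl.sh
if [ -n "${SERVER_PROPERTIES:-}" ]; then
    check_broker_sasl "$SERVER_PROPERTIES" || echo "some broker settings are missing"
    printf 'users: %s\n' "$(sasl_users "$SERVER_PROPERTIES" | tr '\n' ' ')"
    not_world_readable "$SERVER_PROPERTIES" || echo "WARNING: $SERVER_PROPERTIES is world-readable"
fi
```

Run it on every broker host, not just one: ADS writes the JAAS line to each broker's server.properties, and a user missing from a single broker will fail authentication only when the client happens to connect to that broker.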

Delete and change user data

In order to delete a user, on the cluster configuration tab in the configuration settings tree, expand the SASL_PLAINTEXT Authentication node, then the SASL_PLAINTEXT Auth username:password map node, and click the delete icon next to the user you want to delete.

To change user data, select the desired user, enter new data and click Apply.

After deleting a user or changing data:

  1. Save the configuration by clicking Save.

  2. Restart the Kafka service. To do this, click the actions icon in the Actions column and apply the Restart action.

User authentication in the Kafka environment

To authenticate as a user, including the kafka user that the system creates automatically, you need to create a client configuration file client.properties. To do this:

  1. Open the template file:

    $ sudo vim /etc/kafka/conf/client.properties
  2. Edit the file: uncomment the line with the sasl.jaas.config parameter and enter the user's name and password as follows:

    security.protocol=SASL_PLAINTEXT
    sasl.mechanism=PLAIN
    # Uncomment and set necessary username/password
    sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
     username="user1" \
     password="password";

    where the username and password must be enclosed in double quotation marks, as shown in the example. The file now contains a cleartext password, so restrict read access to it to the file owner.

Run the Kafka scripts (.sh files) as the created user

  1. Create a topic, passing the path to the client.properties file described above with the --command-config option:

    $ /usr/lib/kafka/bin/kafka-topics.sh --create --topic test-topic --bootstrap-server localhost:9092 --command-config /etc/kafka/conf/client.properties

    If the topic was successfully created, the following message is displayed:

    Created topic test-topic.
  2. Write messages to the topic, passing the path to client.properties with the --producer.config option:

    $ /usr/lib/kafka/bin/kafka-console-producer.sh --topic test-topic --bootstrap-server localhost:9092 --producer.config /etc/kafka/conf/client.properties
  3. Read messages from the topic, passing the path to client.properties with the --consumer.config option:

    $ /usr/lib/kafka/bin/kafka-console-consumer.sh --topic test-topic --from-beginning --bootstrap-server sov-ads-test-4.ru-central1.internal:9092 --consumer.config /etc/kafka/conf/client.properties

    Verify the read messages are correct.

Running any script with credentials that are not listed in the server.properties file of the brokers causes an authentication error, for example:

[2022-12-01 13:42:25,572] ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (sov-ads-test-4.ru-central1.internal/10.92.16.223:9092) failed authentication due to: Authentication failed: Invalid username or password (org.apache.kafka.clients.NetworkClient)
[2022-12-01 13:42:25,574] WARN [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error (org.apache.kafka.clients.admin.internals.AdminMetadataManager)
org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
Error while executing topic command : Authentication failed: Invalid username or password
[2022-12-01 13:42:25,579] ERROR org.apache.kafka.common.errors.SaslAuthenticationException: Authentication failed: Invalid username or password
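The following script is an added example, not code from the ADS documentation or from Kafka. It automates the client side of the procedure above: it writes client.properties for a user with owner-only permissions (the file holds a cleartext password), checks that the three required settings are present, that the sasl.jaas.config line is not left commented out, and that the user name and password are double-quoted, and it classifies the output of a kafka-topics.sh call so that the "Invalid username or password" error shown above is recognized. The KAFKA_BIN and BOOTSTRAP defaults, the CLIENT_* environment variables, and the "Broker may not be available" message used for the unreachable case are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not from the ADS documentation): create client.properties for a
# SASL/PLAIN user with owner-only permissions, validate it, and interpret the
# result of a Kafka CLI call made with it. KAFKA_BIN, BOOTSTRAP, CLIENT_* and the
# sample log lines used in testing are assumptions for this example.
set -euo pipefail

KAFKA_BIN=${KAFKA_BIN:-/usr/lib/kafka/bin}
BOOTSTRAP=${BOOTSTRAP:-localhost:9092}

# Write client.properties for <user>/<password>. The file holds a cleartext
# password, so it is created with mode 0600 via umask rather than chmod'ed
# afterwards, which would leave a window in which it is world-readable.
# Double quotes and backslashes would break the JAAS quoting, so they are refused.
write_client_properties() {
    local path=$1 user=$2 password=$3
    case $password in
        *\"*|*\\*) printf 'password must not contain " or \\\n' >&2; return 1 ;;
    esac
    rm -f "$path"
    (
        umask 077
        cat > "$path" <<EOF
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \\
  username="$user" \\
  password="$password";
EOF
    )
}

# Check the file against the settings the article requires. The JAAS line must
# be uncommented and username/password must be double-quoted.
validate_client_properties() {
    local path=$1 joined
    # Join backslash-continued lines so the JAAS value can be matched as one line.
    joined=$(sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$path")
    grep -qxF 'security.protocol=SASL_PLAINTEXT' <<<"$joined" \
        || { echo "missing security.protocol=SASL_PLAINTEXT" >&2; return 1; }
    grep -qxF 'sasl.mechanism=PLAIN' <<<"$joined" \
        || { echo "missing sasl.mechanism=PLAIN" >&2; return 1; }
    if ! grep -qE '^sasl\.jaas\.config=org\.apache\.kafka\.common\.security\.plain\.PlainLoginModule required +username="[^"]+" +password="[^"]+";$' <<<"$joined"; then
        if grep -qE '^#.*sasl\.jaas\.config=' <<<"$joined"; then
            echo "sasl.jaas.config is still commented out" >&2
        else
            echo "sasl.jaas.config missing or username/password not double-quoted" >&2
        fi
        return 1
    fi
}

# Map CLI output to a verdict. "Authentication failed: Invalid username or
# password" is the message the article shows for unknown or wrong credentials;
# "Broker may not be available" is assumed here as the unreachable-broker case.
classify_cli_output() {
    local output=$1
    if grep -qF 'Authentication failed: Invalid username or password' <<<"$output"; then
        echo auth-failed
    elif grep -qF 'Broker may not be available' <<<"$output"; then
        echo unreachable
    elif grep -qiE 'error|exception' <<<"$output"; then
        echo other-error
    else
        echo ok
    fi
}

# Live check: list topics with the client config and report the verdict.
# Needs a reachable broker, so it only runs when CLIENT_USER is set.
sasl_smoke_test() {
    local config=$1 output
    output=$("$KAFKA_BIN/kafka-topics.sh" --list --bootstrap-server "$BOOTSTRAP" \
        --command-config "$config" 2>&1) || true
    classify_cli_output "$output"
}

# Usage: CLIENT_USER=user1 CLIENT_PASSWORD=... bash client-check.sh
if [ -n "${CLIENT_USER:-}" ]; then
    cfg=${CLIENT_CONFIG:-./client.properties}
    write_client_properties "$cfg" "$CLIENT_USER" "${CLIENT_PASSWORD:?set CLIENT_PASSWORD}"
    validate_client_properties "$cfg"
    sasl_smoke_test "$cfg"
fi
```

A verdict of auth-failed for a user you just created usually means the Kafka service was not restarted after saving the configuration, or the user exists on some brokers but not on the one the client connected to.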