Firecow

Reputation: 591

Need Kafka KRAFT SASL_PLAINTEXT

I’m trying to get Kafka in kraft mode up n’ running with SASL_PLAINTEXT

I’ve got a functioning Kafka broker/controller up n’ running locally, without SASL, using this server.properties

process.roles=broker,controller
node.id=1
controller.quorum.voters=1@localhost:9093
listeners=PLAINTEXT://:9092,CONTROLLER://:9093
inter.broker.listener.name=PLAINTEXT
advertised.listeners=PLAINTEXT://:9092
controller.listener.names=CONTROLLER
listener.security.protocol.map=CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT

I’ve bound ports from the kafka docker container 9092 to 9092 on the host

kafka-topics.sh --list --bootstrap-server localhost:9092
kafka-topics.sh --bootstrap-server localhost:9092 --topic test --create --partitions 2 --replication-factor 1

Works like a charm, and I can produce and consume. Docker container logs look good as well.

I need some users to handle ACL on our topics, so I thought it was easy to just replace all PLAINTEXT fields with SASL_PLAINTEXT. I was wrong!!

We handle encryption on another level, so SASL_PLAINTEXT is sufficient; we don't need SASL_SSL.

This is the config/kraft/sasl_server.properties I've been trying out so far, with no luck.

I've constructed this properties file by reading this https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_plain.html

process.roles=broker,controller
node.id=1
controller.quorum.voters=1@localhost:9094
listeners=SASL_PLAINTEXT://:9092,CONTROLLER://:9094
advertised.listeners=SASL_PLAINTEXT://:9092
controller.listener.names=CONTROLLER
listener.security.protocol.map=CONTROLLER:SASL_PLAINTEXT,SASL_PLAINTEXT:SASL_PLAINTEXT

sasl.enabled.mechanisms=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
security.inter.broker.protocol=SASL_PLAINTEXT

sasl.mechanism=PLAIN
security.protocol=SASL_PLAINTEXT
listener.name.controller.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  username="admin" \
  password="admin-secret" \
  user_admin="admin-secret";
plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
   username="admin" \
   password="admin-secret";

I’m getting this error

java.lang.IllegalArgumentException: Could not find a 'KafkaServer' or 'controller.KafkaServer' entry in the JAAS configuration. System property 'java.security.auth.login.config' is not set

What am I doing wrong here?

Upvotes: 3

Views: 5462

Answers (2)

Luong Trung Kien

Reputation: 13

Kafka with kraft is not really dynamic because it supports only plain. PLAIN is not really as comfortable and secure as SCRAM auth – you can only add users with full restart of the cluster.

Ref: https://forum.confluent.io/t/self-hosted-kafka-with-kraft-ssl-and-sasl-scram-sha-256/8863/3

Upvotes: 0

Firecow

Reputation: 591

process.roles=$KAFKA_PROCESS_ROLES
node.id=$KAFKA_NODE_ID
controller.quorum.voters=$KAFKA_CONTROLLER_QUORUM_VOTERS

listeners=BROKER://:9092,CONTROLLER://:9093
advertised.listeners=BROKER://:9092
listener.security.protocol.map=BROKER:SASL_PLAINTEXT,CONTROLLER:SASL_PLAINTEXT

inter.broker.listener.name=BROKER
controller.listener.names=CONTROLLER

sasl.enabled.mechanisms=PLAIN
sasl.mechanism.controller.protocol=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN

listener.name.broker.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
    username="admin" \
    password="$KAFKA_ADMIN_PASSWORD" \
    user_admin="$KAFKA_ADMIN_PASSWORD";

listener.name.controller.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
    username="admin" \
    password="$KAFKA_ADMIN_PASSWORD" \
    user_admin="$KAFKA_ADMIN_PASSWORD";

Here is a working configuration.

sasl.mechanism.controller.protocol=PLAIN was important.

Upvotes: 5
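An added example, not part of either answer or of Kafka itself: a small check that compares a KRaft server.properties against the per-listener SASL settings the working configuration above relies on. It assumes JAAS is supplied inline (no `java.security.auth.login.config` file, as in the question's error) and uses the documented key form `listener.name.<listener>.<mechanism>.sasl.jaas.config`; the function names and the sample text are constructed for illustration.

```python
def parse_properties(text):
    """Parse Java .properties text, joining backslash-continued lines."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def split_csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def check_sasl(props):
    """List SASL settings a KRaft server.properties is missing, per listener."""
    findings = []
    mechs = split_csv(props.get("sasl.enabled.mechanisms", ""))
    proto = dict(p.split(":", 1) for p in
                 split_csv(props.get("listener.security.protocol.map", "")) if ":" in p)
    names = [n.split("://")[0] for n in split_csv(props.get("listeners", ""))]
    # A listener without a map entry falls back to its own name as the protocol.
    sasl = [n for n in names if proto.get(n, n).startswith("SASL_")]
    for name in sasl:
        for mech in mechs:
            key = f"listener.name.{name.lower()}.{mech.lower()}.sasl.jaas.config"
            if key not in props:
                findings.append(f"missing {key}")
    if set(sasl) & set(split_csv(props.get("controller.listener.names", ""))):
        if props.get("sasl.mechanism.controller.protocol") not in mechs:
            findings.append("sasl.mechanism.controller.protocol not set to an enabled mechanism")
    for key in props:
        if key.endswith("sasl.jaas.config") and not key.startswith("listener.name."):
            findings.append(f"{key} lacks the listener.name.<listener>. prefix")
    return findings

# Constructed sample, condensed from the question's non-working file.
SAMPLE = r"""
listeners=SASL_PLAINTEXT://:9092,CONTROLLER://:9094
controller.listener.names=CONTROLLER
listener.security.protocol.map=CONTROLLER:SASL_PLAINTEXT,SASL_PLAINTEXT:SASL_PLAINTEXT
sasl.enabled.mechanisms=PLAIN
listener.name.controller.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  username="admin" password="placeholder" user_admin="placeholder";
plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  username="admin" password="placeholder";
"""
```

Calling `check_sasl(parse_properties(SAMPLE))` reports the missing broker-listener JAAS key, the unset `sasl.mechanism.controller.protocol`, and the unprefixed `plain.sasl.jaas.config`; a file laid out like the working configuration produces no findings.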
