Aditya

Reputation: 41

Has anyone got a working configuration for Kafka KRaft with SASL_SSL or even just SSL enabled?

I'm trying to get a Kafka cluster with KRaft off the ground. I plan to use it in production, and the Kafka documentation recommends not running a node in the "broker,controller" mode in production. So I'm splitting up the controllers and the brokers across multiple nodes.

The standard Kafka SSL options worked ok with nodes in "broker,controller" mode, but running just in "controller" mode, they seem to not get picked up at all.

Using the standard Kafka SSL options results in the process simply not picking up the certificate. Running openssl s_client shows that the process listening on the port doesn't return a certificate.

Upvotes: 0

Views: 1338

Answers (1)

piyush gupta

Reputation: 1

It seems like we can't configure OAuth for controllers separately. Only brokers support it. Maybe this is future work. If you really want to secure controllers separately, then you can use another auth mechanism [SASL/SCRAM], which is provided by Confluent in its public documentation: KRaft Security.

There is another document which I got from Cloudera, where they claim that the connection between controllers and brokers can be secured using TLS/SSL encryption, TLS/SSL authentication, and/or Kerberos authentication. But OAuth is not mentioned anywhere: Cloudera Document. Feel free to add comments if you have already found a way to authenticate controller-controller and controller-broker communication. This can help me as well.

Upvotes: 0
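A check worth running against the symptom in the question (a controller port that returns no certificate), as an added example that is not from either poster: Kafka's documentation for `listener.security.protocol.map` says that in KRaft mode the names in `controller.listener.names` are assumed to be PLAINTEXT when no explicit mapping is given. The sketch below lints a node's properties for that case and for TLS listeners with no keystore settings; the sample configs, host name and paths are constructed, and whether this is the cause of the asker's problem is an assumption.

```python
TLS_PROTOCOLS = {"SSL", "SASL_SSL"}
# Kafka's built-in map when listener.security.protocol.map is not set.
DEFAULT_MAP = {p: p for p in ("PLAINTEXT", "SSL", "SASL_PLAINTEXT", "SASL_SSL")}
KEY_MATERIAL = ("ssl.keystore.location", "ssl.keystore.certificate.chain")

# Constructed sample: controller-only node with a keystore but no explicit map.
WEAK = """\
process.roles=controller
node.id=1
controller.quorum.voters=1@controller-1.example.internal:9093
listeners=CONTROLLER://:9093
controller.listener.names=CONTROLLER
ssl.keystore.location=/etc/kafka/controller.keystore.jks
"""
# Constructed sample: same node with the controller listener mapped to SSL.
FIXED = WEAK + "listener.security.protocol.map=CONTROLLER:SSL\n"

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint_listeners(text):
    """Return {listener: problem} for listeners that cannot serve TLS."""
    props = parse_properties(text)
    raw = props.get("listener.security.protocol.map")
    pairs = (p.split(":", 1) for p in raw.split(",") if ":" in p) if raw else DEFAULT_MAP.items()
    proto_map = {k.strip().upper(): v.strip().upper() for k, v in pairs}
    problems = {}
    for entry in props.get("listeners", "").split(","):
        name = entry.split("://", 1)[0].strip().upper()
        if not name:
            continue
        # Simplification (assumption): any unmapped name is treated as PLAINTEXT.
        protocol = proto_map.get(name, "PLAINTEXT")
        if protocol not in TLS_PROTOCOLS:
            problems[name] = f"resolves to {protocol}, no TLS"
        elif not any(k in props or f"listener.name.{name.lower()}.{k}" in props for k in KEY_MATERIAL):
            problems[name] = "TLS listener without keystore settings"
    return problems

if __name__ == "__main__":
    print("weak :", lint_listeners(WEAK))
    print("fixed:", lint_listeners(FIXED))
```

An empty result only means the file asks for TLS on every listener; confirming with `openssl s_client` against the running port, as the question does, is still the real test.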
