SASL authentication in Kafka - Commands & Configuration

Introduction
SASL authentication helps secure Kafka by requiring users to prove their identity before connecting. It stops unauthorized users from accessing your Kafka servers.
When you want to protect your Kafka cluster from unauthorized access.
When multiple teams share the same Kafka cluster and need separate access controls.
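When you want to encrypt user credentials during login to Kafka (this requires a SASL_SSL listener; the SASL_PLAINTEXT setup shown below sends the PLAIN password unencrypted).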
When you need to comply with security policies requiring authentication.
When running Kafka in a production environment where security is important.
Config File - server.properties
server.properties
listeners=SASL_PLAINTEXT://:9092
advertised.listeners=SASL_PLAINTEXT://localhost:9092
sasl.enabled.mechanisms=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
security.inter.broker.protocol=SASL_PLAINTEXT
listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret" user_admin="admin-secret";

This configuration file sets Kafka to use SASL with the PLAIN mechanism over plaintext connections.

listeners: Makes Kafka listen for SASL_PLAINTEXT connections on port 9092.

advertised.listeners: Tells clients how to connect to Kafka.

sasl.enabled.mechanisms: Enables the PLAIN SASL mechanism.

sasl.mechanism.inter.broker.protocol: Sets the mechanism brokers use to talk to each other.

security.inter.broker.protocol: Uses SASL_PLAINTEXT for broker communication.

listener.name.sasl_plaintext.plain.sasl.jaas.config: Provides the credentials for authentication. username and password are what this broker presents when it connects to other brokers. Each user_<name>="<password>" entry declares an account the broker accepts; without user_admin="admin-secret", logins as admin are rejected.

Commands
Starts the Kafka server with SASL authentication enabled using the provided configuration file.
Terminal
kafka-server-start.sh server.properties
Expected Output
[2024-06-01 12:00:00,000] INFO KafkaConfig values:
	listeners = SASL_PLAINTEXT://:9092
	advertised.listeners = SASL_PLAINTEXT://localhost:9092
	sasl.enabled.mechanisms = [PLAIN]
[2024-06-01 12:00:01,000] INFO Kafka started (kafka.server.KafkaServer)
Starts a Kafka producer that connects using SASL PLAIN authentication to send messages to 'test-topic'.
Terminal
kafka-console-producer.sh --broker-list localhost:9092 --topic test-topic --producer-property sasl.mechanism=PLAIN --producer-property security.protocol=SASL_PLAINTEXT --producer-property sasl.jaas.config='org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";'
Expected Output
No output (command runs silently)
--producer-property sasl.mechanism=PLAIN - Specifies the SASL mechanism to use.
--producer-property security.protocol=SASL_PLAINTEXT - Specifies the security protocol for the connection.
--producer-property sasl.jaas.config='org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";' - Provides the username and password for authentication.
Starts a Kafka consumer that connects using SASL PLAIN authentication to read messages from 'test-topic' from the beginning.
Terminal
kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic test-topic --from-beginning --consumer-property sasl.mechanism=PLAIN --consumer-property security.protocol=SASL_PLAINTEXT --consumer-property sasl.jaas.config='org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";'
Expected Output
No output (command runs silently)
--consumer-property sasl.mechanism=PLAIN - Specifies the SASL mechanism to use.
--consumer-property security.protocol=SASL_PLAINTEXT - Specifies the security protocol for the connection.
--consumer-property sasl.jaas.config='org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";' - Provides the username and password for authentication.
Key Concept

If you remember nothing else from this pattern, remember: SASL authentication requires both Kafka server and clients to be configured with matching security settings and credentials.

Common Mistakes
Not setting the sasl.jaas.config property on the client side.
The client cannot authenticate without the username and password, so connection fails.
Always provide sasl.jaas.config with correct credentials in client commands or config files.
Using PLAINTEXT instead of SASL_PLAINTEXT in listeners or client security.protocol.
The broker expects a SASL handshake on a SASL listener, but a PLAINTEXT client never performs one, so the connection fails.
Use SASL_PLAINTEXT or SASL_SSL consistently for listeners and client security.protocol.
Mismatching SASL mechanisms between server and client (e.g., server uses PLAIN but client uses SCRAM).
Authentication fails because server and client do not agree on the method.
Ensure the client's sasl.mechanism is one of the mechanisms listed in the server's sasl.enabled.mechanisms.
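The mistakes above can be caught before a client is ever started by comparing the two configurations. The following is an added example, not part of the original page or of Kafka itself: parse_props, check_sasl and the sample property text are constructed for illustration, and it assumes listener names equal their protocol names, as in this page's server.properties.

```python
import re

def parse_props(text):
    """Parse simple Java .properties text (no line continuations) into a dict."""
    pairs = (ln.split("=", 1) for ln in map(str.strip, text.splitlines())
             if "=" in ln and not ln.startswith(("#", "!")))
    return {k.strip(): v.strip() for k, v in pairs}

def check_sasl(broker, client):
    """Return a list of findings for a client config checked against a broker config."""
    findings = []
    # Assumption: no listener.security.protocol.map with custom listener names.
    protocols = {item.split("://")[0].strip().upper()
                 for item in broker.get("listeners", "").split(",") if "://" in item}
    proto = client.get("security.protocol", "PLAINTEXT").upper()  # Kafka client default
    if proto not in protocols:
        findings.append(f"protocol: client {proto} not offered by broker {sorted(protocols)}")
    if not proto.startswith("SASL"):
        return findings
    enabled = {m.strip() for m in broker.get("sasl.enabled.mechanisms", "GSSAPI").split(",")}
    mech = client.get("sasl.mechanism", "GSSAPI")  # Kafka default mechanism
    if mech not in enabled:
        findings.append(f"mechanism: client {mech} not in broker {sorted(enabled)}")
    jaas = client.get("sasl.jaas.config", "")
    if not jaas:
        findings.append("jaas: client sets no sasl.jaas.config")
    elif mech == "PLAIN":
        # A PLAIN broker accepts only accounts declared as user_<name>="<password>".
        broker_jaas = " ".join(v for k, v in broker.items() if k.endswith("sasl.jaas.config"))
        accounts = dict(re.findall(r'user_([^=\s]+)="([^"]*)"', broker_jaas))
        cred = dict(re.findall(r'\b(username|password)="([^"]*)"', jaas))
        if "username" not in cred or accounts.get(cred["username"]) != cred.get("password"):
            findings.append("credentials: username/password not declared on broker")
    if proto == "SASL_PLAINTEXT" and mech == "PLAIN":
        findings.append("cleartext: PLAIN over SASL_PLAINTEXT sends the password unencrypted")
    return findings

# Constructed sample input, modelled on this page's broker and client settings.
BROKER = parse_props('''
listeners=SASL_PLAINTEXT://:9092
sasl.enabled.mechanisms=PLAIN
listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret" user_admin="admin-secret";
''')
CLIENT = parse_props('''
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="admin-secret";
''')
if __name__ == "__main__":
    print(check_sasl(BROKER, CLIENT))
```

A matching pair still reports the cleartext finding, because the settings agree but the password crosses the network unencrypted.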
Summary
Configure Kafka server with SASL settings in server.properties to enable authentication.
Start Kafka server with the SASL-enabled configuration file.
Use client commands with sasl.jaas.config and security.protocol flags to authenticate when producing or consuming messages.