
SASL authentication in Kafka - Step-by-Step Execution

Process Flow - SASL authentication
- Client starts connection
- Client sends SASL handshake request
- Server responds with supported SASL mechanisms
- Client selects SASL mechanism and sends authentication data
- Server verifies authentication data
- If authentication succeeds: connection established
- If authentication fails: connection closed
This flow shows how a Kafka client and server use SASL to securely authenticate before establishing a connection.
Execution Sample
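import java.util.Properties;
Properties props = new Properties();
// SASL authentication over an unencrypted connection, using the PLAIN mechanism
props.put("security.protocol", "SASL_PLAINTEXT");
props.put("sasl.mechanism", "PLAIN");
props.put("sasl.jaas.config", "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"user\" password=\"pass\";");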
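This code configures a Kafka client to use SASL PLAIN authentication with a username and password. With SASL_PLAINTEXT the connection is not TLS-encrypted, so the PLAIN credentials cross the network in cleartext; SASL_SSL is the TLS-protected counterpart.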
Process Table
| Step | Action | Client Message | Server Response | Result |
|---|---|---|---|---|
| 1 | Client starts connection | Connect request | Await SASL handshake | Connection initiated |
| 2 | Client sends SASL handshake request | SASL handshake request | SASL mechanisms list: PLAIN, SCRAM-SHA-256 | Client learns mechanisms |
| 3 | Client selects mechanism and sends auth data | SASL auth data (username/password) | Verify credentials | Server checks credentials |
| 4 | Server verifies authentication | N/A | Authentication success | Connection established |
| 5 | If credentials wrong | SASL auth data | Authentication failure | Connection closed |
💡 Execution stops when authentication succeeds or fails, ending connection setup.
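What the step 3 auth data looks like on the wire for the two mechanisms the server lists, as an added Python example (not code from the original page or from Kafka): SASL/PLAIN per RFC 4616 carries the password itself, while SCRAM-SHA-256 per RFC 5802 carries only a proof derived from it. The nonces, salt and iteration count are constructed sample values.

```python
import base64, hashlib, hmac

def plain_token(user, password, authzid=""):
    # SASL/PLAIN auth data (RFC 4616): authzid NUL username NUL password
    return b"\0".join(s.encode() for s in (authzid, user, password))

def scram_keys(password, salt, iterations):
    # The broker stores StoredKey (plus salt and iterations), not the password
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return client_key, hashlib.sha256(client_key).digest()

def scram_client_first(user, nonce):
    # "n,," = no channel binding; assumes user contains no ',' or '='
    return f"n,,n={user},r={nonce}"

def scram_client_final(password, client_first, server_first):
    # server_first looks like: r=<client+server nonce>,s=<base64 salt>,i=<iterations>
    attrs = dict(kv.split("=", 1) for kv in server_first.split(","))
    client_key, stored_key = scram_keys(
        password, base64.b64decode(attrs["s"]), int(attrs["i"]))
    without_proof = f"c=biws,r={attrs['r']}"
    auth_message = f"{client_first[3:]},{server_first},{without_proof}".encode()
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, signature))
    return f"{without_proof},p={base64.b64encode(proof).decode()}", auth_message

def server_verify(stored_key, auth_message, client_final):
    # Recover ClientKey from the proof and compare its hash with StoredKey
    proof = base64.b64decode(client_final.rsplit(",p=", 1)[1])
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)

if __name__ == "__main__":
    user, password = "user", "pass"              # values from the page's JAAS line
    print("PLAIN step 3:", plain_token(user, password))   # password visible
    # Constructed nonces and salt for the demo; a real exchange uses random ones
    first = scram_client_first(user, "clientnonce")
    server_first = "r=clientnonceservernonce,s=c2FsdA==,i=4096"
    final, auth_message = scram_client_final(password, first, server_first)
    print("SCRAM step 3:", first, "|", final)    # no password in either message
    _, stored_key = scram_keys(password, b"salt", 4096)
    print("broker accepts:", server_verify(stored_key, auth_message, final))
```

The sketch omits the client's check of the server signature and the broker's nonce check, which a full RFC 5802 exchange performs.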
Status Tracker
| Variable | Start | After Step 2 | After Step 3 | Final |
|---|---|---|---|---|
| connection_state | Disconnected | Handshake sent | Auth data sent | Authenticated or Closed |
| sasl_mechanism | None | Received list | Selected PLAIN | Used for auth |
| auth_status | None | None | Pending | Success or Failure |
Key Moments - 2 Insights
Why does the client send a SASL handshake request before authentication data?
The handshake lets the client know which SASL mechanisms the server supports (see the Process Table, step 2). Without this, the client wouldn't know how to authenticate.
What happens if the server rejects the authentication data?
The server sends an authentication failure response and closes the connection (see the Process Table, step 5). The client cannot proceed without valid credentials.
Visual Quiz - 3 Questions
Test your understanding
Look at step 3 of the Process Table. What does the client send?
A. SASL auth data (username/password)
B. Connection close request
C. SASL handshake request
D. List of supported mechanisms
💡 Hint
Check the 'Client Message' column at step 3 in the Process Table.
At which step does the server verify the client's credentials?
A. Step 2
B. Step 4
C. Step 3
D. Step 1
💡 Hint
Look at the 'Server Response' and 'Result' columns in the Process Table for step 4.
If the client changes the SASL mechanism to SCRAM-SHA-256, which Process Table step would change?
A. Step 2 - Server lists mechanisms
B. Step 4 - Server verifies authentication
C. Step 3 - Client selects mechanism and sends auth data
D. Step 5 - Authentication failure
💡 Hint
Changing the mechanism affects what the client sends in step 3.
Concept Snapshot
SASL authentication in Kafka:
- Client starts connection
- Client sends SASL handshake request
- Server replies with supported mechanisms
- Client selects mechanism and sends credentials
- Server verifies and accepts or rejects
Use properties: security.protocol, sasl.mechanism, sasl.jaas.config
Full Transcript
SASL authentication in Kafka starts when the client initiates a connection. The client sends a SASL handshake request to learn which authentication methods the server supports. The server responds with a list of mechanisms like PLAIN or SCRAM-SHA-256. The client then picks one mechanism and sends the authentication data, such as username and password. The server checks these credentials. If they are correct, the connection is established. If not, the server closes the connection. This process ensures secure authentication before any data is exchanged.