How to Configure Authentication in Kafka: Simple Steps
To configure authentication in Kafka, enable SASL or SSL in the broker and client properties. Set security.inter.broker.protocol and sasl.mechanism.inter.broker.protocol on brokers, and configure client security.protocol and sasl.mechanism accordingly for secure connections.
Syntax
Kafka authentication is configured via properties in server.properties for brokers and client.properties for clients. Key properties include:
- security.inter.broker.protocol: Protocol used between brokers (e.g., SASL_SSL).
- sasl.mechanism.inter.broker.protocol: SASL mechanism for broker communication (e.g., PLAIN, SCRAM-SHA-256).
- security.protocol: Protocol used by clients to connect (e.g., SASL_SSL).
- sasl.mechanism: SASL mechanism used by clients (e.g., PLAIN).
```properties
# Broker config example
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256

# Client config example
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-256
```
Example
This example shows how to configure a Kafka broker and client for SASL/PLAIN authentication over SSL.
```properties
# Broker configuration (server.properties)
listeners=SASL_SSL://:9093
advertised.listeners=SASL_SSL://localhost:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
    username="admin" \
    password="admin-secret" \
    user_admin="admin-secret" \
    user_alice="alice-secret";
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=keystore-password
ssl.key.password=key-password
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=truststore-password

# Client configuration (client.properties)
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
    username="alice" \
    password="alice-secret";
ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
ssl.truststore.password=truststore-password
```
Output
Kafka broker starts with SASL/PLAIN over SSL enabled; clients authenticate using username and password securely.
Common Pitfalls
- Forgetting to enable sasl.enabled.mechanisms on the broker causes authentication failure.
- Misconfiguring JAAS config strings leads to login errors.
- Not setting SSL keystore and truststore properly causes SSL handshake failures.
- Using mismatched security.protocol between client and broker blocks connection.
```properties
# Wrong JAAS config example (missing required keyword)
listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule \
    username="admin" \
    password="admin-secret";

# Correct JAAS config example
listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
    username="admin" \
    password="admin-secret";
```
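The pitfalls listed above can be caught by linting the two properties files before a broker restart. The Python sketch below is an added example, not code from the original page or from Kafka; `parse_properties`, `check_auth_config` and the sample configs are constructed for illustration, and it assumes listener names equal their security protocol names, as in the example above.

```python
import re

JAAS_FLAGS = {"required", "requisite", "sufficient", "optional"}  # JAAS control flags

def parse_properties(text):
    """Parse .properties text into a dict, joining backslash-continued lines."""
    lines = (ln.strip() for ln in re.sub(r"\\[ \t]*\n[ \t]*", " ", text).splitlines())
    pairs = (ln.split("=", 1) for ln in lines if ln and not ln.startswith("#") and "=" in ln)
    return {k.strip(): v.strip() for k, v in pairs}

def check_auth_config(broker, client):
    """Return a list of findings for the pitfalls above; an empty list means none."""
    findings = []
    enabled = {m.strip() for m in broker.get("sasl.enabled.mechanisms", "").split(",") if m.strip()}
    for side, props, key in (("broker", broker, "sasl.mechanism.inter.broker.protocol"),
                             ("client", client, "sasl.mechanism")):
        mech = props.get(key)
        if mech and mech not in enabled:
            findings.append(f"{side}: {key}={mech} is not in broker sasl.enabled.mechanisms")
    # Assumption: listener names equal their security protocol (no listener.security.protocol.map).
    listener_protocols = {x.split("://")[0].strip() for x in broker.get("listeners", "").split(",") if x.strip()}
    proto = client.get("security.protocol")
    if proto not in listener_protocols:
        findings.append(f"client: security.protocol={proto} matches no broker listener")
    if proto == "SASL_PLAINTEXT" and client.get("sasl.mechanism") == "PLAIN":
        findings.append("client: SASL/PLAIN without TLS sends the password unencrypted")
    for side, props in (("broker", broker), ("client", client)):
        for key, value in props.items():
            if key.endswith("sasl.jaas.config"):
                tokens = value.split()
                if len(tokens) < 2 or tokens[1] not in JAAS_FLAGS:
                    findings.append(f"{side}: {key} lacks a control flag such as 'required'")
                if not value.endswith(";"):
                    findings.append(f"{side}: {key} does not end with ';'")
    return findings

# Constructed sample input: the wrong JAAS string from above plus a client mechanism mismatch.
BROKER_BAD = parse_properties(r'''
listeners=SASL_SSL://:9093
sasl.enabled.mechanisms=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
listener.name.sasl_ssl.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule \
    username="admin" \
    password="admin-secret";
''')
CLIENT_BAD = parse_properties("security.protocol=SASL_SSL\nsasl.mechanism=SCRAM-SHA-256\n")

for finding in check_auth_config(BROKER_BAD, CLIENT_BAD):
    print(finding)
```

Run against the sample, it reports the client mechanism that the broker has not enabled and the broker JAAS string that lacks its control flag.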
Quick Reference
| Property | Description | Example Value |
|---|---|---|
| security.inter.broker.protocol | Protocol between Kafka brokers | SASL_SSL |
| sasl.mechanism.inter.broker.protocol | SASL mechanism for broker communication | SCRAM-SHA-256 |
| sasl.enabled.mechanisms | List of enabled SASL mechanisms | PLAIN,SCRAM-SHA-256 |
| security.protocol | Protocol used by clients | SASL_SSL |
| sasl.mechanism | SASL mechanism used by clients | PLAIN |
| listener.name.sasl_ssl.plain.sasl.jaas.config | JAAS config for SASL/PLAIN | PlainLoginModule required username="user" password="pass"; |
| ssl.keystore.location | Path to SSL keystore file | /path/to/keystore.jks |
| ssl.truststore.location | Path to SSL truststore file | /path/to/truststore.jks |
Key Takeaways
Enable SASL or SSL protocols in both broker and client configurations for authentication.
Set JAAS configuration properly with the required keyword and correct credentials.
Match security.protocol and sasl.mechanism settings between clients and brokers.
Configure SSL keystore and truststore files correctly to avoid handshake errors.
Test authentication setup with simple clients before production deployment.