
How to Enable SASL Authentication in Apache Kafka

To enable SASL in Kafka, configure the server.properties file with security.inter.broker.protocol=SASL_PLAINTEXT or SASL_SSL and set sasl.mechanism.inter.broker.protocol. Also, configure sasl.enabled.mechanisms and provide JAAS login modules for authentication. Restart Kafka brokers after these changes.

Syntax

To enable SASL in Kafka, you need to set these key properties in server.properties:

  • security.inter.broker.protocol: Protocol used between brokers, e.g., SASL_PLAINTEXT or SASL_SSL.
  • sasl.mechanism.inter.broker.protocol: SASL mechanism for inter-broker communication, e.g., PLAIN, GSSAPI.
  • sasl.enabled.mechanisms: List of SASL mechanisms enabled, e.g., PLAIN,GSSAPI.
  • JAAS configuration file specifying login modules for authentication.
properties
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN

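# The JAAS config file path is not a server.properties entry; pass it to the broker
# as a JVM option, for example through the KAFKA_OPTS environment variable:
# -Djava.security.auth.login.config=/path/to/kafka_server_jaas.conf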

Example

This example shows how to enable SASL/PLAIN authentication on a Kafka broker using SASL_PLAINTEXT protocol.

properties
# server.properties
listeners=SASL_PLAINTEXT://:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN

# JAAS config file kafka_server_jaas.conf
KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="admin"
  password="admin-secret"
  user_admin="admin-secret";
};
Output
Kafka broker starts with SASL/PLAIN enabled on port 9092, requiring clients to authenticate with username and password.

Common Pitfalls

Common mistakes when enabling SASL in Kafka include:

  • Not setting security.inter.broker.protocol to a SASL-enabled protocol.
  • Forgetting to specify sasl.mechanism.inter.broker.protocol matching the JAAS config.
  • Not providing or incorrectly formatting the JAAS login configuration file.
  • Not restarting Kafka brokers after configuration changes.
  • Clients not configured to use SASL matching the broker settings.
properties
## Wrong: inter-broker protocol left as PLAINTEXT (no SASL)
security.inter.broker.protocol=PLAINTEXT

## Right: use a SASL-enabled protocol
security.inter.broker.protocol=SASL_PLAINTEXT
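
The broker-side pitfalls above can be checked mechanically before a restart. The following Python sketch is an added example, not part of the original page or of Kafka itself; the function names are hypothetical, the sample inputs are constructed from this page's example, and it assumes the broker is configured through security.inter.broker.protocol as shown here. It also flags SASL/PLAIN over SASL_PLAINTEXT, where passwords cross the network unencrypted.

```python
import re

# Constructed sample inputs: the SASL settings and JAAS file from this page's example.
SAMPLE_PROPERTIES = """\
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
"""
SAMPLE_JAAS = """\
KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="admin"
  password="admin-secret"
  user_admin="admin-secret";
};
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_jaas_server(text):
    """Return option="value" pairs of the KafkaServer section, or None if absent."""
    section = re.search(r"KafkaServer\s*\{(.*?)\}\s*;", text, re.S)
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', section.group(1))) if section else None

def check_broker_sasl(server_properties, jaas_conf):
    """Return findings for the pitfalls listed above; an empty list means none."""
    props, jaas = parse_properties(server_properties), parse_jaas_server(jaas_conf)
    protocol = props.get("security.inter.broker.protocol", "PLAINTEXT")  # Kafka default
    mechanism = props.get("sasl.mechanism.inter.broker.protocol", "GSSAPI")  # Kafka default
    enabled = {m.strip() for m in props.get("sasl.enabled.mechanisms", "GSSAPI").split(",")}
    findings = []
    if protocol not in ("SASL_PLAINTEXT", "SASL_SSL"):
        findings.append(f"security.inter.broker.protocol={protocol} is not SASL-enabled")
    if mechanism not in enabled:
        findings.append(f"inter-broker mechanism {mechanism} not in sasl.enabled.mechanisms")
    if jaas is None:
        findings.append("JAAS file has no well-formed KafkaServer section")
    elif mechanism == "PLAIN" and (
            "username" not in jaas or jaas.get("user_" + jaas["username"]) != jaas.get("password")):
        findings.append("KafkaServer username/password has no matching user_<name> entry")
    if protocol == "SASL_PLAINTEXT" and "PLAIN" in enabled:
        findings.append("SASL/PLAIN over SASL_PLAINTEXT sends passwords unencrypted; prefer SASL_SSL")
    return findings
```

Run against the page's example, it reports only the unencrypted-password finding; the same settings with SASL_SSL produce no findings.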

Quick Reference

| Property | Description | Example Value |
|---|---|---|
| security.inter.broker.protocol | Protocol for broker communication | SASL_PLAINTEXT |
| sasl.mechanism.inter.broker.protocol | SASL mechanism for inter-broker | PLAIN |
| sasl.enabled.mechanisms | List of enabled SASL mechanisms | PLAIN,GSSAPI |
| listeners | Broker listeners with SASL | SASL_PLAINTEXT://:9092 |
| java.security.auth.login.config | Path to JAAS config file | /path/to/kafka_server_jaas.conf |

Key Takeaways

  • Set security.inter.broker.protocol to a SASL-enabled protocol like SASL_PLAINTEXT or SASL_SSL.
  • Configure sasl.mechanism.inter.broker.protocol to match your authentication mechanism.
  • Provide a correct JAAS login configuration file for Kafka broker authentication.
  • Restart Kafka brokers after changing SASL settings to apply them.
  • Ensure Kafka clients are configured to use SASL with matching mechanisms.