All Products
Search
Document Center

E-MapReduce:Connect to Kafka with SASL authentication

Last Updated:Jun 16, 2026

Simple Authentication and Security Layer (SASL) is a framework that allows application layers to select and implement various authentication mechanisms. SASL authenticates users and ensures that only clients with valid credentials can connect to your Kafka service, significantly improving security. This topic describes how to enable SASL and use it to connect to Kafka.

Prerequisites

A Dataflow cluster (which is a Kafka cluster) with the Kafka service selected must be created in the EMR console. For more information, see Create a Dataflow Kafka cluster.

Procedure

Step 1: Configure SASL

E-MapReduce uses the server.properties configuration file and its kafka.sasl.config.type parameter to manage its SASL configuration.

SASL is disabled by default for Kafka clusters. The following example enables SASL by using the SCRAM-SHA-512 authentication mechanism.

  1. Create a user.

    1. Connect to the master node of the cluster over SSH. For more information, see Log on to a cluster.

    2. Run the following command to create the admin user.

      kafka-configs.sh --bootstrap-server core-1-1:9092 --alter --add-config 'SCRAM-SHA-256=[password=admin-secret],SCRAM-SHA-512=[password=admin-secret]' --entity-type users --entity-name admin
      Note

      In this example, the password for the admin user is admin-secret. Replace this with your password.

  2. Go to the service configuration page.

    1. Log on to the E-MapReduce console.

    2. In the top navigation bar, select a region and a resource group as needed.

    3. Click Services in the Actions column of the target cluster.

    4. On the Services page, click Configure in the Kafka service area.

  3. Modify the SASL authentication configurations.

    1. Add SASL configuration items.

      On the server.properties tab of the Kafka service configuration page, add the configuration items.

      1. Click Add Configuration Item.

      2. In the Add Configuration Item dialog box, add the following configuration items and click OK.

        Parameter

        Value

        sasl.mechanism.inter.broker.protocol

        SCRAM-SHA-512

        sasl.enabled.mechanisms

        SCRAM-SHA-512

      3. In the dialog box that appears, enter a reason in the Execution Reason field and click Save.

    2. Modify the listener configuration.

      1. On the Configure page, click the server.properties tab.

      2. Change the value of the kafka.sasl.config.type parameter to CUSTOM and click Save.

      3. In the dialog box that appears, enter a reason in the Execution Reason field and click Save.

    3. Configure server-side JAAS.

      • Method 1: Configure server-side JAAS by adding custom configuration items.

        1. On the Kafka service configuration page, click the server.properties tab.

        2. Click Add Configuration Item, add the following configuration items, and then click OK.

          Parameter

          Value

          listener.name.sasl_plaintext.sasl.enabled.mechanisms

          SCRAM-SHA-512

          listener.name.sasl_plaintext.scram-sha-512.sasl.jaas.config

          org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin-secret" ;

        3. In the dialog box that appears, enter a reason in the Execution Reason field and click Save.

      • Method 2: Configure JAAS by using a configuration file.

        1. On the Kafka service configuration page, modify the following configuration items and click Save.

          Tab

          Parameter

          Value

          kafka_server_jaas.conf

          kafka.server.jaas.content

          KafkaServer {
          org.apache.kafka.common.security.scram.ScramLoginModule required
          username="admin"
          password="admin-secret";
          };

          server.properties

          kafka_opts

          -Djava.security.auth.login.config=/etc/taihao-apps/kafka-conf/kafka-conf/kafka_server_jaas.conf

        2. In the dialog box that appears, enter a reason in the Execution Reason field and click Confirm.

    4. Configure client-side JAAS.

      Configure client-side JAAS by using the kafka.client.jaas.content parameter in the kafka_client_jaas.conf configuration file. The Kafka Schema Registry and Kafka Rest Proxy components use this configuration at startup.

      1. On the Kafka service configuration page, modify the following configuration items and click Save.

        Tab

        Parameter

        Value

        kafka_client_jaas.conf

        kafka.client.jaas.content

        KafkaClient {
        org.apache.kafka.common.security.scram.ScramLoginModule required
        username="admin"
        password="admin-secret";
        };

        schema-registry.properties

        schema_registry_opts

        -Djava.security.auth.login.config=/etc/taihao-apps/kafka-conf/kafka-conf/kafka_client_jaas.conf

        kafka-rest.properties

        kafkarest_opts

        -Djava.security.auth.login.config=/etc/taihao-apps/kafka-conf/kafka-conf/kafka_client_jaas.conf

      2. In the dialog box that appears, enter a reason in the Execution Reason field and click Save.

  4. Restart the Kafka service.

    1. On the Configure page of the Kafka service, select More > Restart.

    2. In the dialog box that appears, enter the execution reason, and click OK.

    3. In the Confirm dialog box, click OK.

Step 2: Connect to Kafka with SASL

The following example uses the SCRAM-SHA-512 mechanism and Kafka's built-in producer and consumer tools to show how a client authenticates with and connects to the Kafka service.

  1. Log on to the master node of the cluster by using SSH. For more information, see Log on to a cluster.

  2. Create an administrator configuration file.

    1. Run the following command to create the sasl_admin.properties configuration file.

      vim sasl_admin.properties
    2. Add the following content to the file.

      security.protocol=SASL_PLAINTEXT
      sasl.mechanism=SCRAM-SHA-512
      sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin-secret";
  3. Run the following command to create a regular user.

    kafka-configs.sh --bootstrap-server core-1-1:9092 --alter --add-config 'SCRAM-SHA-256=[password=<yourUserpassword>],SCRAM-SHA-512=[password=<yourUserpassword>]' --entity-type users --entity-name <yourUsername> --command-config /root/sasl_admin.properties

    In the command, replace <yourUsername> and <yourUserpassword> with the new user's username and password.

  4. Create a user configuration file.

    1. Run the following command to create the sasl_user.properties configuration file.

      vim sasl_user.properties
    2. Add the following content to the file.

      security.protocol=SASL_PLAINTEXT
      sasl.mechanism=SCRAM-SHA-512
      sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="<yourUsername>" password="<yourUserpassword>";
  5. Run the following command to create a topic.

    kafka-topics.sh --partitions 10 --replication-factor 2 --bootstrap-server core-1-1:9092 --topic test --create --command-config /root/sasl_user.properties

    In this example, the topic name is test. Replace this with your topic name.

  6. Run the following command to produce data using the SASL configuration file.

    kafka-producer-perf-test.sh --topic test --num-records 123456 --throughput 10000 --record-size 1024 --producer-props bootstrap.servers=core-1-1:9092 --producer.config sasl_user.properties
  7. Run the following command to consume data using the SASL configuration file.

    kafka-consumer-perf-test.sh --broker-list core-1-1:9092 --messages 100000000 --topic test --consumer.config sasl_user.properties

Related topics

To encrypt data transmission between a client and the server, see Use SSL to encrypt Kafka connections.