Simple Authentication and Security Layer (SASL) is a framework that allows application layers to select and implement various authentication mechanisms. SASL authenticates users and ensures that only clients with valid credentials can connect to your Kafka service, significantly improving security. This topic describes how to enable SASL and use it to connect to Kafka.
Prerequisites
A Dataflow cluster (which is a Kafka cluster) with the Kafka service selected must be created in the EMR console. For more information, see Create a Dataflow Kafka cluster.
Procedure
Step 1: Configure SASL
E-MapReduce uses the server.properties configuration file and its kafka.sasl.config.type parameter to manage its SASL configuration.
SASL is disabled by default for Kafka clusters. The following example enables SASL by using the SCRAM-SHA-512 authentication mechanism.
-
Create a user.
-
Connect to the master node of the cluster over SSH. For more information, see Log on to a cluster.
-
Run the following command to create the
adminuser.kafka-configs.sh --bootstrap-server core-1-1:9092 --alter --add-config 'SCRAM-SHA-256=[password=admin-secret],SCRAM-SHA-512=[password=admin-secret]' --entity-type users --entity-name adminNoteIn this example, the password for the
adminuser isadmin-secret. Replace this with your password.
-
-
Go to the service configuration page.
-
Log on to the E-MapReduce console.
-
In the top navigation bar, select a region and a resource group as needed.
-
Click Services in the Actions column of the target cluster.
-
On the Services page, click Configure in the Kafka service area.
-
-
Modify the SASL authentication configurations.
-
Add SASL configuration items.
On the server.properties tab of the Kafka service configuration page, add the configuration items.
-
Click Add Configuration Item.
-
In the Add Configuration Item dialog box, add the following configuration items and click OK.
Parameter
Value
sasl.mechanism.inter.broker.protocol
SCRAM-SHA-512
sasl.enabled.mechanisms
SCRAM-SHA-512
-
In the dialog box that appears, enter a reason in the Execution Reason field and click Save.
-
-
Modify the listener configuration.
-
On the Configure page, click the server.properties tab.
-
Change the value of the kafka.sasl.config.type parameter to CUSTOM and click Save.
-
In the dialog box that appears, enter a reason in the Execution Reason field and click Save.
-
-
Configure server-side JAAS.
-
Method 1: Configure server-side JAAS by adding custom configuration items.
-
On the Kafka service configuration page, click the server.properties tab.
-
Click Add Configuration Item, add the following configuration items, and then click OK.
Parameter
Value
listener.name.sasl_plaintext.sasl.enabled.mechanisms
SCRAM-SHA-512
listener.name.sasl_plaintext.scram-sha-512.sasl.jaas.config
org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin-secret" ;
-
In the dialog box that appears, enter a reason in the Execution Reason field and click Save.
-
-
Method 2: Configure JAAS by using a configuration file.
-
On the Kafka service configuration page, modify the following configuration items and click Save.
Tab
Parameter
Value
kafka_server_jaas.conf
kafka.server.jaas.content
KafkaServer { org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin-secret"; };server.properties
kafka_opts
-Djava.security.auth.login.config=/etc/taihao-apps/kafka-conf/kafka-conf/kafka_server_jaas.conf
-
In the dialog box that appears, enter a reason in the Execution Reason field and click Confirm.
-
-
-
Configure client-side JAAS.
Configure client-side JAAS by using the
kafka.client.jaas.contentparameter in thekafka_client_jaas.confconfiguration file. The Kafka Schema Registry and Kafka Rest Proxy components use this configuration at startup.-
On the Kafka service configuration page, modify the following configuration items and click Save.
Tab
Parameter
Value
kafka_client_jaas.conf
kafka.client.jaas.content
KafkaClient { org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin-secret"; };schema-registry.properties
schema_registry_opts
-Djava.security.auth.login.config=/etc/taihao-apps/kafka-conf/kafka-conf/kafka_client_jaas.conf
kafka-rest.properties
kafkarest_opts
-Djava.security.auth.login.config=/etc/taihao-apps/kafka-conf/kafka-conf/kafka_client_jaas.conf
-
In the dialog box that appears, enter a reason in the Execution Reason field and click Save.
-
-
-
Restart the Kafka service.
-
On the Configure page of the Kafka service, select .
-
In the dialog box that appears, enter the execution reason, and click OK.
-
In the Confirm dialog box, click OK.
-
Step 2: Connect to Kafka with SASL
The following example uses the SCRAM-SHA-512 mechanism and Kafka's built-in producer and consumer tools to show how a client authenticates with and connects to the Kafka service.
-
Log on to the master node of the cluster by using SSH. For more information, see Log on to a cluster.
-
Create an administrator configuration file.
-
Run the following command to create the sasl_admin.properties configuration file.
vim sasl_admin.properties -
Add the following content to the file.
security.protocol=SASL_PLAINTEXT sasl.mechanism=SCRAM-SHA-512 sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin-secret";
-
-
Run the following command to create a regular user.
kafka-configs.sh --bootstrap-server core-1-1:9092 --alter --add-config 'SCRAM-SHA-256=[password=<yourUserpassword>],SCRAM-SHA-512=[password=<yourUserpassword>]' --entity-type users --entity-name <yourUsername> --command-config /root/sasl_admin.propertiesIn the command, replace
<yourUsername>and<yourUserpassword>with the new user's username and password. -
Create a user configuration file.
-
Run the following command to create the
sasl_user.propertiesconfiguration file.vim sasl_user.properties -
Add the following content to the file.
security.protocol=SASL_PLAINTEXT sasl.mechanism=SCRAM-SHA-512 sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="<yourUsername>" password="<yourUserpassword>";
-
-
Run the following command to create a topic.
kafka-topics.sh --partitions 10 --replication-factor 2 --bootstrap-server core-1-1:9092 --topic test --create --command-config /root/sasl_user.propertiesIn this example, the topic name is
test. Replace this with your topic name. -
Run the following command to produce data using the SASL configuration file.
kafka-producer-perf-test.sh --topic test --num-records 123456 --throughput 10000 --record-size 1024 --producer-props bootstrap.servers=core-1-1:9092 --producer.config sasl_user.properties -
Run the following command to consume data using the SASL configuration file.
kafka-consumer-perf-test.sh --broker-list core-1-1:9092 --messages 100000000 --topic test --consumer.config sasl_user.properties
Related topics
To encrypt data transmission between a client and the server, see Use SSL to encrypt Kafka connections.