This article describes how to configure a server connection with SASL and Kerberos correctly.
Introduction
Kadeck supports a variety of configurations when connecting to a server using SASL.
Supported security protocols
Supported SASL mechanisms
- PLAIN
- GSSAPI
- SCRAM-SHA-256
- SCRAM-SHA-512
JAAS/SASL configuration
Kadeck supports one JAAS configuration for every cluster configuration.
- Select either SASL_PLAINTEXT or SASL_SSL from the security protocol drop-down menu on the cluster dialog.
- The SASL tab becomes active.
- Click on the SASL tab and enter the JAAS configuration in the "Jaas Config" input field.
The JAAS configuration should have the following format:
- <LoginModule> <flag> <LoginModule options>;
Example using ScramLoginModule:
org.apache.kafka.common.security.scram.ScramLoginModule required username="user" password="password";
Kerberos (Krb5.conf)
The login module entry from a JAAS configuration file, as in the following example, can be entered into the "Jaas Config" input field as a single line, without the surrounding KafkaClient { ... }; block:
Original file / Krb5.conf (Kerberos)
KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    useTicketCache=true
    principal="kafka-user@MYCORP.NET"
    useKeyTab=true
    keyTab="/home/kafka-user/kafka-user.keytab"
    client=true
    serviceName="kafka";
};
JAAS config input field
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true principal="kafka-user@MYCORP.NET" useKeyTab=true keyTab="/home/kafka-user/kafka-user.keytab" client=true serviceName="kafka";
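The conversion shown above can be scripted. This is an added example, not Kadeck's own code: a Python converter that extracts one section from JAAS file text and emits the one-line form for the "Jaas Config" field. The name `jaas_to_inline` and the sample text are constructed for illustration, and it assumes the field takes exactly one login module entry, as in the format given earlier.

```python
import re

CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
# A token is a brace, a semicolon, or a run of bare characters and quoted strings.
TOKEN = re.compile(r'[{};]|(?:"(?:[^"\\]|\\.)*"|[^\s{};"])+')

# Constructed sample: the article's KafkaClient section, as JAAS file text.
SAMPLE = """
// client login context
KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true useTicketCache=true
  principal="kafka-user@MYCORP.NET"
  useKeyTab=true keyTab="/home/kafka-user/kafka-user.keytab"
  client=true serviceName="kafka";
};
"""

def jaas_to_inline(jaas_text, section="KafkaClient"):
    """Return the one-line '<LoginModule> <flag> <options>;' form of `section`."""
    # Drop full-line // comments, then tokenize; quoted values stay intact.
    tokens = TOKEN.findall(re.sub(r"^\s*//.*$", "", jaas_text, flags=re.M))
    try:
        start = next(i for i in range(len(tokens) - 1)
                     if tokens[i] == section and tokens[i + 1] == "{")
        end = tokens.index("}", start)
    except (StopIteration, ValueError):
        raise ValueError(f"no complete section named {section!r}") from None
    # Split the section body into login module entries at each ';'.
    entries, current = [], []
    for tok in tokens[start + 2:end]:
        if tok == ";":
            entries.append(current)
            current = []
        else:
            current.append(tok)
    if current:  # tolerate a last entry that lacks its ';'
        entries.append(current)
    entries = [e for e in entries if e]
    if len(entries) != 1:
        raise ValueError(f"expected 1 login module, found {len(entries)}")
    if len(entries[0]) < 2 or entries[0][1] not in CONTROL_FLAGS:
        raise ValueError("entry must start with '<LoginModule> <flag>'")
    bad = [o for o in entries[0][2:] if "=" not in o]
    if bad:
        raise ValueError(f"options without key=value form: {bad}")
    return " ".join(entries[0]) + ";"

if __name__ == "__main__":
    print(jaas_to_inline(SAMPLE))
```

Quoted values are kept as single tokens, so a password or path containing spaces, braces or a semicolon is carried over unchanged.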
Passing in a krb5.conf as startup parameter
The configuration via the SASL config input field is the preferred way and should normally be sufficient.