General SASL/Kerberos configuration

This article describes how to configure a server connection with SASL and Kerberos correctly. 

Introduction

Kadeck supports a variety of configurations when connecting to a server using SASL.

Supported security protocols

SASL_PLAINTEXT
SASL_SSL

Supported SASL mechanisms

PLAIN
GSSAPI
SCRAM-SHA-256
SCRAM-SHA-512

JAAS/SASL configuration

Kadeck supports one JAAS configuration for every cluster configuration.

  1. Select either SASL_PLAINTEXT or SASL_SSL from the security protocol drop-down menu on the cluster dialog.
  2. The SASL tab becomes active.
  3. Click on the SASL tab and enter the JAAS configuration in the "Jaas Config" input field.

The JAAS configuration should have the following format:

    <LoginModule> <flag> <LoginModule options>;

Example using ScramLoginModule:

    org.apache.kafka.common.security.scram.ScramLoginModule required username="user" password="password";

Kerberos (Krb5.conf) 

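A JAAS configuration file such as the following example can be entered into the JAAS config input field by dropping the surrounding KafkaClient { ... } section and placing the login module, its flag and its options on a single line terminated by a semicolon: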

Original file / Krb5.conf (Kerberos)

KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  useTicketCache=true
  principal="kafka-user@MYCORP.NET"
  useKeyTab=true
  keyTab="/home/kafka-user/kafka-user.keytab"
  client=true
  serviceName="kafka";
};

JAAS config input field

com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true principal="kafka-user@MYCORP.NET" useKeyTab=true keyTab="/home/kafka-user/kafka-user.keytab" client=true serviceName="kafka";
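The conversion from file to input field can be scripted. The following Python sketch is an added example, not part of Kadeck: it extracts one section of a JAAS file, checks that it holds exactly one login module with a valid control flag, and emits the single-line form. The function name and the tolerance for a missing semicolon are assumptions of this example; the sample input is the Kerberos file from this article.

```python
import re

# One token: key=value (quoted or bare value), a bare word, or the ';' terminator.
TOKEN = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s;]+)|([^\s;=]+)|(;)')
FLAGS = {"required", "requisite", "sufficient", "optional"}  # JAAS control flags

def jaas_section_to_inline(text, section="KafkaClient"):
    """Convert one section of a JAAS file to '<LoginModule> <flag> <options>;'.

    Assumes the file has no comments and no '}' inside quoted values.
    """
    m = re.search(r'\b%s\s*\{(.*?)\}' % re.escape(section), text, re.S)
    if m is None:
        raise ValueError("section %r not found" % section)
    entries, current = [], []
    for key, value, word, semi in TOKEN.findall(m.group(1)):
        if semi:                      # ';' closes one login module entry
            if current:
                entries.append(current)
            current = []
        elif key:
            current.append("%s=%s" % (key, value))
        else:
            current.append(word)      # module class name or control flag
    if current:                       # tolerate a missing ';' before the brace
        entries.append(current)
    if len(entries) != 1:             # the input field takes a single entry
        raise ValueError("expected one login module, found %d" % len(entries))
    entry = entries[0]
    if len(entry) < 2 or entry[1] not in FLAGS:
        raise ValueError("missing or invalid control flag")
    return " ".join(entry) + ";"

# Sample input: the Kerberos JAAS file shown in this article.
SAMPLE = '''KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  useTicketCache=true
  principal="kafka-user@MYCORP.NET"
  useKeyTab=true
  keyTab="/home/kafka-user/kafka-user.keytab"
  client=true
  serviceName="kafka";
};'''

if __name__ == "__main__":
    print(jaas_section_to_inline(SAMPLE))
```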

Passing in a krb5.conf as startup parameter

The configuration via the SASL config input field is the preferred way and should normally be sufficient.

