Use Kerberos authentication
Learn how and when to configure Kerberos authentication.
LDAP authentication is generally easier to configure for remote clients, because it does not require Kerberos libraries or clients to be installed and the remote clients do not need direct connectivity to your Kerberos or LDAP server.
In some situations, though, Kerberos authentication may be required and/or preferred. In this
section, you run the same
kafka-console-consumer command you used for
LDAP authentication, but this time using Kerberos authentication to demonstrate the
When using Kerberos, you can use two different sources for the authentication credentials: a
ticket cache or a
keytab. The ticket cache is the
place where the Kerberos ticket for a user is stored after the user authenticates
successfully. You can use the ticket cache when the user has been already authenticated
using a username and password. The keytab is a special and sensitive file that contains
the user credentials. Keytabs do not require that the user authenticates previously.
In this example, you create a new configuration file called
client-kerberos.properties, which is similar to the
client-ldap.properties file that you used in the previous example
but with Kerberos-specific parameters. You also need an additional configuration file,
which you call either
jaas-keytab.conf, depending on the credentials source you use. This
JAAS configuration file is used to communicate the authentication credentials source
(ticket cache or keytab) to the Kafka client.
For more details on how to enable Kerberos authentication for Kafka, see Enable Kerberos authentication for Kafka clients.