Learn how to configure Kafka clients for PAM authentication.
You can enable Kafka to use PAM for client to broker authentication. Client
configuration is done by adding the required properties to the client's
client.properties
file.
- Set the SASL mechanism to PLAIN.
Add the following property to the
client.properties
file.
- Configure the security protocol.
You can either use
SASL_SSL
or
SASL_PLAINTEXT
. Which
security protocol you use will depend on whether or not SSL encryption is enabled on the
broker. Add one of the following properties to the
client.properties
file.
- Configure the JAAS.
You have two options when configuring the
JAAS:
- Embed the required properties in the
client.properties
file
with the sasl.jaas.config
property.
sasl.jaas.config= \
org.apache.kafka.common.security.plain.PlainLoginModule required \
username="[USERNAME]" \
password="[PASSWORD]";
Replace [USERNAME] and [PASSWORD] with a
valid username and password.
- Use a separate JAAS config file:
- Add a KafkaClient entry with a login module item to your JAAS configuration
file.
Example
configuration:
KafkaClient {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="[USERNAME]"
password="[PASSWORD]";
};
Replace
[USERNAME] and [PASSWORD] with a valid
username and password.
- Pass the location of your JAAS configuration file as a JVM parameter through a
command line
interface
export KAFKA_OPTS="-Djava.security.auth.login.config=[PATH_TO_JAAS.CONF]"
Replace
[PATH_TO_JAAS.CONF] with the location of the JAAS
configuration file you created.
PAM authentication is configured for the client.