Configuring SCRAM-SHA-512 authentication

Learn how to enable SCRAM-SHA-512 authentication and generate SCRAM credentials for your clients.

To enable SCRAM-SHA-512 authentication, configure a listener in your Kafka resource with authentication.type set to scram-sha-512. You then create a KafkaUser resource for each client to generate its SCRAM credentials. Note that the listener below has tls set to false: SCRAM keeps the password itself off the wire, but all traffic on that listener is unencrypted, so set tls to true on any listener that is reachable from outside a trusted network.

#...
kind: Kafka
metadata:
  name: my-cluster
  namespace: kafka
spec:
  kafka:
    listeners:
      - name: scram
        port: 9093
        type: internal
        tls: false
        authentication:
          type: scram-sha-512

To generate SCRAM credentials that your clients can use to access Kafka, create a KafkaUser resource with spec.authentication.type set to scram-sha-512. The strimzi.io/cluster label must name the Kafka cluster the user belongs to, otherwise the User Operator ignores the resource. For example:

#...
kind: KafkaUser
metadata:
  name: my-user
  namespace: kafka
  labels:
    strimzi.io/cluster: my-cluster
spec:
  authentication:
    type: scram-sha-512

When the KafkaUser resource is created, the Strimzi User Operator creates a Secret with the same name as the KafkaUser. The Secret contains the generated password (data.password) and a ready-made JAAS configuration string (data.sasl.jaas.config). Like all Kubernetes Secret data, both values are base64-encoded and must be decoded when you retrieve them for use.

Using kubectl, you can extract either value. When configuring a client you typically need only the JAAS string, because it is the value you set for sasl.jaas.config in the Kafka client configuration (the password is already embedded in it). The following command prints the decoded JAAS configuration for a user:

kubectl get secret [***SECRET NAME***] \
  --namespace [***NAMESPACE***] \
  --output jsonpath='{.data.sasl\.jaas\.config}' \
| base64 -d
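The steps above put together, as an added example that is not part of the original page or of Strimzi: a POSIX shell script that reads the JAAS string from the user's Secret, checks that it really is a SCRAM login module line before trusting it, and renders the client properties for the listener shown above. The sample secret value is constructed so the script can be exercised without a cluster; the client.properties layout and the rule that tls: false on the listener maps to SASL_PLAINTEXT (tls: true to SASL_SSL) are this example's assumptions.

```sh
#!/bin/sh
# Added example, not from the original page or from Strimzi: turn the Secret
# the User Operator generates for a KafkaUser into a Kafka client.properties.
# Assumptions not in the original: SAMPLE_JAAS below is constructed, and the
# SASL_PLAINTEXT/SASL_SSL choice follows the listener's tls setting.
set -eu

# Same lookup as the kubectl command above: the Secret shares the KafkaUser's
# name and the JAAS string sits under data.sasl.jaas.config (base64-encoded).
fetch_jaas() {
  kubectl get secret "$1" --namespace "$2" \
    --output 'jsonpath={.data.sasl\.jaas\.config}' \
  | base64 -d
}

# Sanity check before trusting the value: a SCRAM user's secret decodes to one
# JAAS line of the form
#   org.apache.kafka.common.security.scram.ScramLoginModule required username="..." password="...";
# Anything else (empty output, wrong key, a TLS user) should stop the script.
check_jaas() {
  case "$1" in
    *"ScramLoginModule required username=\""*"\" password=\""*"\";") return 0 ;;
    *) return 1 ;;
  esac
}

# Render the properties a Java client needs for the listener shown above.
# tls: false on the listener means SASL_PLAINTEXT; tls: true means SASL_SSL,
# in which case the client also needs the cluster CA in a truststore (not shown).
render_client_properties() {
  jaas="$1"; tls="$2"
  if [ "$tls" = "true" ]; then proto=SASL_SSL; else proto=SASL_PLAINTEXT; fi
  printf 'security.protocol=%s\nsasl.mechanism=SCRAM-SHA-512\nsasl.jaas.config=%s\n' \
    "$proto" "$jaas"
}

# Constructed sample standing in for the .data.sasl.jaas.config field of the
# Secret, base64-encoded exactly as kubectl prints it.
SAMPLE_JAAS='org.apache.kafka.common.security.scram.ScramLoginModule required username="my-user" password="constructed-example-password";'
SAMPLE_JAAS_B64=$(printf '%s' "$SAMPLE_JAAS" | base64 | tr -d '\n')

# Usage: sh scram-client-config.sh SECRET NAMESPACE true|false > client.properties
# With no arguments the script runs against the constructed sample instead of
# a cluster.
if [ "$#" -eq 3 ]; then
  jaas=$(fetch_jaas "$1" "$2"); tls="$3"
else
  jaas=$(printf '%s' "$SAMPLE_JAAS_B64" | base64 -d); tls=false
fi
check_jaas "$jaas" || { echo "unexpected secret contents; is this a scram-sha-512 user?" >&2; exit 1; }
render_client_properties "$jaas" "$tls"
```

The rendered file contains the user's password in clear, so write it with a restrictive umask (umask 077 before redirecting) and treat it like the Secret it was derived from.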