Client Authentication using Delegation Tokens

Brokers authenticate clients by verifying the delegation tokens provided by the client against the stored delegation tokens. Delegation token authentication makes use of SASL/SCRAM authentication mechanism under the hood. You can configure Kafka clients in two ways, to use individually assigned delegation tokens or to use a common delegation token.

Configuring Clients on a Producer or Consumer Level

You can set up client authentication by configuring the JAAS configuration property for each client. The JAAS configuration property can be set in the producer.properties or consumer.properties file of the client. With this configuration method, you have the ability to specify different token details for each Kafka client within a JVM. As a result you can configure Kafka clients in a way that each of them use a unique token for authentication.

Example Configuration:
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule  required \
    username="tokenID" \
    password="lAYYSFmLs4bTjf+lTZ1LCHR/ZZFNA==" \
    tokenauth="true";

There are three options that need to be specified. These are the username, password and tokenauth options.

The username and password options specify the token ID and token HMAC. The tokenauth option expresses the intent to use token authentication to the server.

Configure Clients on an Application Level

With this configuration method, you can set up all clients within a JVM to use the same delegation token for authentication.

Configure Clients to use a common delegation token by completing these steps:
  1. Add a KafkaClient entry with a login module item to your JAAS configuration file. The module has to specify the username, password and tokenauth options.
    Example:
    KafkaClient {
    org.apache.kafka.common.security.scram.ScramLoginModule  required
        username="tokenID"
        password="lAYYSFmLs4bTjf+lTZ1LCHR/ZZFNA=="
        tokenauth="true";
    }
    
  2. Pass the location of your JAAS configuration file as a JVM parameter through a command line interface. This will set the JAAS configuration on the Java process level.
    export KAFKA_OPTS="-Djava.security.auth.login.config=path/to/jaas.conf"