kafka-jaas.config
Overview
The `kafka-jaas.config` file is a configuration file used by Apache Kafka to define Java Authentication and Authorization Service (JAAS) settings. This file specifies the login module and credentials for authenticating Kafka clients and brokers using the SASL/PLAIN mechanism. It enables Kafka to securely identify and authorize users or services attempting to connect to the Kafka cluster.
This particular file configures a JAAS login context named `KafkaServer` that uses the `PlainLoginModule` for simple username-password authentication. It defines an administrative user as well as other Kafka users with their respective credentials.
Configuration Structure and Purpose
The JAAS configuration syntax in this file follows the general format:
<loginContextName> {
    <loginModuleClass> <controlFlag>
    <options>;
};
loginContextName (`KafkaServer`): This is the context that Kafka references when initializing SASL authentication on the server side.
loginModuleClass (`org.apache.kafka.common.security.plain.PlainLoginModule`): Specifies the class that performs the actual authentication using plain text username and password.
controlFlag (`required`): Indicates that this login module is mandatory for authentication.
options: Key-value pairs providing configuration parameters to the login module.
Detailed Explanation of Configuration Entries
KafkaServer Login Context
KafkaServer {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    serviceName="kafka"
    username="admin"
    password="admin-secret"
    user_admin="admin-secret"
    user_camel="camel-secret";
};
`serviceName="kafka"`: Identifies the service name that this login module authenticates against. Kafka clients and brokers using SASL/PLAIN must specify the same service name.
`username="admin"` and `password="admin-secret"`: These are the credentials for the principal user, typically the Kafka broker or server itself.
`user_admin="admin-secret"` and `user_camel="camel-secret"`: These define additional Kafka users with their respective passwords. These users can authenticate against the Kafka cluster using SASL/PLAIN.
`user_admin` corresponds to the user `admin` with password `admin-secret`.
`user_camel` corresponds to the user `camel` with password `camel-secret`.
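An added example (not part of the original page or of Kafka itself): a small Python parser for the JAAS entry above, plus two checks a reviewer would run on a PLAIN configuration. It assumes the broker's own `username`/`password` pair is used for broker-to-broker logins and so must also appear as a `user_` entry; the function names and the password heuristic are this example's own.

```python
import re

SAMPLE_JAAS = '''KafkaServer {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  serviceName="kafka" username="admin" password="admin-secret"
  user_admin="admin-secret" user_camel="camel-secret";
};'''  # constructed sample: the KafkaServer context shown on this page

# A quoted string is one token, so ';' or '}' inside a password cannot end an entry.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[{};=]|[^\s{};="]+')

def parse_jaas(text):
    """Return {context: [(module_class, control_flag, {options})]}; comments unsupported."""
    toks, contexts, i = TOKEN_RE.findall(text), {}, 0
    try:
        while i < len(toks):
            name, modules = toks[i], []
            if toks[i + 1] != "{":
                raise ValueError(f"expected '{{' after {name!r}")
            i += 2
            while toks[i] != "}":
                cls, flag, opts = toks[i], toks[i + 1], {}
                i += 2
                while toks[i] != ";":
                    key, _eq, val = toks[i:i + 3]
                    opts[key] = val[1:-1] if val.startswith('"') else val
                    i += 3
                modules.append((cls, flag, opts))
                i += 1  # skip the ';' that ends this module entry
            contexts[name] = modules
            i += 2  # skip '}' and the ';' that closes the context
    except IndexError:
        raise ValueError("truncated JAAS entry") from None
    return contexts

def audit_plain_users(modules):
    """Return (user, issue) pairs for the PlainLoginModule entries of one context."""
    findings = []
    for cls, _flag, opts in modules:
        if not cls.endswith(".PlainLoginModule"):
            continue
        users = {k[5:]: v for k, v in opts.items() if k.startswith("user_")}
        login = opts.get("username")
        if login is not None and users.get(login) != opts.get("password"):
            findings.append((login, "broker login has no matching user_ entry"))
        findings += [(u, "password contains the user name")  # heuristic of this example
                     for u, pw in users.items() if u.lower() in pw.lower()]
    return findings
```

Run against the sample, `audit_plain_users(parse_jaas(SAMPLE_JAAS)["KafkaServer"])` reports both `admin` and `camel`, because each password is built from its user name.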
Usage Example
This JAAS configuration file is referenced by Kafka broker or client processes via the system property:
-Djava.security.auth.login.config=/path/to/kafka-jaas.config
Example Kafka broker startup command snippet:
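# JVM system properties reach the broker through KAFKA_OPTS; arguments after the properties file are not passed to the JVM.
KAFKA_OPTS="-Djava.security.auth.login.config=/etc/kafka/kafka-jaas.config" \
    kafka-server-start.sh config/server.properties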
This enables the Kafka server to authenticate clients connecting with the SASL/PLAIN mechanism using the credentials defined in this JAAS config.
Important Implementation Details
PlainLoginModule: This module implements a simple username-password authentication mechanism. It is not secure on its own and should be combined with TLS/SSL encryption to protect credentials in transit.
Multiple users: The configuration allows defining multiple users by prepending `user_` to the username and assigning passwords. This enables Kafka to authenticate multiple clients with different credentials.
Scope: This file is specifically used by Kafka brokers and clients that require SASL/PLAIN authentication. It does not contain any logic or executable code but acts as a declarative configuration.
Interaction with Other System Components
Kafka Broker: The broker uses this JAAS config file to authenticate incoming client connections that use SASL/PLAIN. It checks the username and password against those specified here.
Kafka Clients: Clients must be configured with matching SASL/PLAIN credentials and the same `serviceName` to authenticate successfully with the broker.
ZooKeeper: This file does not interact directly with ZooKeeper but is part of the Kafka security infrastructure.
Security Layer: Works in conjunction with SSL/TLS settings to secure communication channels and protect credentials.
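To check the TLS pairing described under Important Implementation Details and Security Layer, the following added example (not from the original page) reads a broker `server.properties` and lists the listeners on which SASL/PLAIN would run without TLS. The sample properties are constructed, the function names are this example's own, and only the broker-wide `sasl.enabled.mechanisms` setting is read.

```python
# Constructed sample broker settings (not from the page).
SAMPLE_PROPS = """
listeners=CLIENT://0.0.0.0:9092,SASL_SSL://0.0.0.0:9093
listener.security.protocol.map=CLIENT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL
sasl.enabled.mechanisms=PLAIN
"""

PROTOCOLS = ("PLAINTEXT", "SSL", "SASL_PLAINTEXT", "SASL_SSL")

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def cleartext_plain_listeners(text):
    """Return listener names on which SASL/PLAIN would run without TLS."""
    props = parse_properties(text)
    enabled = props.get("sasl.enabled.mechanisms", "GSSAPI")  # Kafka's default
    if "PLAIN" not in {m.strip().upper() for m in enabled.split(",")}:
        return []
    # Without an explicit map, a listener named after a protocol uses that protocol.
    default_map = ",".join(f"{p}:{p}" for p in PROTOCOLS)
    raw_map = props.get("listener.security.protocol.map", default_map)
    proto_map = dict(pair.strip().upper().split(":", 1)
                     for pair in raw_map.split(",") if ":" in pair)
    names = [l.split("://", 1)[0].strip().upper()
             for l in props.get("listeners", "").split(",")]
    return [n for n in names if proto_map.get(n) == "SASL_PLAINTEXT"]
```

For the sample, the `CLIENT` listener is reported; mapping it to `SASL_SSL` instead clears the finding.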
Mermaid Diagram
Below is a flowchart illustrating how the `kafka-jaas.config` fits into the Kafka SASL authentication workflow:
flowchart TD
Client["Kafka Client"]
Broker["Kafka Broker"]
JAASConfig["kafka-jaas.config\n(PlainLoginModule)"]
SASL_PLAIN["SASL/PLAIN Auth"]
Credentials["Username & Password"]
AuthResult["Authentication Result"]
Client -->|Sends Credentials| SASL_PLAIN
Broker -->|Uses| JAASConfig
SASL_PLAIN -->|Validates Credentials\nusing JAASConfig| JAASConfig
SASL_PLAIN -->|Success or Failure| AuthResult
AuthResult --> Broker
AuthResult --> Client
Summary
`kafka-jaas.config` provides SASL/PLAIN authentication credentials for Kafka brokers and clients.
It defines a login context `KafkaServer` using `PlainLoginModule` with required control.
Contains usernames and passwords for multiple users.
Used by Kafka processes via JVM system property to enable authentication.
Must be paired with secure transport (SSL/TLS) to ensure confidentiality.
Integral part of Kafka’s security configuration enabling controlled access to the Kafka cluster.
This documentation provides a comprehensive understanding of the `kafka-jaas.config` file, its role in Kafka security, and how it supports SASL/PLAIN authentication workflows.