What is the expected behavior?
Proper server.properties generation to enable SASL_SSL through SCRAM-SHA-512 authentication for clients.
What do you see instead?
The listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config setting, translated as KAFKA_CFG_LISTENER_NAME_<LISTENER_NAME>_<PROTOCOL>_SASL_JAAS_CONFIG in the bitnami/kafka docker-compose, isn't being set properly in server.properties. The same behavior happens when the JAAS config file is mounted in the container.
Generated server.properties:
############################# Group Coordinator Settings #############################
# The following configuration specifies the time, in milliseconds, that the GroupCoordinator will delay the initial consumer rebalance.
# The rebalance will be further delayed by the value of group.initial.rebalance.delay.ms as new members join the group, up to a maximum of max.poll.interval.ms.
# The default value for this is 3 seconds.
# We override this to 0 here as it makes for a better out-of-the-box experience for development and testing.
# However, in production environments the default value of 3 seconds is more suitable as this will help to avoid unnecessary, and potentially expensive, rebalances during application startup.
#group.initial.rebalance.delay.ms=0
auto.create.topics.enable=false
controller.listener.names=CONTROLLER
controller.quorum.voters=101@kafka-controller01:9093,102@kafka-controller02:9093,103@kafka-controller03:9093
inter.broker.listener.name=BROKER
listener.name.broker.ssl.client.auth=required
listener.name.controller.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="kafka-controller" password="changeit" user_kafka-controller="changeit";
listener.name.external.ssl.client.auth=required
listener.name.internal.ssl.client.auth=required
node.id=104
process.roles=broker
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.controller.protocol=PLAIN
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
ssl.keystore.location=/bitnami/kafka/config/certs/kafka.keystore.jks
ssl.keystore.password=changeit
ssl.keystore.type=JKS
ssl.truststore.location=/bitnami/kafka/config/certs/kafka.truststore.jks
ssl.truststore.password=changeit
ssl.client.auth=required
ssl.truststore.type=JKS
listener.name.controller.sasl.enabled.mechanisms=PLAIN
listener.name.broker.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="kafka-broker" password="changeit";
listener.name.internal.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;
listener.name.external.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;
Both internal and external have no defined user/password with both methods:
Name and Version
bitnami/kafka 3.8.0
What architecture are you using?
None
What steps will reproduce the bug?
1. JAAS set up with environment variables
2. JAAS set up with a configuration file:
3. The kafka_server_jaas.conf
4. The .env file
It's resulting in such logs on kafka-broker01 when trying to initiate a connection with a client:
Additional information
I am aware of those two current issues, #27566 and #41415, where the controller doesn't support SCRAM but only PLAIN.
If you have an alternative solution or if you think there is any misconfiguration, please let me know. Thank you.
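An added check, not part of this issue or of the bitnami image: a small Python script that parses a server.properties like the one above and audits each listener.name.<listener>.<mechanism>.sasl.jaas.config entry against the Kafka SASL/SCRAM rule that the username/password in a ScramLoginModule entry are only used by the broker's own client side on the inter-broker listener, while client-facing SCRAM listeners need only `ScramLoginModule required;` (SCRAM credentials live in the cluster metadata, not in JAAS). The embedded sample is a constructed excerpt of the generated properties shown in the issue.

```python
import re

# Constructed sample: the SASL-relevant lines of the generated server.properties above.
SERVER_PROPERTIES = """
inter.broker.listener.name=BROKER
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
listener.name.broker.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="kafka-broker" password="changeit";
listener.name.internal.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;
listener.name.external.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required;
"""

JAAS_KEY = re.compile(r"^listener\.name\.([^.]+)\.([^.]+)\.sasl\.jaas\.config$")
CRED = re.compile(r'\b(username|password)="([^"]*)"')


def parse_properties(text):
    """Parse Java .properties text into a dict (comments and blank lines skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # JAAS values may contain spaces but not '='
        props[key.strip()] = value.strip()
    return props


def audit_jaas(props):
    """Return one finding per listener JAAS entry, checked against the inter-broker listener."""
    inter_broker = props.get("inter.broker.listener.name", "").lower()
    findings = []
    for key, value in props.items():
        m = JAAS_KEY.match(key)
        if not m:
            continue
        listener, mechanism = m.group(1).lower(), m.group(2).lower()
        creds = dict(CRED.findall(value))
        has_creds = "username" in creds and "password" in creds
        if listener == inter_broker and not has_creds:
            # The broker cannot authenticate to its peers without these credentials.
            status = "ERROR: inter-broker listener JAAS entry lacks username/password"
        elif listener != inter_broker and has_creds:
            # Not used by SCRAM on a client-facing listener; a needless secret in the config.
            status = "INFO: credentials present but unused on a client-facing listener"
        else:
            status = "OK"
        findings.append({"listener": listener, "mechanism": mechanism,
                         "has_credentials": has_creds, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_jaas(parse_properties(SERVER_PROPERTIES)):
        print(f"{f['listener']:<10} {f['mechanism']:<14} {f['status']}")
```

Run against the properties in the issue, all three SCRAM listeners come back OK; only a config whose inter-broker listener entry is a bare `ScramLoginModule required;` is reported as an error.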