Kafka configure jaas using sasl.jaas.config on kubernetes

9/13/2018

I'm using this helm chart: https://github.com/helm/charts/tree/master/incubator/kafka

and these overrides in values.yaml

configurationOverrides:
  advertised.listeners: |-
    EXTERNAL://kafka-${KAFKA_BROKER_ID}.host-removed:$((31090 + ${KAFKA_BROKER_ID}))
  listener.security.protocol.map: |-
    PLAINTEXT:SASL_PLAINTEXT,EXTERNAL:SASL_PLAINTEXT
  sasl.enabled.mechanisms: SCRAM-SHA-256
  auto.create.topics.enable: false
  inter.broker.listener.name: PLAINTEXT
  sasl.mechanism.inter.broker.protocol: SCRAM-SHA-256
  listener.name.EXTERNAL.scram-sha-256.sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="user" password="password";

based on this documentation: https://kafka.apache.org/documentation/#security_jaas_broker

(quick summary)

Brokers may also configure JAAS using the broker configuration property sasl.jaas.config. The property name must be prefixed with the listener prefix including the SASL mechanism, i.e. listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config. Only one login module may be specified in the config value. If multiple mechanisms are configured on a listener, configs must be provided for each mechanism using the listener and mechanism prefix

listener.name.sasl_ssl.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
    username="admin" \
    password="admin-secret";

The problem is that when I start Kafka I get the following error:

java.lang.IllegalArgumentException: Could not find a 'KafkaServer' or 'plaintext.KafkaServer' entry in the JAAS configuration. System property 'java.security.auth.login.config' is not set

According to the order of precedence, it should use the static jass file if the above config is NOT set.

If JAAS configuration is defined at different levels, the order of precedence used is:
  • Broker configuration property listener.name.{listenerName}.{saslMechanism}.sasl.jaas.config
  • {listenerName}.KafkaServer section of static JAAS configuration
  • KafkaServer section of static JAAS configuration

The helm chart doesn't support a way to configure this jaas file so using this property seems to be the desired way, I'm just confused as to what is configured incorrectly.

Note: The cluster works fine if I disable all SASL and just use plain text but that's not much good in a real environment.

-- Chris Edwards
apache-kafka
kubernetes
kubernetes-helm

1 Answer

9/13/2018

We've defined 2 listeners: PLAINTEXT and EXTERNAL. You've mapped both to SASL_PLAINTEXT.

Is this really what you wanted to do? or did you want PLAINTEXT to not require SASL but just be Plaintext?

  • If you really want both to be SASL, then both of them need a JAAS configuration. In your question, I only see a JAAS configuration for EXTERNAL:

    listener.name.EXTERNAL.scram-sha-256.sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="user" password="password";

    As you've mapped PLAINTEXT to SASL_PLAINTEXT, it also requires a JAAS configuration. You can specify it using for example:

     listener.name.PLAINTEXT.scram-sha-256.sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username="user" password="password";
  • If you wanted your PLAINTEXT listener to actually be Plaintext without SASL, then you need to update the listener mapping:

    listener.security.protocol.map: |-
      PLAINTEXT:PLAINTEXT,EXTERNAL:SASL_PLAINTEXT
-- Mickael Maison
Source: StackOverflow