Posted to users@kafka.apache.org by Sunil Kumar <ks...@gmail.com> on 2022/02/08 02:46:57 UTC
encrypt the password in jaas conf
Hi,
We have a requirement to encrypt the passwords defined in the kafka jaas
conf file after enabling SASL_SSL. While starting the broker, we are passing
the kafka jaas conf file as an export argument in the kafka start script.
A JIRA issue is reported at https://issues.apache.org/jira/browse/KAFKA-13652
for the same problem.
Please suggest if it is already addressed or alternative ways.
Thanks,
KSunil
Re: encrypt the password in jaas conf
Posted by Sunil Kumar <ks...@gmail.com>.
Hi,
Can anyone update me on the solution requested to encrypt the credentials
in the kafka jaas conf file and in server.properties?
Thanks,
KSunil
On Tue, Feb 8, 2022 at 10:46 AM Sunil Kumar <ks...@gmail.com> wrote:
> Hi,
>
> We have a requirement to encrypt the passwords defined in the kafka jaas
> conf file after enabling SASL_SSL. While starting the broker, we are passing
> the kafka jaas conf file as an export argument in the kafka start script.
> A JIRA issue is reported at
> https://issues.apache.org/jira/browse/KAFKA-13652 for the same
> problem.
>
> Please suggest if it is already addressed or alternative ways.
>
>
>
> Thanks,
> KSunil
>
>
>
RE: encrypt the password in jaas conf
Posted by Bill Gibson <bi...@microfocus.com>.
For SASL/PLAIN, an option for client code is to use the sasl.jaas.config property instead of a jaas property file.
You can store the password encrypted, decrypt it at runtime, and set the "sasl.jaas.config" property in the client configuration properties.
I have used this method.
For the broker jaas configuration, you might be able to keep the plaintext password out of a file by setting the broker sasl.jaas.config property at runtime with kafka-configs.sh.
The Kafka docs say this property can be dynamically updated per-broker.
https://kafka.apache.org/documentation/#brokerconfigs_sasl.jaas.config
I have not tried setting the broker property dynamically.
The docs say you can avoid plaintext stored passwords by using a SASL callback handler to decrypt credentials.
https://kafka.apache.org/documentation/#security_sasl_plain_production
Bill
-----Original Message-----
From: Luke Chen <sh...@gmail.com>
Sent: Monday, February 7, 2022 10:47 PM
To: Kafka Users <us...@kafka.apache.org>
Subject: Re: encrypt the password in jaas conf
Hi KSunil,
Sorry, there's no encryption support for kafka jaas configuration.
You could consider configuring SCRAM for stronger security.
ref:
https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_scram.html
Thank you.
Luke
On Tue, Feb 8, 2022 at 1:06 PM Sunil Kumar <ks...@gmail.com> wrote:
> Hi,
>
> We have a requirement to encrypt the passwords defined in the kafka
> jaas conf file after enabling SASL_SSL. While starting the broker, we
> are passing the kafka jaas conf file as an export argument in the kafka start script.
> A JIRA issue is reported at
> https://issues.apache.org/jira/browse/KAFKA-13652
> for the same problem.
>
> Please suggest if it is already addressed or alternative ways.
>
>
>
> Thanks,
> KSunil
>
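Added example (not part of any message in this thread, and not Kafka project code): a sketch of the client-side approach from Bill Gibson's reply, where the password is stored encrypted, decrypted at runtime, and placed in the sasl.jaas.config client property. The class name, the AES-GCM storage layout, the demo key handling, and the sample user and password are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class EncryptedJaasConfig {
    // Stored form (this example's own layout): base64(12-byte IV || AES-GCM ciphertext and tag).
    static Cipher gcm(int mode, byte[] key, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv, 0, 12));
        return c;
    }
    static String encrypt(byte[] key, String password) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);  // fresh IV for every encryption under the same key
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, key, iv).doFinal(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array());
    }
    static String decrypt(byte[] key, String stored) throws Exception {
        byte[] blob = Base64.getDecoder().decode(stored);
        // doFinal throws AEADBadTagException on a wrong key or a modified stored value.
        byte[] pt = gcm(Cipher.DECRYPT_MODE, key, blob).doFinal(blob, 12, blob.length - 12);
        return new String(pt, StandardCharsets.UTF_8);
    }
    // JAAS option values are double-quoted: escape backslash and quote so the value stays one token.
    static String quote(String s) {
        return "\"" + s.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    static Properties clientProps(String user, String password) {
        Properties p = new Properties();
        p.put("security.protocol", "SASL_SSL");
        p.put("sasl.mechanism", "PLAIN");
        p.put("sasl.jaas.config", "org.apache.kafka.common.security.plain.PlainLoginModule required"
                + " username=" + quote(user) + " password=" + quote(password) + ";");
        return p;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];          // constructed demo key; a real key must come from outside
        new SecureRandom().nextBytes(key);  // the config file (environment, keystore, KMS)
        String stored = encrypt(key, "s3cr\"et\\1");  // constructed sample password
        Properties p = clientProps("alice", decrypt(key, stored));
        System.out.println(stored + "\n" + p.getProperty("sasl.jaas.config"));  // demo output only
    }
}
```

The resulting Properties object is what gets passed to the KafkaProducer or KafkaConsumer constructor, so the decrypted password exists only in process memory.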
Re: encrypt the password in jaas conf
Posted by Luke Chen <sh...@gmail.com>.
Hi KSunil,
Sorry, there's no encryption support for kafka jaas configuration.
You could consider configuring SCRAM for stronger security.
ref:
https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_scram.html
Thank you.
Luke
On Tue, Feb 8, 2022 at 1:06 PM Sunil Kumar <ks...@gmail.com> wrote:
> Hi,
>
> We have a requirement to encrypt the passwords defined in the kafka jaas
> conf file after enabling SASL_SSL. While starting the broker, we are passing
> the kafka jaas conf file as an export argument in the kafka start script.
> A JIRA issue is reported at
> https://issues.apache.org/jira/browse/KAFKA-13652
> for the same problem.
>
> Please suggest if it is already addressed or alternative ways.
>
>
>
> Thanks,
> KSunil
>