Posted to jira@kafka.apache.org by "Alexey Kashavkin (Jira)" <ji...@apache.org> on 2021/07/13 11:52:00 UTC

[jira] [Issue Comment Deleted] (KAFKA-13055) Security without JAAS configuration

     [ https://issues.apache.org/jira/browse/KAFKA-13055?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexey Kashavkin updated KAFKA-13055:
-------------------------------------
    Comment: was deleted

(was: {code:bash}
listener.name.clients.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
    username="alice" \
    password="alice-secret";
--
listener.name.clients-nossl.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
    username="alice" \
    password="alice-secret";
{code}
As an experiment, I specified user alice in {{sasl.jaas.config}}, but I didn't create this user and Kafka starts correctly. What is the logic of this?)

> Security without JAAS configuration
> -----------------------------------
>
>                 Key: KAFKA-13055
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13055
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0
>            Reporter: Alexey Kashavkin
>            Priority: Major
>
> I think that this isn't a bug, but I don't know what type to choose for this issue.
> I'm setting up Kafka security with multiple listeners. The listener for brokers works as plaintext and I don't want to use authentication for it. My cluster has this configuration:
> {code:bash}
> listeners=BROKERS://:9091,CLIENTS://:9092,CLIENTS-NOSSL://:9093
> inter.broker.listener.name=BROKERS
> sasl.enabled.mechanisms=SCRAM-SHA-256
> listener.security.protocol.map=BROKERS:PLAINTEXT,CLIENTS:SASL_SSL,CLIENTS-NOSSL:SASL_PLAINTEXT
> {code}
> For clients, I want to use SCRAM and only for them (not for brokers). But when I start the broker, I see the following message in the log:
> {code:bash}
> ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
> java.lang.IllegalArgumentException: Could not find a 'KafkaServer' or 'clients.KafkaServer' entry in the JAAS configuration. System property 'java.security.auth.login.config' is not set
> {code}
> Why is this configuration so necessary, if I don't use authentication for brokers and the SCRAM mechanism stores credentials in ZooKeeper? Which user do I need to add to {{sasl.jaas.config}}? I have created users who perform operations as consumers and producers. I didn't create any admin users because I don't need them. I didn't find any more detailed information in the [docs|http://kafka.apache.org/documentation/#security] about why this is so necessary.
> As an experiment:
> {code:bash}
> listener.name.clients.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
>     username="alice" \
>     password="alice-secret";
> --
> listener.name.clients-nossl.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
>     username="alice" \
>     password="alice-secret";
> {code}
> I specified user alice in {{sasl.jaas.config}}, but I didn't create this user and Kafka starts correctly. What is the logic of this?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
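
A pre-flight check for the configuration discussed in this issue, as an added example that is not part of the original message or of Kafka itself: it lists the per-listener `sasl.jaas.config` keys that a broker with these settings would still need when no static JAAS file is supplied. The function names are hypothetical, and the rule it applies (one key per SASL listener and enabled mechanism, named as in the reporter's experiment) is a simplified model of the startup error quoted above.

```python
# Added example (not Kafka code): simplified model of the startup requirement
# behind the error in KAFKA-13055. Function names are hypothetical.
SASL_PROTOCOLS = {"SASL_PLAINTEXT", "SASL_SSL"}

# Broker settings copied from the issue description.
BROKER_CONFIG = """\
listeners=BROKERS://:9091,CLIENTS://:9092,CLIENTS-NOSSL://:9093
inter.broker.listener.name=BROKERS
sasl.enabled.mechanisms=SCRAM-SHA-256
listener.security.protocol.map=BROKERS:PLAINTEXT,CLIENTS:SASL_SSL,CLIENTS-NOSSL:SASL_PLAINTEXT
"""

def parse_properties(text):
    """Parse key=value lines, joining lines that end with a backslash."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def missing_jaas_keys(props, static_jaas_file=False):
    """Return the listener-prefixed sasl.jaas.config keys that are absent."""
    if static_jaas_file:  # assumption: the file holds the KafkaServer entries
        return []
    enabled = props.get("sasl.enabled.mechanisms", "")
    mechs = [m.strip().lower() for m in enabled.split(",") if m.strip()]
    missing = []
    for entry in props.get("listener.security.protocol.map", "").split(","):
        listener, _, protocol = entry.strip().partition(":")
        if protocol not in SASL_PROTOCOLS:
            continue  # PLAINTEXT/SSL listeners need no login module
        for mech in mechs:
            key = f"listener.name.{listener.lower()}.{mech}.sasl.jaas.config"
            # Presence only: whether the named user exists is not checked here,
            # in line with the issue's report that the broker started anyway.
            if key not in props:
                missing.append(key)
    return missing

if __name__ == "__main__":
    for key in missing_jaas_keys(parse_properties(BROKER_CONFIG)):
        print("missing:", key)
```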