Basic concepts
ApsaraMQ for Kafka uses SASL mechanisms for identity authentication. The following SASL mechanisms are supported:
PLAIN: a simple mechanism in which the client sends its username and password to the broker in a single message. The credentials travel as cleartext inside the SASL exchange, so PLAIN is only as safe as the transport beneath it. The PLAIN mechanism provided by ApsaraMQ for Kafka allows you to dynamically create SASL users without restarting the instance.
SCRAM: a salted challenge-response mechanism (SCRAM-SHA-256) in which the client and the broker each prove knowledge of the password by exchanging HMAC-based proofs. The password itself is never sent, and the broker stores only a salted, hashed form of it. SCRAM-SHA-256 is a hashing-based authentication mechanism, not an encryption algorithm: compared with PLAIN it gives better protection against credential capture, but it does not encrypt message traffic. SCRAM also allows you to dynamically create SASL users without restarting the instance.
ApsaraMQ for Kafka supports SSL (TLS) encryption to protect data in transit. This prevents interception and eavesdropping while data is transferred over the network; note that SSL protects the channel, while SASL authenticates the client, and the two are configured independently.
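The practical difference between PLAIN and SCRAM is easiest to see on the wire. The following Python is an added example, not code from ApsaraMQ for Kafka or the Apache Kafka project: it implements the four-message SCRAM-SHA-256 exchange of RFC 5802/RFC 7677 with only the standard library, shows what the broker needs to store for a SCRAM user, and contrasts it with the PLAIN client message of RFC 4616. The username, password, salt and nonces are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Constructed sample credential; not a real ApsaraMQ for Kafka account.
USER = "demo_user"
PASSWORD = "demo_password"
ITERATIONS = 4096  # Apache Kafka's default iteration count for SCRAM-SHA-256


def hi(password: str, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hmac256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll_user(password: str, iterations: int = ITERATIONS) -> dict:
    """What a SCRAM-capable broker stores for a user: salt, iteration count,
    StoredKey and ServerKey. The password itself is not stored."""
    salt = os.urandom(16)
    salted = hi(password, salt, iterations)
    client_key = hmac256(salted, b"Client Key")
    server_key = hmac256(salted, b"Server Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": h(client_key), "server_key": server_key}


def plain_client_message(user: str, password: str) -> str:
    """RFC 4616 PLAIN: [authzid] NUL authcid NUL passwd. The password is literally on the wire."""
    return "\0" + user + "\0" + password


def scram_exchange(user: str, password: str, record: dict,
                   client_nonce: str = None, server_nonce: str = None) -> dict:
    """Run SCRAM-SHA-256 between a client that knows `password` and a broker that
    holds `record`. Returns the wire messages and both sides' verification results."""
    cnonce = client_nonce or secrets.token_urlsafe(18)
    snonce = server_nonce or secrets.token_urlsafe(18)

    # 1. client-first-message ("n,," = no channel binding, no authzid)
    client_first_bare = f"n={user},r={cnonce}"
    client_first = "n,," + client_first_bare

    # 2. server-first-message: combined nonce, salt and iteration count
    nonce = cnonce + snonce
    salt_b64 = base64.b64encode(record["salt"]).decode()
    server_first = f"r={nonce},s={salt_b64},i={record['iterations']}"

    # 3. client-final-message: proof derived from the password, never the password
    salted = hi(password, record["salt"], record["iterations"])
    client_key = hmac256(salted, b"Client Key")
    client_final_bare = f"c=biws,r={nonce}"          # "biws" = base64("n,,")
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode()
    client_sig = hmac256(h(client_key), auth_message)
    client_proof = xor(client_key, client_sig)
    client_final = client_final_bare + ",p=" + base64.b64encode(client_proof).decode()

    # Broker side: recover ClientKey from the proof using only StoredKey, then check H(ClientKey).
    proof = base64.b64decode(client_final.rsplit(",p=", 1)[1])
    recovered_client_key = xor(proof, hmac256(record["stored_key"], auth_message))
    client_ok = hmac.compare_digest(h(recovered_client_key), record["stored_key"])

    # 4. server-final-message: ServerSignature lets the client authenticate the broker too
    server_final = "v=" + base64.b64encode(hmac256(record["server_key"], auth_message)).decode()
    expected = hmac256(hmac256(salted, b"Server Key"), auth_message)
    server_ok = hmac.compare_digest(base64.b64decode(server_final[2:]), expected)

    return {"messages": [client_first, server_first, client_final, server_final],
            "client_ok": client_ok, "server_ok": server_ok}


def password_on_wire(password: str, messages: list) -> bool:
    """True if the password string appears verbatim in any message."""
    return any(password in m for m in messages)


if __name__ == "__main__":
    record = enroll_user(PASSWORD)
    result = scram_exchange(USER, PASSWORD, record)
    for m in result["messages"]:
        print(m)
    print("SCRAM client verified:", result["client_ok"], "server verified:", result["server_ok"])
    print("password visible in SCRAM:", password_on_wire(PASSWORD, result["messages"]))
    print("password visible in PLAIN:", password_on_wire(PASSWORD, [plain_client_message(USER, PASSWORD)]))
```

Run over an unencrypted channel, the PLAIN message hands an on-path observer the password directly, while the SCRAM messages expose only nonces, the salt and one-time proofs. SCRAM also gives the client a check on the broker (server-final), which PLAIN lacks. Neither mechanism encrypts the messages that follow; that is what SSL is for.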
Background information
Internet: If you access ApsaraMQ for Kafka instances over the Internet, messages must be both authenticated and encrypted. The PLAIN mechanism of SASL must be used together with SSL, so that neither the credentials nor the messages cross the Internet in plaintext.
VPC: A VPC is an isolated network environment; traffic inside it does not traverse the public Internet. If you access ApsaraMQ for Kafka instances in a VPC, messages can be transferred over the PLAINTEXT protocol, with neither encryption nor authentication; the only protection is the network isolation of the VPC itself. If you have higher security requirements, use SASL identity authentication so that clients must prove their identity before they produce or consume; the messages are still transferred unencrypted inside the VPC. You can select the PLAIN or SCRAM mechanism based on your security requirements. Note that with PLAIN the password itself is sent to the broker in cleartext, whereas SCRAM sends only a salted proof, so SCRAM is the better choice when the transport is not encrypted.
Note
By default, the default SASL user of an ApsaraMQ for Kafka instance is used for identity authentication. This user can read from and write to every topic and consumer group on the instance, so authenticating as it proves the client's identity but does not limit what the client may do. To enforce fine-grained access control, enable the access control list (ACL) feature, create a dedicated SASL user, and grant that user only the permissions it needs on the resources of your instance. After you enable the ACL feature, the permissions granted to the default SASL user become invalid. For more information, see Grant permissions to SASL users.
Endpoints for Internet- and VPC-connected instances
You can access Internet- and VPC-connected ApsaraMQ for Kafka instances over the Internet and in VPCs. You can use the SSL endpoint, default endpoint, or SASL endpoint of your instance to connect to ApsaraMQ for Kafka from a client. For more information, see Comparison among endpoints for Internet- and VPC-connected instances.
Table 1. Comparison among endpoints for Internet- and VPC-connected instances

| Network type | Port | Endpoint | Protocol | Scenario |
| --- | --- | --- | --- | --- |
| Internet | 9093 | SSL endpoint | SASL_SSL | Messages are encrypted in transit and clients are authenticated before they produce or consume. Identity authentication uses the PLAIN mechanism over SSL (see Background information). |
| VPC | 9092 | Default endpoint | PLAINTEXT | Messages are not encrypted in transit and clients are not authenticated. |
| VPC | 9094 | SASL endpoint | SASL_PLAINTEXT | Messages are not encrypted in transit, but clients are authenticated before they produce or consume. Supported mechanisms: PLAIN and SCRAM. |
Endpoints for VPC-connected instances
You can access VPC-connected ApsaraMQ for Kafka instances only in VPCs. You can use the default endpoint or SASL endpoint of your instance to connect to ApsaraMQ for Kafka from a client. For more information, see Comparison between endpoints for VPC-connected instances.
Table 2. Comparison between endpoints for VPC-connected instances

| Network type | Port | Endpoint | Protocol | Scenario |
| --- | --- | --- | --- | --- |
| VPC | 9092 | Default endpoint | PLAINTEXT | Messages are not encrypted in transit and clients are not authenticated. |
| VPC | 9094 | SASL endpoint | SASL_PLAINTEXT | Messages are not encrypted in transit, but clients are authenticated before they produce or consume. Supported mechanisms: PLAIN and SCRAM. |
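To turn the endpoint choices in Background information, Table 1 and Table 2 into a client configuration, and to make the security consequences of each choice explicit, here is an added example in Python. It is not code from ApsaraMQ for Kafka; it builds the configuration keys that librdkafka-based clients (for example confluent-kafka-python) read, emits the equivalent sasl.jaas.config line for the Java client, and refuses combinations the page rules out. The broker host names are placeholders, and the rule that the SSL endpoint authenticates with PLAIN is an assumption taken from the Background information on this page; confirm it against the endpoints shown in your console.

```python
# Added example: endpoint-to-configuration mapping for ApsaraMQ for Kafka clients.
# Not the product's own code. Host names and credentials below are placeholders.

# Endpoint types from Table 1 / Table 2: network, port and Kafka security.protocol.
ENDPOINT_TYPES = {
    "ssl":     {"network": "Internet", "port": 9093, "protocol": "SASL_SSL"},
    "default": {"network": "VPC",      "port": 9092, "protocol": "PLAINTEXT"},
    "sasl":    {"network": "VPC",      "port": 9094, "protocol": "SASL_PLAINTEXT"},
}
SASL_MECHANISMS = ("PLAIN", "SCRAM-SHA-256")


class EndpointPolicyError(ValueError):
    """Raised for a combination the page does not allow."""


def build_client_config(hosts, endpoint_type, mechanism=None, username=None,
                        password=None, ca_cert_path=None):
    """Return librdkafka-style client properties for one endpoint type."""
    ep = ENDPOINT_TYPES[endpoint_type]
    cfg = {
        "bootstrap.servers": ",".join(f"{h}:{ep['port']}" for h in hosts),
        "security.protocol": ep["protocol"],
    }
    # Background information: Internet access must be authenticated and encrypted.
    if ep["network"] == "Internet" and ep["protocol"] != "SASL_SSL":
        raise EndpointPolicyError("Internet access must use the SASL_SSL endpoint")

    if ep["protocol"].startswith("SASL_"):
        if mechanism not in SASL_MECHANISMS:
            raise EndpointPolicyError(f"mechanism must be one of {SASL_MECHANISMS}")
        if not (username and password):
            raise EndpointPolicyError("SASL endpoints require a SASL username and password")
        # Assumption derived from this page: the SSL endpoint pairs PLAIN with SSL.
        if ep["protocol"] == "SASL_SSL" and mechanism != "PLAIN":
            raise EndpointPolicyError("the SSL endpoint authenticates with the PLAIN mechanism")
        cfg["sasl.mechanisms"] = mechanism
        cfg["sasl.username"] = username
        cfg["sasl.password"] = password

    if ep["protocol"] == "SASL_SSL":
        # Without a trusted CA the client cannot verify the broker, and PLAIN credentials
        # would be handed to whoever answers on port 9093.
        if not ca_cert_path:
            raise EndpointPolicyError("SASL_SSL requires the CA certificate path for broker verification")
        cfg["ssl.ca.location"] = ca_cert_path
    return cfg


def java_jaas_config(mechanism, username, password):
    """Equivalent sasl.jaas.config value for the Apache Kafka Java client."""
    module = {
        "PLAIN": "org.apache.kafka.common.security.plain.PlainLoginModule",
        "SCRAM-SHA-256": "org.apache.kafka.common.security.scram.ScramLoginModule",
    }[mechanism]
    return f'{module} required username="{username}" password="{password}";'


def wire_exposure(cfg):
    """What an on-path observer could learn from a client using this configuration."""
    encrypted = cfg["security.protocol"] in ("SSL", "SASL_SSL")
    authenticated = cfg["security.protocol"].startswith("SASL_")
    mechanism = cfg.get("sasl.mechanisms")
    return {
        "messages_in_clear": not encrypted,
        "client_authenticated": authenticated,
        # PLAIN sends the password itself; SCRAM sends only a salted proof.
        "password_in_clear": authenticated and mechanism == "PLAIN" and not encrypted,
    }


if __name__ == "__main__":
    hosts = ["broker-1.example.invalid", "broker-2.example.invalid"]  # placeholders
    for label, kwargs in [
        ("Internet, SSL endpoint", dict(endpoint_type="ssl", mechanism="PLAIN",
                                        username="user", password="secret", ca_cert_path="/etc/kafka/ca.pem")),
        ("VPC, default endpoint", dict(endpoint_type="default")),
        ("VPC, SASL endpoint + PLAIN", dict(endpoint_type="sasl", mechanism="PLAIN",
                                             username="user", password="secret")),
        ("VPC, SASL endpoint + SCRAM", dict(endpoint_type="sasl", mechanism="SCRAM-SHA-256",
                                             username="user", password="secret")),
    ]:
        cfg = build_client_config(hosts, **kwargs)
        print(label, cfg["security.protocol"], wire_exposure(cfg))
```

The `wire_exposure` result is the part worth reading before picking an endpoint: the default endpoint exposes both messages and the absence of any client identity, the SASL endpoint with PLAIN exposes the password to anyone who can sniff the VPC, and only the SSL endpoint hides both. If the ACL feature is enabled, the username placed in `sasl.username` must be a SASL user that has been granted the required permissions, as described in the Note above.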