Simple Authentication and Security Layer (SASL) ensures that only clients with valid credentials can connect to Kafka brokers. SASL handles authentication only: what an authenticated user is then allowed to do (create topics, produce, consume) is governed separately by Kafka ACLs, which this topic does not cover. By default, SASL is disabled for E-MapReduce (EMR) Kafka clusters. This topic walks you through enabling SASL with the SCRAM-SHA-512 mechanism, configuring broker and client authentication, and verifying the setup.
Prerequisites
A Dataflow cluster is created in the E-MapReduce (EMR) console, and Kafka is selected when you create the cluster. For more information, see Create a Dataflow Kafka cluster.
Create an admin user
EMR manages SASL through the kafka.sasl.config.type configuration item in the server.properties configuration file.
Log on to the master node of your cluster in SSH mode. For more information, see Log on to a cluster.
Run the following command to create an admin user:
Note: In this example, the password of the admin user is admin-secret. Specify a password based on your business requirements.
kafka-configs.sh --bootstrap-server core-1-1:9092 --alter --add-config 'SCRAM-SHA-256=[password=admin-secret],SCRAM-SHA-512=[password=admin-secret]' --entity-type users --entity-name admin
This command runs before SASL is enforced, so it connects over the cluster's existing unauthenticated listener. Once SASL is enabled, the same command must be given a --command-config file that carries valid credentials, as shown in Verify SASL authentication below. The broker does not store the password itself, only the SCRAM credential derived from it (salt, iteration count, StoredKey and ServerKey). The SCRAM-SHA-256 credential created here is unused, because only SCRAM-SHA-512 is enabled in the following steps.
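To show what the kafka-configs command above actually stores, and what the SASL_PLAINTEXT/SCRAM-SHA-512 client configuration later on this page sends over the wire, the following is an added example (not EMR or Kafka project code) that runs the RFC 5802 SCRAM-SHA-512 exchange offline in Python with only the standard library. The broker side keeps salt, iteration count, StoredKey and ServerKey; the client side proves knowledge of the password without transmitting it. The 4096 iteration count, the nonce sizes, and the admin/admin-secret values are assumptions taken for this illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumption for this illustration: Kafka's kafka-configs tool uses 4096
# PBKDF2 iterations by default; the exact value does not change the protocol.
ITERATIONS = 4096
HASH = "sha512"
HASH_LEN = hashlib.new(HASH).digest_size


def make_credential(password: str, salt: bytes, iterations: int = ITERATIONS) -> dict:
    """Broker side: what is stored for a SCRAM user (RFC 5802 section 3).

    The password never appears here. SaltedPassword = PBKDF2-HMAC-SHA512,
    ClientKey/ServerKey are HMACs over fixed labels, StoredKey = H(ClientKey).
    """
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations, HASH_LEN)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    return {"salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": server_key}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _auth_message(username: str, cnonce: str, snonce: str, salt: bytes, iterations: int) -> bytes:
    """AuthMessage = client-first-bare , server-first , client-final-without-proof."""
    client_first_bare = f"n={username},r={cnonce}"
    server_first = f"r={cnonce}{snonce},s={base64.b64encode(salt).decode()},i={iterations}"
    client_final_without_proof = f"c=biws,r={cnonce}{snonce}"   # biws = base64("n,,")
    return f"{client_first_bare},{server_first},{client_final_without_proof}".encode()


def client_proof(password: str, username: str, cnonce: str, snonce: str,
                 salt: bytes, iterations: int) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    auth_message = _auth_message(username, cnonce, snonce, salt, iterations)
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations, HASH_LEN)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, HASH).digest()
    return _xor(client_key, client_sig)


def broker_verify(credential: dict, username: str, cnonce: str, snonce: str, proof: bytes) -> bool:
    """Broker side: recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    auth_message = _auth_message(username, cnonce, snonce,
                                 credential["salt"], credential["iterations"])
    client_sig = hmac.new(credential["stored_key"], auth_message, HASH).digest()
    recovered_client_key = _xor(proof, client_sig)
    candidate = hashlib.new(HASH, recovered_client_key).digest()
    return hmac.compare_digest(candidate, credential["stored_key"])


def server_signature(credential: dict, username: str, cnonce: str, snonce: str) -> bytes:
    """Broker side: ServerSignature = HMAC(ServerKey, AuthMessage), returned to the client."""
    auth_message = _auth_message(username, cnonce, snonce,
                                 credential["salt"], credential["iterations"])
    return hmac.new(credential["server_key"], auth_message, HASH).digest()


def scram_exchange(stored_password: str, offered_password: str, username: str = "admin") -> bool:
    """Full exchange with fresh random salt and nonces; True if the broker accepts the proof."""
    cred = make_credential(stored_password, os.urandom(16))
    cnonce = base64.b64encode(os.urandom(16)).decode()   # base64 never contains ','
    snonce = base64.b64encode(os.urandom(16)).decode()
    proof = client_proof(offered_password, username, cnonce, snonce,
                         cred["salt"], cred["iterations"])
    return broker_verify(cred, username, cnonce, snonce, proof)


if __name__ == "__main__":
    # Constructed values: the user and password from this page's example.
    print("correct password accepted:", scram_exchange("admin-secret", "admin-secret"))
    print("wrong password accepted:  ", scram_exchange("admin-secret", "wrong-secret"))
```

Because the proof is bound to both nonces and to the stored salt, a captured exchange cannot be replayed, and an eavesdropper on a SASL_PLAINTEXT listener learns the username but not the password. The topic data that follows the handshake is still unencrypted, which is what the SSL topic in the References addresses.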
Add SASL configuration items in the EMR console
Navigate to the Kafka configuration page
Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
In the top navigation bar, select the region in which your cluster resides and select a resource group based on your business requirements.
On the EMR on ECS page, find your cluster and click Services in the Actions column.
On the Services tab, find the Kafka service and click Configure.
Add SASL mechanism settings
On the server.properties tab:
Click Add Configuration Item.
In the Add Configuration Item dialog box, add the following configuration items and click OK.
| Configuration item | Value |
|---|---|
| sasl.mechanism.inter.broker.protocol | SCRAM-SHA-512 |
| sasl.enabled.mechanisms | SCRAM-SHA-512 |
In the dialog box that appears, specify the Execution Reason and click Save.
Set the listener to custom mode
On the server.properties tab:
Change the value of the kafka.sasl.config.type configuration item to CUSTOM and click Save.
In the dialog box that appears, specify the Execution Reason and click Save.
Configure JAAS for the Kafka broker
Choose one of the following methods to configure Java Authentication and Authorization Service (JAAS) for the Kafka broker.
Method 1: Use custom configuration items
On the server.properties tab of the Kafka Configure page:
Click Add Configuration Item, add the following configuration items, and then click OK.
| Configuration item | Value |
|---|---|
| listener.name.sasl_plaintext.sasl.enabled.mechanisms | SCRAM-SHA-512 |
| listener.name.sasl_plaintext.scram-sha-512.sasl.jaas.config | org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin-secret"; |
In the dialog box that appears, specify the Execution Reason and click Save.
Method 2: Use a configuration file
On the Kafka Configure page, modify the following configuration items and click Save.
| Tab | Configuration item | Value |
|---|---|---|
| kafka_server_jaas.conf | kafka.server.jaas.content | KafkaServer { org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin-secret"; }; |
| server.properties | kafka_opts | -Djava.security.auth.login.config=/etc/taihao-apps/kafka-conf/kafka-conf/kafka_server_jaas.conf |
The kafka.server.jaas.content value in full:
KafkaServer {
org.apache.kafka.common.security.scram.ScramLoginModule required
username="admin"
password="admin-secret";
};
In the dialog box that appears, specify the Execution Reason and click Save.
Configure JAAS for the Kafka client
Configure the kafka.client.jaas.content configuration item in the kafka_client_jaas.conf configuration file. Kafka Schema Registry and Kafka REST Proxy connect to the brokers as Kafka clients, so once SASL is enforced they need this JAAS configuration to start.
On the Kafka Configure page, modify the following configuration items and click Save.
| Tab | Configuration item | Value |
|---|---|---|
| kafka_client_jaas.conf | kafka.client.jaas.content | KafkaClient { org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin-secret"; }; |
| schema-registry.properties | schema_registry_opts | -Djava.security.auth.login.config=/etc/taihao-apps/kafka-conf/kafka-conf/kafka_client_jaas.conf |
| kafka-rest.properties | kafkarest_opts | -Djava.security.auth.login.config=/etc/taihao-apps/kafka-conf/kafka-conf/kafka_client_jaas.conf |
The kafka.client.jaas.content value in full:
KafkaClient {
org.apache.kafka.common.security.scram.ScramLoginModule required
username="admin"
password="admin-secret";
};
In the dialog box that appears, specify the Execution Reason and click Save.
Restart the Kafka service
After you complete the SASL configuration, restart the Kafka service for the changes to take effect.
On the Configure tab of the Kafka service page, choose More > Restart in the upper-right corner.
In the dialog box that appears, specify the Execution Reason and click OK.
In the Confirm message, click OK.
Verify SASL authentication
After the Kafka service restarts, authenticate to the Kafka cluster with the SCRAM-SHA-512 mechanism. The following examples use the performance test tools that ship with Kafka (kafka-producer-perf-test.sh and kafka-consumer-perf-test.sh) as the producer and consumer.
Create an administrator configuration file
Log on to the master node of your EMR cluster in SSH mode. For more information, see Log on to a cluster.
Run the following command to create the sasl_admin.properties file:
vim sasl_admin.properties
Add the following content to the file:
security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="admin-secret";
This file contains the admin password in clear text, so restrict its permissions to the account that runs the Kafka command-line tools. With security.protocol=SASL_PLAINTEXT the SCRAM handshake protects the password, but topic data travels unencrypted; see the References section for SSL.
Create a regular user
Run the following command to create a regular user:
kafka-configs.sh --bootstrap-server core-1-1:9092 --alter --add-config 'SCRAM-SHA-256=[password=<yourUserpassword>],SCRAM-SHA-512=[password=<yourUserpassword>]' --entity-type users --entity-name <yourUsername> --command-config /root/sasl_admin.properties
Replace <yourUsername> and <yourUserpassword> with the username and password that you want to assign to the regular user.
Create a user configuration file
Run the following command to create the sasl_user.properties file:
vim sasl_user.properties
Add the following content to the file:
security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="<yourUsername>" password="<yourUserpassword>";
Create a topic
Run the following command to create a topic:
kafka-topics.sh --partitions 10 --replication-factor 2 --bootstrap-server core-1-1:9092 --topic test --create --command-config /root/sasl_user.properties
test is the name of the topic. Specify a topic name based on your business requirements.
Produce data
Run the following command to produce data to the topic:
kafka-producer-perf-test.sh --topic test --num-records 123456 --throughput 10000 --record-size 1024 --producer-props bootstrap.servers=core-1-1:9092 --producer.config sasl_user.properties
Consume data
Run the following command to consume data from the topic:
kafka-consumer-perf-test.sh --broker-list core-1-1:9092 --messages 100000000 --topic test --consumer.config sasl_user.properties
References
For information about how to establish an encrypted data transmission channel between a client and a server, see Use SSL to encrypt Kafka data.