Clients may configure JAAS using the client configuration property sasl.jaas.config or using the static JAAS config file similar to brokers.JAAS configuration using client configuration property
-
Clients may specify JAAS configuration as a producer or consumer property without creating a physical configuration file. This mode also enables different producers and consumers within the same JVM to use different credentials by specifying different properties for each client. If both static JAAS configuration system property
java.security.auth.login.configand client propertysasl.jaas.configare specified, the client property will be used.See GSSAPI (Kerberos), PLAIN, SCRAM or OAUTHBEARER for example configurations.
-
JAAS configuration using static config file
To configure SASL authentication on the clients using static JAAS config file:- Add a JAAS config file with a client login section named KafkaClient. Configure a login module in KafkaClient for the selected mechanism as described in the examples for setting up GSSAPI (Kerberos), PLAIN, SCRAM or OAUTHBEARER. For example, GSSAPI credentials may be configured as:
1234567
KafkaClient {com.sun.security.auth.module.Krb5LoginModule requireduseKeyTab=truestoreKey=truekeyTab="/etc/security/keytabs/kafka_client.keytab"principal="kafka-client-1@EXAMPLE.COM";}; - Pass the JAAS config file location as JVM parameter to each client JVM. For example:
1
-Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf
- Add a JAAS config file with a client login section named KafkaClient. Configure a login module in KafkaClient for the selected mechanism as described in the examples for setting up GSSAPI (Kerberos), PLAIN, SCRAM or OAUTHBEARER. For example, GSSAPI credentials may be configured as:
-