.. _kafka_sasl_auth_scram:

Configuring SCRAM
-----------------

**Table of Contents**

.. contents::
   :local:
   :depth: 1

SASL/SCRAM Overview
~~~~~~~~~~~~~~~~~~~

Salted Challenge Response Authentication Mechanism (SCRAM), or SASL/SCRAM, is a family of SASL mechanisms that addresses the security concerns with traditional mechanisms that perform username/password authentication, such as PLAIN. Kafka supports ``SCRAM-SHA-256`` and ``SCRAM-SHA-512``. All examples below use ``SCRAM-SHA-256``, but you can substitute the configuration for ``SCRAM-SHA-512`` as needed.

The SCRAM implementation in Kafka stores SCRAM credentials in ZooKeeper and is suitable for use in Kafka installations where ZooKeeper is on a private network. Because of this, you must create SCRAM credentials for users in ZooKeeper.

.. sourcecode:: bash

   bin/kafka-configs.sh --zookeeper localhost:2181 --alter --add-config 'SCRAM-SHA-256=[iterations=8192,password=alice-secret],SCRAM-SHA-512=[password=alice-secret]' --entity-type users --entity-name alice
   bin/kafka-configs.sh --zookeeper localhost:2181 --alter --add-config 'SCRAM-SHA-256=[password=admin-secret],SCRAM-SHA-512=[password=admin-secret]' --entity-type users --entity-name admin

The default iteration count of 4096 is used if ``iterations`` is not specified. A random salt is created, and the SCRAM identity consisting of the salt, iteration count, StoredKey and ServerKey is stored in ZooKeeper; the password itself is not stored. See RFC 5802 for details on the SCRAM identity and its individual fields.

The remainder of this page shows you how to configure SASL/SCRAM for each component in the Confluent Platform.

.. _sasl_scram_broker:

Brokers
~~~~~~~

.. include:: includes/intro_brokers.rst

* :ref:`Confluent Metrics Reporter <sasl_scram_metrics-reporter>`

JAAS
^^^^

.. include:: includes/auth_sasl_scram_broker_jaas.rst

Configuration
^^^^^^^^^^^^^

.. include:: includes/auth_sasl_scram_broker_config.rst

Run
^^^

.. include:: includes/auth_sasl_scram_broker_run.rst

Clients
~~~~~~~

.. include:: includes/intro_clients.rst

.. include:: includes/auth_sasl_scram_client_config.rst

ZooKeeper
~~~~~~~~~

ZooKeeper does not support SASL/SCRAM authentication, but it does support another mechanism, SASL/DIGEST-MD5.

.. include:: includes/intro_zk.rst

.. _sasl_scram_connect-workers:

Kafka Connect
~~~~~~~~~~~~~

.. include:: includes/intro_connect.rst

* :ref:`Confluent Monitoring Interceptors <sasl_scram_interceptors>`
* :ref:`Confluent Metrics Reporter <sasl_scram_metrics-reporter>`

.. include:: includes/auth_sasl_scram_connect-workers_config.rst

.. _sasl_scram_replicator:

Confluent Replicator
~~~~~~~~~~~~~~~~~~~~

.. include:: includes/intro_replicator.rst

* :ref:`Kafka Connect <sasl_scram_connect-workers>`

.. include:: includes/auth_sasl_scram_replicator_config.rst

Confluent Control Center
~~~~~~~~~~~~~~~~~~~~~~~~

.. include:: includes/intro_c3.rst

* :ref:`Confluent Metrics Reporter <sasl_scram_metrics-reporter>`: required on the production cluster being monitored
* :ref:`Confluent Monitoring Interceptors <sasl_scram_interceptors>`: optional, if you are using Control Center streams monitoring

.. include:: includes/auth_sasl_scram_c3_config.rst

.. _sasl_scram_metrics-reporter:

Confluent Metrics Reporter
~~~~~~~~~~~~~~~~~~~~~~~~~~

This section describes how to enable SASL/SCRAM for Confluent Metrics Reporter, which is used by Confluent Control Center and Auto Data Balancer.

.. include:: includes/auth_sasl_scram_metrics-reporter_config.rst

.. _sasl_scram_interceptors:

Confluent Monitoring Interceptors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. include:: includes/intro_interceptors.rst

Interceptors for General Clients
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: includes/auth_sasl_scram_interceptors_config.rst

Interceptors for Kafka Connect
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: includes/auth_sasl_scram_interceptors-connect-workers_config.rst

Interceptors for Replicator
^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: includes/auth_sasl_scram_interceptors-replicator_config.rst

Schema Registry
~~~~~~~~~~~~~~~

.. include:: includes/intro_sr.rst

.. include:: includes/auth_sasl_scram_sr_config.rst

REST Proxy
~~~~~~~~~~

Securing Confluent REST Proxy for SASL requires that you configure security between the REST Proxy and the Kafka cluster. You may also refer to the complete list of REST Proxy SASL configuration options.

.. include:: includes/auth_sasl_scram_rest_config.rst
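Worked example of the SCRAM identity from the overview above (salt, iteration count, StoredKey and ServerKey as defined in RFC 5802 for SCRAM-SHA-256) and of how a broker holding only that identity verifies a client proof without ever seeing the password. This is an added illustration in Python, not Kafka's or ZooKeeper's own code; the ``AuthMessage`` string used in the check is constructed for the demonstration rather than taken from a real SCRAM exchange.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

HASH = "sha256"  # SCRAM-SHA-256; use "sha512" for SCRAM-SHA-512


@dataclass
class ScramIdentity:
    """What kafka-configs.sh ends up storing in ZooKeeper: no password."""
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey)
    server_key: bytes   # HMAC(SaltedPassword, "Server Key")


def _salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # RFC 5802 Hi(): PBKDF2 with HMAC over the mechanism's hash
    return hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)


def create_identity(password: str, iterations: int = 4096,
                    salt: Optional[bytes] = None) -> ScramIdentity:
    # A fresh random salt per credential, as the overview describes
    salt = salt if salt is not None else os.urandom(16)
    salted = _salted_password(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    return ScramIdentity(salt, iterations, hashlib.new(HASH, client_key).digest(), server_key)


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    # Client side: recompute ClientKey from the password, then
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    salted = _salted_password(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, HASH).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def server_verify(identity: ScramIdentity, auth_message: bytes, proof: bytes) -> bool:
    # Broker side: only StoredKey is needed. Recover ClientKey from the proof
    # and check that its hash matches; a stolen StoredKey alone cannot build a proof.
    client_sig = hmac.new(identity.stored_key, auth_message, HASH).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.new(HASH, client_key).digest(), identity.stored_key)
```

The 8192 iterations used for ``alice`` in the page's ``kafka-configs.sh`` command map directly onto the ``iterations`` argument here, and raising it is what makes offline guessing against a leaked ZooKeeper node slower.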