.. _kafka_sasl_auth_plain:

Configuring PLAIN
-----------------

SASL/PLAIN Overview
~~~~~~~~~~~~~~~~~~~

PLAIN, or SASL/PLAIN, is a simple username/password authentication mechanism that is typically used with TLS for encryption to implement secure authentication. |ak-tm| supports a :ref:`default implementation for SASL/PLAIN, which can be extended for production use `.

The username is used as the authenticated ``principal``, which is used in authorization (such as ACLs).

.. note::

   **PLAIN versus PLAINTEXT**: Do not confuse the SASL mechanism PLAIN with the option that uses no TLS encryption, which is called PLAINTEXT. Configuration parameters such as ``sasl.enabled.mechanisms`` or ``sasl.mechanism.inter.broker.protocol`` may be configured to use the SASL mechanism PLAIN, whereas ``security.inter.broker.protocol`` or ``listeners`` may be configured to use the option with no TLS encryption, SASL_PLAINTEXT.

SASL/PLAIN should only be used with TLS as the transport layer to ensure that clear passwords are not transmitted on the wire without encryption.

The default implementation of SASL/PLAIN in |ak| specifies usernames and passwords in the JAAS configuration file. You can avoid storing clear passwords on disk by configuring your own callback handlers that obtain the username and password from an external source using the configuration options ``sasl.server.callback.handler.class`` and ``sasl.client.callback.handler.class``.

In production systems, external authentication servers may implement password authentication. You can plug in your own callback handlers that use external authentication servers for password verification by configuring ``sasl.server.callback.handler.class``.

The remainder of this page shows you how to configure SASL/PLAIN for each component in |cp|.

.. _sasl_plain_broker:

Brokers
~~~~~~~

.. include:: ../includes/intro_brokers.rst

* :ref:`Confluent Metrics Reporter `

JAAS
^^^^

.. _sasl-plain-broker-jaas:

.. include:: ../includes/auth_sasl_plain_broker_jaas.rst

.. _auth-sasl-plain-broker-config:

Configuration
^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_plain_broker_config.rst

.. _sasl-plain-broker-run:

Run
^^^

.. include:: ../includes/auth_sasl_plain_broker_run.rst

.. _sasl_plain_clients:

Clients
~~~~~~~

.. important::

   If you are configuring this for |sr| or |crest|, you must prefix each parameter with ``confluent.license``. For example, ``sasl.mechanism`` becomes ``confluent.license.sasl.mechanism``. For additional information, see :ref:`kafka-rest-and-sasl-ssl-configs`.

.. include:: ../includes/intro_clients.rst

.. include:: ../includes/auth_sasl_plain_client_config.rst

.. _sasl_plain_zk:

|zk|
~~~~

|zk| does not support SASL/PLAIN authentication, but it does support another mechanism, SASL/DIGEST-MD5.

.. include:: ../includes/intro_zk.rst

.. _sasl_plain_connect-workers:

|kconnect-long|
~~~~~~~~~~~~~~~

.. include:: ../includes/intro_connect.rst

* :ref:`Confluent Monitoring Interceptors `
* :ref:`Confluent Metrics Reporter `

.. include:: ../includes/auth_sasl_plain_connect-workers_config.rst

.. _sasl_plain_replicator:

|crep-full|
~~~~~~~~~~~

.. include:: ../includes/intro_replicator.rst

* :ref:`Kafka Connect `

.. include:: ../includes/auth_sasl_plain_replicator_config.rst

|c3|
~~~~

.. include:: ../includes/intro_c3.rst

* :ref:`Confluent Metrics Reporter `: required on the production cluster being monitored
* :ref:`Confluent Monitoring Interceptors `: optional if you are using Control Center streams monitoring

.. include:: ../includes/auth_sasl_plain_c3_config.rst

.. _sasl_plain_metrics-reporter:

|cmetric-full|
~~~~~~~~~~~~~~

This section describes how to enable SASL/PLAIN for |cmetric-full|, which is used for |c3| and Auto Data Balancer.

.. include:: ../includes/auth_sasl_plain_metrics-reporter_config.rst

.. _sasl_plain_interceptors:

Confluent Monitoring Interceptors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. include:: ../includes/intro_interceptors.rst

Interceptors for General Clients
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_plain_interceptors_config.rst

Interceptors for |kconnect-long|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_plain_interceptors-connect-workers_config.rst

Interceptors for Replicator
^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_plain_interceptors-replicator_config.rst

.. _auth-sasl-plain-schema-registry:

|sr|
~~~~

.. include:: ../includes/intro_sr.rst

.. include:: ../includes/auth_sasl_plain_sr_config.rst

REST Proxy
~~~~~~~~~~

To secure Confluent REST Proxy for SASL, you must configure security between the REST proxy and the |ak| cluster. For a complete list of all configuration options, refer to :ref:`kafka-rest-security-kafka-auth-sasl`.

.. include:: ../includes/auth_sasl_plain_rest_config.rst
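
The overview's PLAIN versus PLAINTEXT distinction can be checked mechanically once the components above are configured. The following is an added example, not part of the original page or of |cp|: it scans broker properties for the PLAIN mechanism running on a SASL_PLAINTEXT listener or inter-broker link. The listener names and sample properties are constructed for illustration.

```python
# Added example: flags SASL/PLAIN exposed without TLS in broker properties.
DEFAULT_MAP = "PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL"

# Constructed sample, not from the page; listener names are hypothetical.
SAMPLE_PROPERTIES = """\
listeners=INTERNAL://:9092,CLIENT://:9093,LEGACY://:9094
listener.security.protocol.map=INTERNAL:SASL_PLAINTEXT,CLIENT:SASL_SSL,LEGACY:SASL_PLAINTEXT
sasl.enabled.mechanisms=PLAIN
listener.name.legacy.sasl.enabled.mechanisms=SCRAM-SHA-512
inter.broker.listener.name=INTERNAL
sasl.mechanism.inter.broker.protocol=PLAIN
"""

def parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def enabled_mechanisms(props, listener):
    """Per-listener override (lowercase listener name) wins over the broker-wide value."""
    override = f"listener.name.{listener.lower()}.sasl.enabled.mechanisms"
    raw = props.get(override, props.get("sasl.enabled.mechanisms", "GSSAPI"))
    return {m.strip().upper() for m in raw.split(",") if m.strip()}

def plain_without_tls(text):
    """Return findings where the PLAIN mechanism rides on SASL_PLAINTEXT."""
    props = parse_properties(text)
    pairs = props.get("listener.security.protocol.map", DEFAULT_MAP).split(",")
    proto = {k.strip().upper(): v.strip().upper()
             for k, v in (p.split(":", 1) for p in pairs if ":" in p)}
    findings = []
    for entry in props.get("listeners", "").split(","):
        name = entry.split("://", 1)[0].strip()
        if proto.get(name.upper()) == "SASL_PLAINTEXT" and "PLAIN" in enabled_mechanisms(props, name):
            findings.append(f"listener {name}: SASL/PLAIN over SASL_PLAINTEXT")
    # Inter-broker traffic uses the named listener if set, else security.inter.broker.protocol.
    ib_name = props.get("inter.broker.listener.name", "")
    ib_proto = (proto.get(ib_name.upper()) if ib_name
                else props.get("security.inter.broker.protocol", "PLAINTEXT").upper())
    ib_mech = props.get("sasl.mechanism.inter.broker.protocol", "GSSAPI").upper()
    if ib_proto == "SASL_PLAINTEXT" and ib_mech == "PLAIN":
        findings.append("inter-broker: SASL/PLAIN over SASL_PLAINTEXT")
    return findings

if __name__ == "__main__":
    print("\n".join(plain_without_tls(SAMPLE_PROPERTIES)))
```

In the sample, the ``LEGACY`` listener is not flagged because its per-listener override removes PLAIN, while ``INTERNAL`` is flagged both as a listener and as the inter-broker link.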