.. _kafka_sasl_auth_plain:

Configuring PLAIN
-----------------

SASL/PLAIN Overview
~~~~~~~~~~~~~~~~~~~

PLAIN, or SASL/PLAIN, is a simple username/password authentication mechanism that is typically used with TLS for
encryption to implement secure authentication. |ak-tm| supports a :ref:`default implementation for SASL/PLAIN, which can be extended for production use `.

The username is used as the authenticated ``principal``, which is used in authorization (such as ACLs).

.. note:: **`PLAIN` versus `PLAINTEXT`**

   Do not confuse the SASL mechanism `PLAIN` with `PLAINTEXT`, which denotes no SSL encryption. Configuration
   parameters such as ``sasl.enabled.mechanisms`` or ``sasl.mechanism.inter.broker.protocol`` may be configured to use
   the SASL mechanism `PLAIN`, whereas ``security.inter.broker.protocol`` or ``listeners`` may be configured to use
   `SASL_PLAINTEXT`, which has no SSL encryption.

SASL/PLAIN should only be used with SSL as the transport layer to ensure that clear passwords are not transmitted on the
wire without encryption.

The default implementation of SASL/PLAIN in |ak| specifies usernames and passwords in the JAAS configuration file.
You can avoid storing clear passwords on disk by configuring your own callback handlers that obtain the username and
password from an external source using the configuration options ``sasl.server.callback.handler.class`` and
``sasl.client.callback.handler.class``.

In production systems, external authentication servers may implement password authentication. You can plug in your own
callback handlers that use external authentication servers for password verification by configuring
``sasl.server.callback.handler.class``.

The remainder of this page shows you how to configure SASL/PLAIN for each component in |cp|.

.. _sasl_plain_broker:

Brokers
~~~~~~~

.. include:: ../includes/intro_brokers.rst

* :ref:`Confluent Metrics Reporter `

JAAS
^^^^

.. _sasl-plain-broker-jaas:

.. include:: ../includes/auth_sasl_plain_broker_jaas.rst

.. _auth-sasl-plain-broker-config:

Configuration
^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_plain_broker_config.rst

.. _sasl-plain-broker-run:

Run
^^^

.. include:: ../includes/auth_sasl_plain_broker_run.rst

.. _sasl_plain_clients:

Clients
~~~~~~~

.. include:: ../includes/intro_clients.rst

.. include:: ../includes/auth_sasl_plain_client_config.rst

|zk|
~~~~

|zk| does not support SASL/PLAIN authentication, but it does support another mechanism, SASL/DIGEST-MD5.

.. include:: ../includes/intro_zk.rst

.. _sasl_plain_connect-workers:

|kconnect-long|
~~~~~~~~~~~~~~~

.. include:: ../includes/intro_connect.rst

* :ref:`Confluent Monitoring Interceptors `
* :ref:`Confluent Metrics Reporter `

.. include:: ../includes/auth_sasl_plain_connect-workers_config.rst

.. _sasl_plain_replicator:

|crep-full|
~~~~~~~~~~~

.. include:: ../includes/intro_replicator.rst

* :ref:`Kafka Connect `

.. include:: ../includes/auth_sasl_plain_replicator_config.rst

|c3|
~~~~

.. include:: ../includes/intro_c3.rst

* :ref:`Confluent Metrics Reporter `: required on the production cluster being monitored
* :ref:`Confluent Monitoring Interceptors `: optional if you are using Control Center streams monitoring

.. include:: ../includes/auth_sasl_plain_c3_config.rst

.. _sasl_plain_metrics-reporter:

|cmetric-full|
~~~~~~~~~~~~~~

This section describes how to enable SASL/PLAIN for |cmetric-full|, which is used for |c3| and Auto Data Balancer.

.. include:: ../includes/auth_sasl_plain_metrics-reporter_config.rst

.. _sasl_plain_interceptors:

Confluent Monitoring Interceptors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. include:: ../includes/intro_interceptors.rst

Interceptors for General Clients
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_plain_interceptors_config.rst

Interceptors for |kconnect-long|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_plain_interceptors-connect-workers_config.rst

Interceptors for Replicator
^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_plain_interceptors-replicator_config.rst

.. _auth-sasl-plain-schema-registry:

|sr|
~~~~

.. include:: ../includes/intro_sr.rst

.. include:: ../includes/auth_sasl_plain_sr_config.rst

REST Proxy
~~~~~~~~~~

To secure Confluent REST Proxy for SASL, you must configure security between the REST proxy and the |ak| cluster.
For a complete list of all configuration options, refer to :ref:`sasl-auth-rest-kafka-broker`.

.. include:: ../includes/auth_sasl_plain_rest_config.rst
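
Returning to the ``PLAIN`` versus ``PLAINTEXT`` distinction in the overview: the following is an added example (not part of the Confluent documentation or tooling) that audits a broker properties file for the ``PLAIN`` mechanism enabled on a ``SASL_PLAINTEXT`` transport. It assumes broker-wide keys only (no per-listener overrides), resolves custom listener names through ``listener.security.protocol.map``, and uses constructed sample configurations; the function names are hypothetical.

```python
# Added example: audit a broker properties file for SASL/PLAIN exposed without TLS.
# WEAK and HARDENED below are constructed sample configurations.

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_sasl_plain(text):
    """Return findings where the PLAIN mechanism could run over an unencrypted transport."""
    props = parse_properties(text)
    enabled = props.get("sasl.enabled.mechanisms", "").split(",")
    mechanisms = {m.strip().upper() for m in enabled if m.strip()}
    inter_mech = props.get("sasl.mechanism.inter.broker.protocol", "").upper()
    if "PLAIN" not in mechanisms and inter_mech != "PLAIN":
        return []  # PLAIN is not in use, so no clear-text password risk to report
    # Optional mapping of custom listener names to security protocols.
    name_map = {}
    for pair in props.get("listener.security.protocol.map", "").split(","):
        if ":" in pair:
            name, proto = pair.split(":", 1)
            name_map[name.strip().upper()] = proto.strip().upper()
    findings = []
    for listener in props.get("listeners", "").split(","):
        name = listener.split("://", 1)[0].strip().upper()
        # Without a map entry, the listener name is itself the security protocol.
        if name and name_map.get(name, name) == "SASL_PLAINTEXT":
            findings.append(f"listener {name}: SASL_PLAINTEXT carries PLAIN passwords unencrypted; use SASL_SSL")
    if props.get("security.inter.broker.protocol", "").upper() == "SASL_PLAINTEXT":
        findings.append("security.inter.broker.protocol: SASL_PLAINTEXT; use SASL_SSL")
    return findings

WEAK = """
listeners=SASL_PLAINTEXT://:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.enabled.mechanisms=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
"""
HARDENED = WEAK.replace("SASL_PLAINTEXT", "SASL_SSL")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_sasl_plain(cfg) or "no findings")
```
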