.. _kafka_sasl_auth_scram:

Configuring SCRAM
---------------------------------

SASL/SCRAM Overview
~~~~~~~~~~~~~~~~~~~~~~~~

Salted Challenge Response Authentication Mechanism (SCRAM), or SASL/SCRAM, is a family of SASL mechanisms that addresses the security concerns of traditional username/password mechanisms such as PLAIN. |ak-tm| supports ``SCRAM-SHA-256`` and ``SCRAM-SHA-512``. All examples below use ``SCRAM-SHA-256``, but you can substitute the configuration for ``SCRAM-SHA-512`` as needed.

The SCRAM implementation in |ak| stores SCRAM credentials in |zk| and is suitable for use in |ak| installations where |zk| is on a private network. Because of this, you must create SCRAM credentials for users in |zk|.

.. codewithvars:: bash

    bin/kafka-configs.sh --zookeeper localhost:2181 --alter --add-config 'SCRAM-SHA-256=[iterations=8192,password=alice-secret],SCRAM-SHA-512=[password=alice-secret]' --entity-type users --entity-name alice

    bin/kafka-configs.sh --zookeeper localhost:2181 --alter --add-config 'SCRAM-SHA-256=[password=admin-secret],SCRAM-SHA-512=[password=admin-secret]' --entity-type users --entity-name admin

The default iteration count of 4096 is used if ``iterations`` is not specified. A random salt is created, and the SCRAM identity, consisting of the salt, iteration count, StoredKey and ServerKey, is stored in |zk|. See `RFC 5802 <https://tools.ietf.org/html/rfc5802>`__ for details on the SCRAM identity and its individual fields.
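To make concrete what the broker stores and how it is used during authentication, the following is an added Python example (not part of this page or of the |ak| code base) that derives a SCRAM-SHA-256 identity from a password and salt and then runs the RFC 5802 proof and signature computations against it; the usernames, nonces and salts used with it are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

HASH = "sha256"  # SCRAM-SHA-256, the mechanism used in this page's examples

def scram_credential(password: str, iterations: int = 4096, salt: bytes = b"") -> dict:
    """The SCRAM identity the broker keeps (RFC 5802 section 3): salt, iterations,
    StoredKey and ServerKey. The password itself is never stored."""
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)  # Hi(password, salt, i)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha256(client_key).digest(),  # H(ClientKey)
        "server_key": hmac.new(salted, b"Server Key", HASH).digest(),
    }

def auth_message(username: str, client_nonce: str, cred: dict, server_nonce: str) -> bytes:
    """AuthMessage = client-first-bare , server-first , client-final-without-proof
    (RFC 5802 section 7; no channel binding, so c=biws). Nonces here are constructed samples."""
    nonce = client_nonce + server_nonce
    salt_b64 = base64.b64encode(cred["salt"]).decode()
    server_first = f"r={nonce},s={salt_b64},i={cred['iterations']}"
    return f"n={username},r={client_nonce},{server_first},c=biws,r={nonce}".encode()

def client_proof(password: str, cred: dict, auth_msg: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(H(ClientKey), AuthMessage)."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), cred["salt"], cred["iterations"])
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    client_sig = hmac.new(hashlib.sha256(client_key).digest(), auth_msg, HASH).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))

def verify_client(cred: dict, auth_msg: bytes, proof: bytes) -> bool:
    """Broker side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    Only StoredKey is needed, which is why the broker can verify without holding the password."""
    client_sig = hmac.new(cred["stored_key"], auth_msg, HASH).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), cred["stored_key"])

def server_signature(cred: dict, auth_msg: bytes) -> bytes:
    """ServerSignature = HMAC(ServerKey, AuthMessage); the client checks it to authenticate the broker."""
    return hmac.new(cred["server_key"], auth_msg, HASH).digest()
```

Raising ``iterations`` (as the ``iterations=8192`` entry above does) multiplies the cost of each PBKDF2 guess in ``scram_credential``, which is the property the security considerations below rely on if the stored identity is ever exposed.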

Security Considerations for SASL/SCRAM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- The default implementation of SASL/SCRAM in |ak| stores SCRAM credentials in |zk|. This
  is suitable for production use in installations where |zk| is secure and on a private network.
- |ak| only supports the strong hash functions SHA-256 and SHA-512 with a minimum iteration count
  of 4096. Strong hash functions combined with strong passwords and high iteration counts protect
  against brute force attacks if |zk| security is compromised.
- SCRAM should be used only with TLS encryption to prevent interception of SCRAM exchanges. This
  protects against dictionary or brute force attacks and against impersonation if |zk| is compromised.
- The default SASL/SCRAM credential store may be overridden using custom callback handlers
  by configuring ``sasl.server.callback.handler.class`` in installations where |zk| is not secure.
- For more details on security considerations, refer to `RFC 5802 <https://tools.ietf.org/html/rfc5802#section-9>`__.

The remainder of this page will show you how to configure SASL/SCRAM for each component in the Confluent Platform.

.. _sasl_scram_broker:

Brokers
~~~~~~~~~~

.. include:: ../includes/intro_brokers.rst

* :ref:`Confluent Metrics Reporter <sasl_scram_metrics-reporter>`

JAAS
^^^^^^^^^
.. include:: ../includes/auth_sasl_scram_broker_jaas.rst

Configuration
^^^^^^^^^^^^^^^
.. include:: ../includes/auth_sasl_scram_broker_config.rst

Run
^^^^^^^^^
.. include:: ../includes/auth_sasl_scram_broker_run.rst


Clients
~~~~~~~~~~

.. include:: ../includes/intro_clients.rst

.. include:: ../includes/auth_sasl_scram_client_config.rst


|zk|
~~~~~~~~~~

|zk| does not support SASL/SCRAM authentication, but it does support another mechanism, SASL/DIGEST-MD5.

.. include:: ../includes/intro_zk.rst


.. _sasl_scram_connect-workers:

|kconnect-long|
~~~~~~~~~~~~~~~~

.. include:: ../includes/intro_connect.rst

* :ref:`Confluent Monitoring Interceptors <sasl_scram_interceptors>`
* :ref:`Confluent Metrics Reporter <sasl_scram_metrics-reporter>`

.. include:: ../includes/auth_sasl_scram_connect-workers_config.rst



.. _sasl_scram_replicator:

|crep-full|
~~~~~~~~~~~~~~~~~~~~~~

.. include:: ../includes/intro_replicator.rst

* :ref:`Kafka Connect <sasl_scram_connect-workers>`

.. include:: ../includes/auth_sasl_scram_replicator_config.rst


|c3|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. include:: ../includes/intro_c3.rst

* :ref:`Confluent Metrics Reporter <sasl_scram_metrics-reporter>`: required on the production cluster being monitored
* :ref:`Confluent Monitoring Interceptors <sasl_scram_interceptors>`: optional if you are using Control Center streams monitoring

.. include:: ../includes/auth_sasl_scram_c3_config.rst



.. _sasl_scram_metrics-reporter:

|cmetric-full|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This section describes how to enable SASL/SCRAM for |cmetric-full|, which is used for |c3| and Auto Data Balancer.

.. include:: ../includes/auth_sasl_scram_metrics-reporter_config.rst


.. _sasl_scram_interceptors:

Confluent Monitoring Interceptors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. include:: ../includes/intro_interceptors.rst

Interceptors for General Clients
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_scram_interceptors_config.rst

Interceptors for |kconnect-long|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_scram_interceptors-connect-workers_config.rst

Interceptors for Replicator
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_scram_interceptors-replicator_config.rst


|sr|
~~~~

.. include:: ../includes/intro_sr.rst

.. include:: ../includes/auth_sasl_scram_sr_config.rst


REST Proxy
~~~~~~~~~~~

Securing Confluent REST Proxy for SASL requires that you configure security between the REST proxy and the |ak| cluster.

You may also refer to the complete list of `REST Proxy SASL configuration options <https://docs.confluent.io/current/kafka-rest/docs/config.html#configuration-options-for-sasl-authentication-between-rest-proxy-and-apache-kafka-brokers>`__.

.. include:: ../includes/auth_sasl_scram_rest_config.rst