Manage Authentication
This topic describes post-deployment tasks for managing authentication in Confluent Platform.
Update Kafka SASL/PLAIN users
For jaasConfig
To add users to the authenticated users list, you need to update the list in the text file and update the secret.
In a text file named creds-kafka-sasl-users.json, add the following content:

    {
      "kafka_client": "kafka_client-secret",
      "c3": "c3-secret",
      "kafka": "kafka-secret",
      "new_user": "password"
    }
Update the Kubernetes secret.

In the following command, you generate the YAML for the secret and apply it as an update to the existing secret, credential. For --from-file, you must use the plain-users.json key, as --from-file=plain-users.json.

    kubectl create secret generic credential \
      --from-file=plain-users.json=creds-kafka-sasl-users.json \
      --save-config --dry-run=client -oyaml | \
      kubectl apply -f -
You do not need to restart the Kafka brokers. The updated users list is picked up by the services.
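The file edit in the first step can be scripted so that the new user gets a generated password and the credentials file is never left half-written or readable by other local users. This is an added example, not Confluent's code; the function names and the username character set are assumptions.

```python
import json
import os
import re
import secrets
import tempfile

# Assumption: a conservative username charset; adjust to your naming policy.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def reject_duplicates(pairs):
    """json hook: fail on repeated keys instead of silently keeping the last one."""
    users = {}
    for name, password in pairs:
        if name in users:
            raise ValueError(f"duplicate user entry: {name}")
        users[name] = password
    return users


def add_sasl_user(path, username, nbytes=32):
    """Add username with a random password to the users file; return the password."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"unexpected characters in username: {username!r}")
    with open(path, encoding="utf-8") as fh:
        users = json.load(fh, object_pairs_hook=reject_duplicates)
    if not isinstance(users, dict) or username in users:
        raise ValueError(f"not a JSON object, or user already exists: {username}")
    users[username] = secrets.token_urlsafe(nbytes)
    # mkstemp creates the file with mode 0600 and os.replace swaps it in atomically,
    # so a crash never leaves a truncated or world-readable credentials file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(users, fh, indent=2)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return users[username]


if __name__ == "__main__":
    # Constructed sample input that mirrors the layout of creds-kafka-sasl-users.json.
    sample = os.path.join(tempfile.mkdtemp(), "creds-kafka-sasl-users.json")
    with open(sample, "w", encoding="utf-8") as fh:
        json.dump({"kafka_client": "kafka_client-secret", "c3": "c3-secret"}, fh)
    add_sasl_user(sample, "new_user")
    print("added new_user to", sample)
```

After the file is updated, the kubectl command above is run unchanged to push it into the credential secret.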
For jaasConfigPassThrough
To add users to the authenticated users list, you need to update the config file in the secret and perform a rolling update of Kafka.
In plain-jaas.conf, add the new user and its password. For example:

    sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
      username="admin" \
      password="admin-secret" \
      user_admin="admin-secret" \
      user_alice="alice-secret" \
      user_newuser="password";
Update the secret with the new file contents as described in the section above.
Roll the Kafka cluster.