Manage Authentication

This topic describes post-deployment tasks for managing authentication in Confluent Platform.

Update Kafka SASL/PLAIN users

For jaasConfig

To add users to the authenticated users list, you need to update the list in the text file and update the secret.

  1. In a text file, named creds-kafka-sasl-users.json, add the following content:

    {
    "kafka_client": "kafka_client-secret",
    "c3": "c3-secret",
    "kafka": "kafka-secret",
    "new_user": "password"
    }
    
  2. Update the Kubernetes secret.

    In the following command, you generate the YAML for the secret and apply it as an update to the existing secret, credential.

    For --from-file, you must use the plain-users.json key, as --from-file=plain-users.json.

    kubectl create secret generic credential \
      --from-file=plain-users.json=creds-kafka-sasl-users.json \
      --save-config --dry-run=client -oyaml | \
      kubectl apply -f -
    

You do not need to restart the Kafka brokers. The updated users list is picked up by the services.

For jaasConfigPassThrough

To add users to the authenticated users list, you need to update the config file in the secret and perform a rolling update of Kafka.

  1. In plain-jaas.conf, add the new user and its password.

    For example:

    sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
       username="admin" \
       password="admin-secret" \
       user_admin="admin-secret" \
       user_alice="alice-secret" \
       user_newuser="password";
    
  2. Update the secret with the new file contents as described in the section above.

  3. Roll the Kafka cluster.