Manage Authentication¶
This topic describes post-deployment tasks for managing authentication in Confluent Platform.
Update Kafka SASL/PLAIN users¶
To update the SASL/PLAIN user credentials for Kafka, follow the steps described
below based on the method you use to provide required credentials, namely
jaasConfig
or jaasConfigPassThrough
.
Update server-side SASL/PLAIN users¶
For jaasConfig¶
To add users to the authenticated users list, you need to update the list in the text file and update the secret.
In a text file, named
creds-kafka-sasl-users.json
, add the following content:{ "kafka_client": "kafka_client-secret", "c3": "c3-secret", "kafka": "kafka-secret", "new_user": "password" }
Update the Kubernetes secret.
In the following command, you generate the YAML for the secret and apply it as an update to the existing secret,
credential
.For
--from-file
, you must use theplain-users.json
key, as--from-file=plain-users.json
.kubectl create secret generic credential \ --from-file=plain-users.json=creds-kafka-sasl-users.json \ --save-config --dry-run=client -oyaml | \ kubectl apply -f -
You do not need to restart the Kafka brokers. The updated users list is picked up by the services.
For jaasConfigPassThrough¶
To add users to the authenticated users list, you need to update the config file in the secret and perform a rolling update of Kafka.
In
plain-jaas.conf
, add the new user and its password.For example:
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \ username="admin" \ password="admin-secret" \ user_admin="admin-secret" \ user_alice="alice-secret" \ user_newuser="password";
Update the secret with the new file contents as described in the section above.
Roll the Kafka cluster.
Update client-side SASL/PLAIN users using JAAS config¶
To update the user credentials, update the credentials in the text file and update the secret:
In a text file, named
creds-kafka-sasl-users.txt
, update the following content:username=<username> password=<password>
Update the Kubernetes secret.
In the following command, you generate the YAML for the secret and apply it as an update to the existing secret,
credential
.For
--from-file
, you must use theplain.txt
key, as--from-file=plain.txt
.kubectl create secret generic credential \ --from-file=plain.txt=creds-kafka-sasl-users.txt \ --save-config --dry-run=client -oyaml | \ kubectl apply -f -
Restart the Confluent Platform components that depends on the
plain.txt
key so that the updated user is picked up by the services.