Manage Authentication

This topic describes post-deployment tasks for managing authentication in Confluent Platform.

Update Kafka SASL/PLAIN users

To update the SASL/PLAIN user credentials for Kafka, follow the steps described below based on the method you use to provide required credentials, namely jaasConfig or jaasConfigPassThrough.

Update server-side SASL/PLAIN users

For jaasConfig

To add users to the authenticated users list, you need to update the list in the text file and update the secret.

  1. In a text file, named creds-kafka-sasl-users.json, add the following content:

    {
    "kafka_client": "kafka_client-secret",
    "c3": "c3-secret",
    "kafka": "kafka-secret",
    "new_user": "password"
    }
    
  2. Update the Kubernetes secret.

    In the following command, you generate the YAML for the secret and apply it as an update to the existing secret, credential.

    For --from-file, you must use the plain-users.json key, as --from-file=plain-users.json.

    kubectl create secret generic credential \
      --from-file=plain-users.json=creds-kafka-sasl-users.json \
      --save-config --dry-run=client -oyaml | \
      kubectl apply -f -
    

You do not need to restart the Kafka brokers. The updated users list is picked up by the services.

For jaasConfigPassThrough

To add users to the authenticated users list, you need to update the config file in the secret and perform a rolling update of Kafka.

  1. In plain-jaas.conf, add the new user and its password.

    For example:

    sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
       username="admin" \
       password="admin-secret" \
       user_admin="admin-secret" \
       user_alice="alice-secret" \
       user_newuser="password";
    
  2. Update the secret with the new file contents as described in the section above.

  3. Roll the Kafka cluster.

Update client-side SASL/PLAIN users using JAAS config

To update the user credentials, update the credentials in the text file and update the secret:

  1. In a text file, named creds-kafka-sasl-users.txt, update the following content:

    username=<username>
    password=<password>
    
  2. Update the Kubernetes secret.

    In the following command, you generate the YAML for the secret and apply it as an update to the existing secret, credential.

    For --from-file, you must use the plain.txt key, as --from-file=plain.txt.

    kubectl create secret generic credential \
      --from-file=plain.txt=creds-kafka-sasl-users.txt \
      --save-config --dry-run=client -oyaml | \
      kubectl apply -f -
    
  3. Restart the Confluent Platform components that depends on the plain.txt key so that the updated user is picked up by the services.