MDS File-Based Authentication for Confluent Platform

This page explains how to configure the Metadata Service (MDS) in Confluent Platform to use file-based authentication.

Configuration Properties

To configure MDS for file-based authentication:

  1. Set the following properties:

    confluent.metadata.server.user.store

    Set this property to FILE to enable file-based user storage.

    confluent.metadata.server.user.store.file.path

    Specify the absolute path to the file that will store the user credentials.

    For example:

    confluent.metadata.server.user.store=FILE
confluent.metadata.server.user.store.file.path=<FILE-path>

  2. Confirm that the MDS process has read permissions for the FILE-path.

  3. Restart the MDS server for your changes to take effect.

Configure user credentials

The user FILE contains usernames and passwords. You can configure the file with basic plaintext passwords or with hashed passwords for stronger security. For production environments, you should use hashed passwords (preferably salted hashes) instead of plaintext passwords for improved security.

Basic plaintext configuration

For basic configurations, provide usernames and passwords in plaintext within the file. Add each entry on a new line in the format username:password, for example:

admin:admin-secret
alice:alice-secret
bob:bob-secret

Hash configuration

Important

This configuration applies to Confluent Platform versions 7.7.4, 7.8.3, 7.9.2, 8.0.0, and later.

You can maintain password hashes in the FILE using one of these MDS-supported hash algorithms:

  • CRYPT
  • MD5
  • SHA256
  • SHA384
  • SHA512

The format for hashed passwords is username:ALGORITHM:hash_value.

# SHA256 hashed passwords
admin:SHA256:d104909435cef2bd7567b281a7e95fd716cca56462208923a3020e2df7166c8a
user1:SHA256:39ea7b02d4cc77ca8f956e4650a3e116ab5200209d2cba813e1c14b32416dab9

# SHA512 hashed passwords
poweruser:SHA512:392241b7cd760920cc0cd81410cb818c18a174b8f76e07df10373f5a338f4035fc951e0269494e722438f040d79ef9dba8397bf88b1f80999f92792e2015b67

# Mixed format file (plaintext + hashed)
testuser:plaintext_password
hashuser:SHA256:6fa2288c361becce3e30ba4c41be7d8ba01e3580566f7acc76a7f99994474c46

Salted hashes ensure unique hash values, even for identical passwords. This makes brute-force attacks more difficult. The format for salted hashes is username:ALGORITHM:$salt$hash_value.

user1:SHA256:$salt-1$8f6ed82844bdc9b1d16907cf109affeb089e81440a771ac0622b963cf0b82a10
user2:SHA256:$salt-2$7136d0f6d3c229ab0a89185a9d1ca3bfa1b7b8538c9fdfb8cdfa4a587d7eee7e

Generating hashed passwords

This section outlines the process for generating basic and salted hashes.

Simple hash generation

To generate a basic hash for a password:

  1. Choose your hashing algorithm (SHA256, SHA384, or SHA512).

  2. Hash your password using the selected algorithm.

  3. Format the entry as:

    username:ALGORITHM:hash_value

Salted hash generation

For enhanced security with salted hash you would do the following:

  1. Choose a unique salt value for each user.

    Original password: mypassword

    User Salt: user-specific-salt

  2. Hash your original password with the chosen algorithm, for example:

    hash1 = SHA256("mypassword")

  3. Concatenate the hash result from the last step with the salt value:

    combined = hash1 + "user-specific-salt"

  4. Hash the concatenated string again with the same algorithm:

    final_hash = SHA256(combined)

  5. Format as:

    username:ALGORITHM:$salt$final_hash

Adding custom metadata (optional)

You can append additional, colon-separated metadata to your credentials after the hash values.

username:ALGORITHM:hash_value:metadata1:metadata2

This additional metadata is intended for your organization to use and is completely ignored by Confluent Platform.