I have worked on setting the authentication for Kafka clients in past. I have I have refered:
And other links as well.
As mentioned in docs we need to have jaas configuration file to specify the authentication method, I had one like below:
KafkaClient {
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
LoginStringClaim_sub="admin";
};
Which basically adds the OAuth authentication for kafka clients.
The question is - can I have multiple authentication methods enabled on kafka broker
I mean can I enable both OAuthBearer and PLAIN authentication on Kafka, and let the client authenticate by any one of these methods.
OK, I found how we can do it.
Multiple SASL mechanisms can be enabled on the broker simultaneously while each client has to choose one mechanism.
In JAAS config file, we have to specify the configuration for the multiple login modules as below:
KafkaServer {
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
LoginStringClaim_sub="admin";
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="admin-secret"
user_alice="alice-secret";
};
Then we have to enable the SASL mechanisms in server.properties:
# List of enabled mechanisms, can be more than one
sasl.enabled.mechanisms=OAUTHBEARER,PLAIN
And Then Specify the SASL security protocol and mechanism for inter-broker communication in server.properties
# Configure SASL_SSL if SSL encryption is enabled, otherwise configure SASL_PLAINTEXT
security.inter.broker.protocol=SASL_SSL
# Configure the appropriate inter-broker protocol
sasl.mechanism.inter.broker.protocol=PLAIN
Credit to - https://docs.confluent.io/current/kafka/authentication_sasl/index.html#enabling-multiple-sasl-mechanisms