JAAS configuration for Kafka clients
Clients may configure JAAS using the client configuration property sasl.jaas.config or using the static JAAS config file, similar to brokers.
JAAS configuration using client configuration property
Clients may specify JAAS configuration as a producer or consumer property without creating a physical configuration file. This mode also enables different producers and consumers within the same JVM to use different credentials by specifying different properties for each client. If both the static JAAS configuration system property java.security.auth.login.config and the client property sasl.jaas.config are specified, the client property will be used. See GSSAPI (Kerberos), PLAIN, SCRAM or OAUTHBEARER for example configurations.
JAAS configuration using static config file
To configure SASL authentication on the clients using a static JAAS config file:
- Add a JAAS config file with a client login section named KafkaClient. Configure a login module in KafkaClient for the selected mechanism as described in the examples for setting up GSSAPI (Kerberos), PLAIN, SCRAM or OAUTHBEARER. For example, GSSAPI credentials may be configured as:
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/security/keytabs/kafka_client.keytab"
principal="kafka-client-1@EXAMPLE.COM";
};
- Pass the JAAS config file location as JVM parameter to each client JVM. For example:
-Djava.security.auth.login.config=/etc/kafka/kafka_client_jaas.conf
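The precedence rule and the KafkaClient section described above, as an added example that is not part of the Kafka documentation or code base: a Python helper that parses both JAAS sources and reports which login module entry a client will use. The function names, the injected read_file parameter, and the second principal and keytab path are assumptions made for illustration; comments inside JAAS files are not handled.

```python
import re
from pathlib import Path

_ENTRY = re.compile(  # one entry: login module class, control flag, options, ';'
    r'\s*([\w.$]+)\s+(required|requisite|sufficient|optional)\b'
    r'((?:"(?:[^"\\]|\\.)*"|[^";])*);')
_OPTION = re.compile(r'([\w.]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s";]+)')
_JVM_FLAG = "-Djava.security.auth.login.config="

def parse_entry(text, pos=0):
    """Parse '<LoginModule> <flag> key=value ...;' starting at pos."""
    m = _ENTRY.match(text, pos)
    if not m:
        raise ValueError("no JAAS login module entry found")
    opts = {k: v[1:-1] if v.startswith('"') else v
            for k, v in _OPTION.findall(m.group(3))}
    return {"module": m.group(1), "flag": m.group(2), "options": opts}

def parse_static_section(jaas_text, section="KafkaClient"):
    """Return the first login module entry of the named section."""
    m = re.search(r'\b' + re.escape(section) + r'\s*\{', jaas_text)
    if not m:
        raise ValueError("section %s not found" % section)
    return parse_entry(jaas_text, m.end())

def effective_jaas(client_props, jvm_args,
                   read_file=lambda p: Path(p).read_text(encoding="utf-8")):
    """Return (source, entry); the client property wins over the static file."""
    if client_props.get("sasl.jaas.config"):
        return "sasl.jaas.config", parse_entry(client_props["sasl.jaas.config"])
    for arg in jvm_args:
        if arg.startswith(_JVM_FLAG):
            path = arg[len(_JVM_FLAG):]
            return path, parse_static_section(read_file(path))
    return None, None  # neither of the two sources described here is set

# Constructed sample input: the static file from the text, plus a client
# property naming a second (made-up) principal and keytab.
STATIC_FILE = '''KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true storeKey=true
    keyTab="/etc/security/keytabs/kafka_client.keytab"
    principal="kafka-client-1@EXAMPLE.COM";
};'''
JVM_ARGS = [_JVM_FLAG + "/etc/kafka/kafka_client_jaas.conf"]
PROPS = {"sasl.jaas.config": 'com.sun.security.auth.module.Krb5LoginModule '
         'required useKeyTab=true storeKey=true principal="kafka-client-2@EXAMPLE.COM" '
         'keyTab="/etc/security/keytabs/kafka_client_2.keytab";'}
if __name__ == "__main__":
    for props in ({}, PROPS):
        source, entry = effective_jaas(props, JVM_ARGS, lambda _p: STATIC_FILE)
        print(source, "->", entry["options"]["principal"])
```

Running it against a client's real properties and JVM arguments shows which principal and keytab the client will authenticate with when both sources are present.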