Kafka SASL Authentication

Core support for Simple Authentication and Security Layer (SASL) was added to Apache Kafka in the 0.10.2 release. This allows for simple username/password authentication to Kafka using SASL. We are excited to add this authentication mechanism to the Eventador service. Here is how it works.


Background

Kafka SASL SCRAM support started life as KIP-84 and grew into KAFKA-3751, ultimately making it into 0.10.2. Recently, we released Kafka 1.0.0 onto our platform, then followed up by adding support for SASL/SCRAM. While KAFKA-3751 made it possible to use this authentication mechanism, it’s still a hassle and confusing at best. In releasing this feature to our console, we wanted to make authenticating to Kafka with a username and password simple, while keeping all the power and security.


SASL on Eventador

SASL is a key component of the security configuration of your Kafka deployment. At Eventador, we previously enabled you to white-list consumers and producers via our deployment-scoped ACL controls and to encrypt communications via SSL.

Now we have added the last piece to the picture: the capability to use SASL/SCRAM for authentication to Eventador Kafka deployments. Eventador handles creating the CA certificate and all user account management (CRUD operations). This saves you the hassle of configuring and managing users via the default Kafka scripts.


Creating and managing users

Creating users is simple. Log into the Eventador Console, select the Kafka deployment you want to add users to, then select the ‘SASL users’ tab. Add users by clicking the ‘add user’ button. You can add and remove users as you need to, and you can also change or reset passwords.


An end-to-end SASL example

It should be noted that at this point many drivers support SASL with various levels of maturity, so you may want to check compatibility before you dive in too deep – YMMV. In our example we are going to use Scala.

First let’s set up an environment and create our keyfile. We will be pasting the key from the Eventador Console into the keyfile. To grab your key, navigate to your deployment here, then select configure for the deployment you want to produce to, then the tab labelled ‘SASL Users’. Substitute <paste cert here> with the text from the box labelled ‘Deployment CA Certificate’.

In this case we will use Scala. In the same Docker container, start Scala:

Now you should be producing messages. You can monitor the activity in your dashboard or use kafkacat to pop off a few messages. Here are the docs for client configs. As always, if you have any questions or are having problems with this example, hit support or Slack.
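
A producer set up for SASL/SCRAM over TLS using the keyfile described above, as an added example (not Eventador's original code). It assumes the kafka-clients library is on the classpath; the environment variable names, the `SCRAM-SHA-256` mechanism and the throwaway truststore password are assumptions to adjust for your deployment.

```scala
import java.io.{FileInputStream, FileOutputStream}
import java.nio.file.Files
import java.security.KeyStore
import java.security.cert.CertificateFactory
import java.util.Properties
import org.apache.kafka.clients.producer.{KafkaProducer, ProducerRecord}

object SaslScramProducer {
  // Import the PEM CA certificate (the keyfile) into a temporary JKS truststore.
  def truststoreFromPem(pemPath: String, storePass: String): String = {
    val in = new FileInputStream(pemPath)
    val ca = try CertificateFactory.getInstance("X.509").generateCertificate(in) finally in.close()
    val ks = KeyStore.getInstance("JKS")
    ks.load(null, null) // start from an empty keystore
    ks.setCertificateEntry("deployment-ca", ca)
    val jks = Files.createTempFile("truststore", ".jks")
    val out = new FileOutputStream(jks.toFile)
    try ks.store(out, storePass.toCharArray) finally out.close()
    jks.toString
  }

  // Escape backslashes and quotes so a password cannot break out of the JAAS string.
  private def q(s: String) = s.replace("\\", "\\\\").replace("\"", "\\\"")

  def saslProps(bootstrap: String, user: String, pass: String, truststore: String, storePass: String): Properties = {
    val p = new Properties()
    p.setProperty("bootstrap.servers", bootstrap)
    p.setProperty("security.protocol", "SASL_SSL")   // SASL inside TLS, not SASL_PLAINTEXT
    p.setProperty("sasl.mechanism", "SCRAM-SHA-256") // assumption: must match the deployment
    p.setProperty("sasl.jaas.config",
      s"""org.apache.kafka.common.security.scram.ScramLoginModule required username="${q(user)}" password="${q(pass)}";""")
    p.setProperty("ssl.truststore.location", truststore)
    p.setProperty("ssl.truststore.password", storePass)
    p.setProperty("key.serializer", "org.apache.kafka.common.serialization.StringSerializer")
    p.setProperty("value.serializer", "org.apache.kafka.common.serialization.StringSerializer")
    p
  }

  def main(args: Array[String]): Unit = {
    // Hypothetical variable names; credentials stay out of source code and shell history.
    val env = sys.env
    val ts = truststoreFromPem(env("KAFKA_CA_PEM"), "changeit")
    val producer = new KafkaProducer[String, String](
      saslProps(env("KAFKA_BOOTSTRAP"), env("KAFKA_SASL_USER"), env("KAFKA_SASL_PASS"), ts, "changeit"))
    try producer.send(new ProducerRecord[String, String](env("KAFKA_TOPIC"), "hello", "sasl-scram test")).get()
    finally producer.close()
  }
}
```

The blocking `get()` on the send surfaces authentication and TLS errors immediately, so a wrong password or an untrusted certificate fails the run instead of being silently retried.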
