...
SASL in Kafka is configured using the standard JAAS configuration. SASL configuration consists of:
1) A LoginContext that specifies the login module class and the properties for the login module, specified using JAAS configuration.
2) The SASL mechanism and other mechanism-specific properties, configured as Kafka client or server properties. Additional properties and selection policies handled by the SASL implementation may also be specified when the client SaslClient or server SaslServer is constructed.
3) Additional input required by the SASL implementation, obtained using CallbackHandlers.
4) The SASL server (SaslServer) or SASL client (SaslClient) implementation for the configured mechanism. These are installed as security providers in the JVM.
All four types of configuration above need to be configured consistently for SASL authentication to operate correctly. 1) and 4) are JVM configuration options. 2) and 3) are currently hard-coded in Kafka. The proposed changes enable flexible configuration of 2) and 3), so that any SASL mechanism implementation can be supported in Kafka clients and servers.
...
Kafka server and client will have a new configuration option sasl.callback.handler.class to provide a callback handler class. Default callbacks are included in Kafka for the mechanisms which have an implementation in Kafka (GSSAPI and PLAIN). The default client callback handler obtains the authentication id and password from the public and private credentials of the Subject, respectively, as String values. Configurable callbacks will enable other mechanisms to be used with Kafka without any changes to Kafka code.
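The two pieces a deployment would supply under this proposal, as an added example (not Kafka's own code): a JAAS LoginModule that copies the username and password options from the JAAS configuration into the Subject, and a client CallbackHandler that reads them back the way the default client handler described above does (authentication id from the public credentials, password from the private credentials, both as String values). The package and class names, the JAAS option names, and the assumption that Kafka invokes the handler inside Subject.doAs (so the Subject is reachable from the current access-control context) are all hypothetical.

```java
// Added example, not Kafka's own code. Assumed JAAS configuration for the client
// (login-module and option names are hypothetical):
//
//   KafkaClient {
//     com.example.sasl.SubjectCredentialsCallbackHandler$MapLoginModule required
//       username="alice"
//       password="alice-secret";
//   };
//
// and, in the client properties, the handler proposed by this KIP:
//   sasl.callback.handler.class=com.example.sasl.SubjectCredentialsCallbackHandler
package com.example.sasl;

import java.io.IOException;
import java.security.AccessController;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Client callback handler: authentication id and password come from the Subject. */
public class SubjectCredentialsCallbackHandler implements CallbackHandler {

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        // Assumption: the handler runs inside Subject.doAs(subject, ...), so the
        // logged-in Subject is available from the current access-control context.
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null)
            throw new IOException("No Subject in the current access-control context");
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                // Public credential: the authentication id. Never fall back to the
                // callback's default name; fail if the login did not supply one.
                ((NameCallback) cb).setName(firstString(subject.getPublicCredentials(), "authentication id"));
            } else if (cb instanceof PasswordCallback) {
                // Private credential: the password.
                ((PasswordCallback) cb).setPassword(
                        firstString(subject.getPrivateCredentials(), "password").toCharArray());
            } else {
                throw new UnsupportedCallbackException(cb, "Unrecognized SASL client callback");
            }
        }
    }

    private static String firstString(Set<Object> credentials, String what) throws IOException {
        for (Object c : credentials)
            if (c instanceof String) return (String) c;
        throw new IOException("Subject has no String " + what + " credential");
    }

    /** Login module that populates the Subject from the "username"/"password" JAAS options. */
    public static class MapLoginModule implements LoginModule {
        private Subject subject;
        private String username;
        private String password;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.username = (String) options.get("username");
            this.password = (String) options.get("password");
        }

        @Override
        public boolean login() throws LoginException {
            if (username == null || password == null)
                throw new LoginException("username and password options are required");
            return true;
        }

        @Override
        public boolean commit() {
            subject.getPublicCredentials().add(username);   // authentication id
            subject.getPrivateCredentials().add(password);  // password
            return true;
        }

        @Override
        public boolean abort() {
            username = null;
            password = null;
            return true;
        }

        @Override
        public boolean logout() {
            subject.getPublicCredentials().remove(username);
            subject.getPrivateCredentials().remove(password);
            return true;
        }
    }
}
```

Because the password is held as a String in the Subject's private credentials, it stays in the heap until garbage-collected; a mechanism that needs stricter handling can use the same split (public credential for the identity, private credential for the secret) with its own credential type and a handler that recognises it.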
...
The current implementation does not specify any properties when the SaslClient or SaslServer is constructed. To make the Kafka implementation flexible with pluggable mechanisms, all properties specified for the Kafka client/server will be passed to the SaslClient/SaslServer. These include all properties specified by the user, including properties not defined in Kafka, so that additional properties can be added without changes to Kafka.
...
SASL/PLAIN is a simple username/password authentication mechanism. It sends the password in the clear, so it is used with TLS for encryption to implement secure authentication. Unlike Kerberos, PLAIN does not require complex authentication infrastructure. Adding a default implementation for PLAIN in Kafka enables a simpler authentication mechanism for organizations which do not already use Kerberos. The SASL/PLAIN protocol and its uses are described in RFC 4616 (https://tools.ietf.org/html/rfc4616).
The PR in KAFKA-2658 will be rebased on the extensible interface from this KIP for this implementation.
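An added example, not the KAFKA-2658 implementation or any other Kafka code, covering both the property pass-through described earlier and the PLAIN mechanism: a SASL/PLAIN SaslServer written against the JDK's javax.security.sasl SPI, together with the SaslServerFactory that receives the properties map. The factory consults only the standard Sasl.POLICY_NOPLAINTEXT property it understands and ignores the rest, which is how a mechanism can pick its own settings out of the full client/server property set. The server parses one RFC 4616 message ([authzid] NUL authcid NUL passwd), asks the configured CallbackHandler for the expected password via NameCallback/PasswordCallback, compares in constant time, and then checks authorization with AuthorizeCallback. The package and class names and the callback prompt strings are hypothetical.

```java
// Added example, not Kafka's PLAIN implementation. Names are hypothetical.
package com.example.sasl;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;

public class PlainSaslServerFactory implements SaslServerFactory {
    private static final String[] PLAIN = {"PLAIN"};
    private static final String[] NONE = {};

    @Override
    public SaslServer createSaslServer(String mechanism, String protocol, String serverName,
                                       Map<String, ?> props, CallbackHandler cbh) throws SaslException {
        if (!"PLAIN".equals(mechanism) || getMechanismNames(props).length == 0) return null;
        if (cbh == null) throw new SaslException("PLAIN needs a CallbackHandler to verify credentials");
        return new PlainSaslServer(cbh);
    }

    /** PLAIN sends the password in the clear: refuse it when the properties forbid plaintext. */
    @Override
    public String[] getMechanismNames(Map<String, ?> props) {
        boolean noPlaintext = props != null
                && "true".equalsIgnoreCase(String.valueOf(props.get(Sasl.POLICY_NOPLAINTEXT)));
        return noPlaintext ? NONE : PLAIN;
    }

    static final class PlainSaslServer implements SaslServer {
        private final CallbackHandler cbh;
        private boolean complete;
        private String authorizationId;

        PlainSaslServer(CallbackHandler cbh) { this.cbh = cbh; }

        @Override public String getMechanismName() { return "PLAIN"; }

        /** Evaluates the single client message: [authzid] NUL authcid NUL passwd (RFC 4616). */
        @Override
        public byte[] evaluateResponse(byte[] response) throws SaslException {
            if (complete) throw new SaslException("PLAIN authentication already completed");
            String[] tokens = new String(response, StandardCharsets.UTF_8).split("\u0000", -1);
            if (tokens.length != 3)
                throw new SaslException("Malformed PLAIN message: expected 3 NUL-separated tokens, got " + tokens.length);
            String authzid = tokens[0], authcid = tokens[1], passwd = tokens[2];
            if (authcid.isEmpty() || passwd.isEmpty())
                throw new SaslException("PLAIN authcid and passwd must be non-empty");

            // The callback handler supplies the expected password for authcid (null if unknown).
            NameCallback nc = new NameCallback("username:", authcid);
            PasswordCallback pc = new PasswordCallback("password:", false);
            handle(nc, pc);
            char[] expected = pc.getPassword();
            pc.clearPassword();
            byte[] expectedBytes = expected == null ? new byte[0]
                    : new String(expected).getBytes(StandardCharsets.UTF_8);
            // Constant-time compare; an unknown user compares against empty and fails the same way.
            if (!MessageDigest.isEqual(expectedBytes, passwd.getBytes(StandardCharsets.UTF_8)))
                throw new SaslException("Authentication failed: invalid username or password");

            // Empty authzid means "act as the authenticated identity".
            AuthorizeCallback ac = new AuthorizeCallback(authcid, authzid.isEmpty() ? authcid : authzid);
            handle(ac);
            if (!ac.isAuthorized())
                throw new SaslException("Authentication failed: " + authcid + " may not act as " + ac.getAuthorizationID());
            authorizationId = ac.getAuthorizedID() != null ? ac.getAuthorizedID() : ac.getAuthorizationID();
            complete = true;
            return null; // PLAIN has no server challenge or final response
        }

        private void handle(Callback... callbacks) throws SaslException {
            try {
                cbh.handle(callbacks);
            } catch (IOException | UnsupportedCallbackException e) {
                throw new SaslException("Callback handler failed", e);
            }
        }

        @Override public boolean isComplete() { return complete; }

        @Override public String getAuthorizationID() {
            if (!complete) throw new IllegalStateException("PLAIN authentication not completed");
            return authorizationId;
        }

        // PLAIN negotiates no integrity or confidentiality layer: TLS must provide it.
        @Override public byte[] unwrap(byte[] incoming, int offset, int len) {
            throw new IllegalStateException("PLAIN negotiates no security layer");
        }
        @Override public byte[] wrap(byte[] outgoing, int offset, int len) {
            throw new IllegalStateException("PLAIN negotiates no security layer");
        }
        @Override public Object getNegotiatedProperty(String propName) {
            if (!complete) throw new IllegalStateException("PLAIN authentication not completed");
            return Sasl.QOP.equals(propName) ? "auth" : null;
        }
        @Override public void dispose() {}
    }
}
```

To make this visible to Sasl.createSaslServer, the factory is registered as item 4) in the list above describes: a java.security.Provider subclass that maps the key "SaslServerFactory.PLAIN" to the factory's class name, added with Security.addProvider or listed in the JVM's java.security file. The password-verifying CallbackHandler is the server-side counterpart of the proposed sasl.callback.handler.class setting; the JDK ships no PLAIN server factory of its own, which is why a PLAIN server implementation has to be supplied this way.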
...