...
- Name:
sasl.client.callback.handler.class
- Type:
CLASS
- Doc: The fully qualified name of a Sasl client callback handler class that implements the
org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
interface.
- Default: null (by default, the appropriate internal default callback handlers for the mechanism will be used)
...
- Name:
sasl.server.callback.handler.class.map
- Type:
STRING
- Doc: The fully qualified name of a SASL server callback handler class that implements the
AuthenticateCallbackHandler
interface. The config must be prefixed by the mechanism name in lower case. If multiple listeners are enabled, the config may be prefixed with the listener prefix. For example, listener.name.sasl_ssl.plain.sasl.server.callback.handler.class=com.example.CustomPlainCallbackHandler or scram-sha-256.sasl.server.callback.handler.class=com.example.CustomScramCallbackHandler.
- Default: null (by default, the appropriate internal default callback handlers for each mechanism will be used)
Login class (for clients and brokers)
- Name:
sasl.login.class
- Type:
CLASS
- Doc: A class that implements the
org.apache.kafka.common.security.auth.Login
interface. For brokers, the config name must be prefixed by the mechanism name in lower case and may also be prefixed with listener name. For example, listener.name.sasl_ssl.plain.sasl.login.class=com.example.PlainServerLogin or scram-sha-256.sasl.login.class=com.example.ScramServerLogin for brokers and sasl.login.class=com.example.KerberosClientLogin for clients.
- Default: null (by default, the internal class
KerberosLogin
will be used if Kerberos is enabled on the listener and
DefaultLogin
otherwise)
...
Define a new class that implements AuthenticateCallbackHandler
which handles NameCallback
and PlainAuthenticateCallback
and add the class to the broker's sasl.server.callback.handler.class.map
property. A single instance of this callback handler will be created for the broker. The configured callback handler is responsible for validating the password provided by clients and this may use an external authentication server.
...
If a custom SaslServer implementation is used instead of the one included in Kafka, the custom implementation may require a different set of callbacks. A callback handler for these callbacks may be specified in sasl.server.callback.handler.class.map
.
Configure a new mechanism not included in Kafka using custom SaslServer/SaslClient
A handler that handles any callbacks required for these server/client implementations may be specified in
sasl.server.callback.handler.class.map
and
sasl.client.callback.handler.class
for brokers and clients respectively.
...
KIP-103 introduced support for multiple listeners in the broker for the same security protocol. This allows brokers to configure different SASL mechanisms for internal and external traffic. The listener name prefix can be applied to sasl.server.callback.handler.class.map
to define different callback handlers for each of the listeners.
...