SASL

Bufstream supports several SASL authentication mechanisms for Kafka clients:

PLAIN

SASL/PLAIN is a simple username/password authentication mechanism. To enable it, add the following to your Helm values file:

kafka:
    sasl:
        plain:
            # Kubernetes secrets containing `username` and `password` as secret keys.
            # See https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret
            credentialsSecrets: []

ANONYMOUS

As the name suggests, SASL/ANONYMOUS authenticates the client as an anonymous principal. It provides no security layer and is not recommended.

kafka:
    sasl:
        anonymous: true

SCRAM

To authenticate with SASL/SCRAM, you need to configure a SCRAM admin user, which then has permission to create other SCRAM users.

Configuration

The SCRAM admin's credentials consist of a username, a hash function, and a password in either plain text or salted form. The salted form also requires the salt and the iteration count used for salting.

To configure the SCRAM admin with a password in plain text:

  1. Create a Kubernetes secret with keys username and plaintext.
  2. Populate the config below and add it to kafka.authentication.sasl in your Helm values.

scram:
  adminCredentials:
    # The hash algorithm used by the admin credentials. Supports [SHA256, SHA512].
    hash:
    # Only one of plaintextCredentialsSecret or salted can be set.
    # Kubernetes secret containing 'username' and 'plaintext' as secret keys.
    plaintextCredentialsSecret:

To configure the SCRAM admin with a salted password:

  1. Salt the admin password with a random salt, an iteration count between 4096 and 16384, and a hash function of either SHA256 or SHA512.
  2. Create a Kubernetes secret with keys username, saltedPassword and salt.
  3. Populate the config below and add it to kafka.authentication.sasl in your Helm values.

scram:
  adminCredentials:
    # The hash algorithm used by the admin credentials. Supports [SHA256, SHA512].
    hash:
    # Salted admin credentials.
    salted:
      # The number of iterations in the salting process.
      iterations:
      # Kubernetes secret containing 'username', 'salt', 'salted-password' as secret keys.
      saltedSecret:
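
One way to carry out steps 1 and 2 of the salted procedure, as an added example that is not Bufstream's own tooling: it derives the SCRAM salted password as defined in RFC 5802 (PBKDF2-HMAC with the chosen hash) and builds a Secret manifest with the keys named in step 2. Assumptions: the salt and salted password are stored base64-encoded, the Secret name and username are constructed sample values, and only printable-ASCII passwords are accepted because SASLprep normalization is not implemented here.

```python
import base64
import hashlib
import json
import secrets

HASHES = {"SHA256": "sha256", "SHA512": "sha512"}  # the two hashes the page lists


def salt_password(password, hash_name="SHA256", iterations=8192, salt=None):
    """RFC 5802 Hi(): PBKDF2-HMAC with output length equal to the digest size."""
    if hash_name not in HASHES:
        raise ValueError("hash must be SHA256 or SHA512")
    if not 4096 <= iterations <= 16384:
        raise ValueError("iterations must be between 4096 and 16384")
    if not password.isascii() or not password.isprintable():
        # SCRAM applies SASLprep first; it is the identity only for printable ASCII.
        raise ValueError("non-ASCII passwords need SASLprep, not handled here")
    # A fresh random salt per credential; the salt argument exists for reproducible tests.
    salt = secrets.token_bytes(16) if salt is None else salt
    salted = hashlib.pbkdf2_hmac(HASHES[hash_name], password.encode("ascii"), salt, iterations)
    return salt, salted


def admin_secret(name, username, password, hash_name="SHA256", iterations=8192, salt=None):
    """Build a Secret manifest with the keys from step 2 (base64 values are an assumption)."""
    salt, salted = salt_password(password, hash_name, iterations, salt)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "stringData": {
            "username": username,
            "salt": base64.b64encode(salt).decode(),
            "saltedPassword": base64.b64encode(salted).decode(),
        },
    }


if __name__ == "__main__":
    # Constructed sample values; the JSON output can be piped to `kubectl apply -f -`.
    manifest = admin_secret("bufstream-scram-admin", "admin", secrets.token_urlsafe(24))
    print(json.dumps(manifest, indent=2))
```

The hash and iteration count passed here must match the hash and iterations values set under adminCredentials, since the broker needs both to verify a client against the stored salted password.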

User Management

The SCRAM admin can manage other SCRAM users via the DescribeScramUserCredentials and AlterScramUserCredentials Kafka APIs.