I have setup the jaas config for kafka using sasl.jaas.config
property. I want to update this config and add users dynamically.
As per this doc - http://kafka.apache.org/11/documentation.html#dynamicbrokerconfigs, we can do that by using bin/kafka-configs.sh
.
The above doc has config column, which says as follow -
I have tried updating sasl.jaas.config
with below command:
bin/kafka-configs.sh --bootstrap-server localhost:9092 --entity-type brokers --entity-name 59 --alter --add-config sasl.jaas.config="KafkaServer {\n org.apache.kafka.common.security.plain.PlainLoginModule required\n username=\"myuser\"\n password=\"mypassword\";\n};\nClient {\n org.apache.zookeeper.server.auth.DigestLoginModule required\n username=\"myuser2\"\n password=\"mypassword2\";\n};"
But it gives me following error:
requirement failed: Invalid entity config: all configs to be added must be in the format "key=val"
If I look to above column, it says the format for value of sasl.jaas.config
property is (=)*
. What does this means?
How the value for 'sasl.jaas.config' should be passed to update jaas config dynamically?
While it's possible to dynamically update
sasl.jaas.config
to add more users, the default Plain login module is not intended to be used in production.Instead you should define callback handlers to handle authentication of users. This is described in the Kafka Sasl Plain docs.
Another option that requires more work (but give even more flexibility) is to create your own login module. The process is described in Can Kafka be provided with custom LoginModule to support LDAP?
Regarding the error message you get, this seems to be an issue with the
kafka-config.sh
tool. It's not expecting the config value to contain=
. You should be able to update that config using the AdminClient API.I couldn't find an existing issue in JIRA so created a new one: https://issues.apache.org/jira/browse/KAFKA-8010