Kafka is a distributed streaming platform widely used for building real-time data pipelines and streaming applications. Security is a critical aspect when deploying Kafka in production environments. One of the simplest ways to secure Kafka is by using SASL\/PLAIN authentication, which provides username-password based authentication between clients and Kafka brokers. Let us delve into understanding Kafka authentication using SASL\/PLAIN.<\/p>\n
Kafka is an open-source distributed event streaming platform<\/a> capable of handling trillions of events a day. It allows producers to send messages to topics, and consumers to read these messages in real time or batch mode. Kafka provides high throughput, fault tolerance, and scalability. <\/p>\n SASL (Simple Authentication and Security Layer<\/a>) is a framework that adds authentication support to connection-based protocols. SASL\/PLAIN is one mechanism under SASL that uses a simple username and password for client authentication. Though not encrypted by itself, SASL\/PLAIN is often used in conjunction with TLS<\/a> to protect credentials over the network. Using SASL\/PLAIN with Kafka, the client authenticates with the broker using a configured username and password, enabling controlled access to Kafka topics and operations.<\/p>\n Below is a detailed guide and configuration for running Kafka and Zookeeper using Docker Compose with SASL\/PLAIN authentication enabled. This setup enables Kafka brokers to require username-password authentication, improving the security of Kafka communications.<\/p>\n This Docker Compose configuration defines two services: Create a file named This Go to the Docker folder in the terminal and run this command to start the containers in the background:<\/p>\n This command will launch the Zookeeper service on port 2181 and the Kafka broker on ports 9092 (PLAINTEXT) and 9093 (SASL_PLAINTEXT), applying the SASL\/PLAIN authentication and authorization configurations as defined in the Docker Compose file and JAAS configuration file, thereby preparing a secured Kafka environment ready for client connections.<\/p>\n Kafka topics are like channels where producers send messages and consumers receive them. Before you can send or get messages, you must create the topic on the Kafka broker. To do this, log into the Kafka container and run the following command inside it:<\/p>\n Below is a detailed Spring Boot example demonstrating a Kafka producer and consumer configured to use SASL\/PLAIN authentication.<\/p>\n This Java Spring configuration class Define the JAAS configuration in This configuration snippet sets Kafka client properties in the Create a simple Kafka producer service. This Java Spring service class Create a Kafka consumer to listen on the topic. This Java Spring component class In the main application or a command line runner, send a test message.<\/p>\n When you run the application, this output appears on the console.<\/p>\n<\/a>2. Code Example<\/h2>\n
2.1 Setting Up Kafka on Docker with SASL\/PLAIN<\/h3>\n
\nversion: '3'\nservices:\n zookeeper:\n image: wurstmeister\/zookeeper:3.4.6\n ports:\n - \"2181:2181\"\n\n kafka:\n image: wurstmeister\/kafka:2.12-2.2.1\n ports:\n - \"9092:9092\"\n environment:\n KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181\n KAFKA_ADVERTISED_LISTENERS: PLAINTEXT:\/\/localhost:9092,SASL_PLAINTEXT:\/\/localhost:9093\n KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,SASL_PLAINTEXT:SASL_PLAINTEXT\n KAFKA_INTER_BROKER_LISTENER_NAME: SASL_PLAINTEXT\n KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: PLAIN\n KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.auth.SimpleAclAuthorizer\n KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: 'true'\n KAFKA_SUPER_USERS: User:admin\n KAFKA_OPTS: \"-Djava.security.auth.login.config=\/opt\/kafka\/config\/kafka_server_jaas.conf\"\n volumes:\n - .\/kafka_server_jaas.conf:\/opt\/kafka\/config\/kafka_server_jaas.conf\n depends_on:\n - zookeeper\n<\/pre>\n
zookeeper<\/code> and kafka<\/code>. The zookeeper<\/code> service uses the wurstmeister\/zookeeper:3.4.6<\/code> image and exposes port 2181 to allow Kafka to coordinate broker metadata and cluster state. The kafka<\/code> service uses the wurstmeister\/kafka:2.12-2.2.1<\/code> image, exposes port 9092 for client connections, and is configured to connect to the Zookeeper service at zookeeper:2181<\/code>. Kafka is set up with two listeners: a PLAINTEXT listener on port 9092 and a SASL_PLAINTEXT listener on port 9093, with the inter-broker communication secured using SASL\/PLAIN mechanism. It uses the SimpleAclAuthorizer<\/code> to control access with an open policy allowing everyone if no ACL is found, and designates the user admin<\/code> as a superuser. The configuration file for Java Authentication and Authorization Service (JAAS) is mounted into the container at runtime via a volume mount from the local file kafka_server_jaas.conf<\/code>. The Kafka service depends on Zookeeper to ensure proper startup order, allowing Kafka to rely on Zookeeper for distributed coordination. This setup facilitates a secure Kafka broker with SASL\/PLAIN authentication running alongside Zookeeper within Docker containers. <\/p>\n2.1.1 Server Configuration<\/h4>\n
kafka_server_jaas.conf<\/code> with the following content:<\/p>\n\nKafkaServer {\n org.apache.kafka.common.security.plain.PlainLoginModule required\n username=\"admin\"\n password=\"admin-secret\"\n user_admin=\"admin-secret\"\n user_alice=\"alice-secret\";\n};\n<\/pre>\nkafka_server_jaas.conf<\/code> file configures the Kafka broker’s JAAS (Java Authentication and Authorization Service) settings to enable SASL\/PLAIN authentication; it defines a KafkaServer<\/code> section using the PlainLoginModule<\/code> where the broker authenticates clients by matching usernames and passwords, specifying admin<\/code> as the principal username with its password admin-secret<\/code>, and also listing additional valid users such as admin<\/code> and alice<\/code> with their respective passwords admin-secret<\/code> and alice-secret<\/code>, allowing these users to connect securely to Kafka brokers using SASL\/PLAIN mechanism for authentication. 2.1.2 How to Run the Kafka and Zookeeper Docker Setup?<\/h4>\n
\ndocker-compose up -d\n<\/pre>\n
2.1.3 How to Create a Kafka Topic?<\/h4>\n
\nkafka-topics.sh --create \\\n --topic test-topic \\\n --bootstrap-server localhost:9092 \\\n --partitions 3 \\\n --replication-factor 1\n<\/pre>\n
2.2 Implement Kafka with SASL\/PLAIN Authentication in Spring Boot<\/h3>\n
\n@Configuration\npublic class KafkaConfig {\n\n @Value(\"${spring.kafka.bootstrap-servers}\")\n private String bootstrapServers;\n\n @Value(\"${spring.kafka.properties.sasl.jaas.config}\")\n private String jaasConfig;\n\n \/\/ Producer configuration\n @Bean\n public Map<String, Object> producerConfigs() {\n Map<String, Object> props = new HashMap<>();\n props.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, bootstrapServers);\n props.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, StringSerializer.class);\n props.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, StringSerializer.class);\n\n \/\/ Enable SASL\/PLAIN authentication\n props.put(\"security.protocol\", \"SASL_PLAINTEXT\");\n props.put(\"sasl.mechanism\", \"PLAIN\");\n props.put(\"sasl.jaas.config\", jaasConfig);\n\n return props;\n }\n\n @Bean\n public ProducerFactory<String, String> producerFactory() {\n return new DefaultKafkaProducerFactory<>(producerConfigs());\n }\n\n @Bean\n public KafkaTemplate<String, String> kafkaTemplate() {\n return new KafkaTemplate<>(producerFactory());\n }\n\n \/\/ Consumer configuration\n @Bean\n public Map<String, Object> consumerConfigs() {\n Map<String, Object> props = new HashMap<>();\n props.put(ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG, bootstrapServers);\n props.put(ConsumerConfig.KEY_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class);\n props.put(ConsumerConfig.VALUE_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class);\n props.put(ConsumerConfig.GROUP_ID_CONFIG, \"group_id\");\n props.put(ConsumerConfig.AUTO_OFFSET_RESET_CONFIG, \"earliest\");\n\n \/\/ Enable SASL\/PLAIN authentication\n props.put(\"security.protocol\", \"SASL_PLAINTEXT\");\n props.put(\"sasl.mechanism\", \"PLAIN\");\n props.put(\"sasl.jaas.config\", jaasConfig);\n\n return props;\n }\n\n @Bean\n public ConsumerFactory<String, String> consumerFactory() {\n return new DefaultKafkaConsumerFactory<>(consumerConfigs());\n }\n\n @Bean\n public ConcurrentKafkaListenerContainerFactory<String, String> kafkaListenerContainerFactory() {\n ConcurrentKafkaListenerContainerFactory<String, String> factory = \n new ConcurrentKafkaListenerContainerFactory<>();\n factory.setConsumerFactory(consumerFactory());\n return factory;\n }\n}\n<\/pre>\nKafkaConfig<\/code> sets up both Kafka producer and consumer with SASL\/PLAIN authentication; it reads the Kafka bootstrap server address and JAAS configuration string from properties, defines producer properties including bootstrap servers, serializers, and security settings for SASL\/PLAIN via security.protocol<\/code>, sasl.mechanism<\/code>, and sasl.jaas.config<\/code>, then creates a ProducerFactory<\/code> and a KafkaTemplate<\/code> bean for producing messages. Similarly, it defines consumer properties including deserializers, group ID, auto offset reset, and identical SASL\/PLAIN security configurations, followed by a ConsumerFactory<\/code> and a concurrent listener container factory bean to enable message consumption with secure authentication. This setup ensures that both Kafka producers and consumers connect securely to Kafka brokers using SASL\/PLAIN over the specified bootstrap servers in a Spring Boot application.<\/p>\n2.3 Setting up the configuration<\/h3>\n
application.properties<\/code>:<\/p>\n\nspring.kafka.bootstrap-servers=localhost:9093\n\nspring.kafka.properties.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username=\"alice\" password=\"alice-secret\";\n<\/pre>\n
application.properties<\/code> file for a Spring Boot application, specifying the Kafka broker address at localhost:9093<\/code> under spring.kafka.bootstrap-servers<\/code>, and defining the JAAS login module configuration string for SASL\/PLAIN authentication under spring.kafka.properties.sasl.jaas.config<\/code>; it uses the PlainLoginModule<\/code> with the required username alice<\/code> and password alice-secret<\/code>, ensuring the Kafka client authenticates securely with the broker using the SASL\/PLAIN mechanism, with special attention to properly escaping the double quotes in the properties file to avoid syntax errors during loading.<\/p>\n2.4 Producer Service<\/h3>\n
KafkaProducer<\/code> uses dependency injection to receive a KafkaTemplate<\/code> configured for sending string key-value messages, and provides a method sendMessage<\/code> that takes a Kafka topic name and a message string, then sends the message asynchronously to the specified topic using the kafkaTemplate.send()<\/code> method, followed by printing a confirmation to the console indicating the message content and target topic, enabling simple and reusable Kafka message production within a Spring application.<\/p>\n\n@Service\npublic class KafkaProducer {\n private final KafkaTemplate<String, String> kafkaTemplate;\n\n public KafkaProducer(KafkaTemplate<String, String> kafkaTemplate) {\n this.kafkaTemplate = kafkaTemplate;\n }\n\n public void sendMessage(String topic, String message) {\n kafkaTemplate.send(topic, message);\n System.out.println(\"Sent message: \" + message + \" to topic: \" + topic);\n }\n}\n<\/pre>\n2.5 Consumer Service<\/h3>\n
KafkaConsumer<\/code> listens to messages from the Kafka topic test-topic<\/code> within the consumer group group_id<\/code> using the @KafkaListener<\/code> annotation; the listen<\/code> method is triggered automatically whenever a new message arrives on the specified topic, receiving the message as a string parameter and printing it to the console, thus providing a simple way to consume and process Kafka messages asynchronously in a Spring application.<\/p>\n\n@Component\npublic class KafkaConsumer {\n\n @KafkaListener(topics = \"test-topic\", groupId = \"group_id\")\n public void listen(String message) {\n System.out.println(\"Received message: \" + message);\n }\n}\n<\/pre>\n2.6 Main Class<\/h3>\n
\n@SpringBootApplication\npublic class KafkaSaslPlainApplication implements CommandLineRunner {\n\n private final KafkaProducer kafkaProducer;\n\n public KafkaSaslPlainApplication(KafkaProducer kafkaProducer) {\n this.kafkaProducer = kafkaProducer;\n }\n\n public static void main(String[] args) {\n SpringApplication.run(KafkaSaslPlainApplication.class, args);\n }\n\n @Override\n public void run(String... args) throws Exception {\n kafkaProducer.sendMessage(\"test-topic\", \"Hello Kafka with SASL\/PLAIN!\");\n }\n}\n<\/pre>\n2.7 Code Run and Output<\/h3>\n
\n\/\/ Producer\nHello Kafka with SASL\/PLAIN! \n\n\/\/ Consumer \nReceived message: Hello Kafka with SASL\/PLAIN!\n<\/pre>\n