I have a working 3-node kafka kraft mode network. Everything works fine with no authentication. I am using new Kafka 3.6.
The node_id for the kraft controllers are "1000", "1001" and "1002".
There is a regular kafka broker with node_id "1".
I am trying to move that controller configuration to "scram-sha-256" authentication. The steps I did were:
- With the cluster unauthenticated, I created scram-sha-256 credentials for users "1000", "1001" and "1002", using "kafka-configs.sh". The credentials reached the quorum servers and were distributed to the entire cluster, as inspection of the "__cluster_metadata-0" storage files showed.
- I stopped the quorum servers and added this to the configuration of each one:
listeners=CONTROLLER://:9093
# A comma-separated list of the names of the listeners used by the controller.
# This is required if running in KRaft mode.
controller.listener.names=CONTROLLER
listener.security.protocol.map=CONTROLLER:SASL_PLAINTEXT
# Maps listener names to security protocols, the default is for them to be the same. See the config documentation for more details
#listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
# KIP-631
sasl.mechanism.controller.protocol=SCRAM-SHA-256
sasl.enabled.mechanisms=SCRAM-SHA-256
listener.name.controller.sasl.enabled.mechanisms=SCRAM-SHA-256
listener.name.controller.scram-sha-256.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="1001" password="XXXX";
- I launched the servers; they start fine and try to reach each other. Nevertheless, the authentication fails with this message:
org.apache.kafka.common.errors.SaslAuthenticationException:
Authentication failed during authentication due to invalid credentials with SASL mechanism SCRAM-SHA-256
- Checking with a sniffer (TLS encryption would be the next step, after authentication is solved) I see something strange: the connecting client sends the initial scram-sha-256 message, but it doesn't get the expected server nonce, only an immediate authentication error.
For example, one controller sends this (the expected initial client message):
n,,n=1001,r=3mgk0fnx45exolq50iej2o3vx
and the other replies with:
Authentication failed during authentication due to invalid credentials with SASL mechanism SCRAM-SHA-256
It looks as if the user were not recognized or the mechanism were not supported. I would expect a server handshake as described in RFC 5802.
Any help? Anybody with a similar configuration? Could anybody share their working configuration? Thanks.
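For readers who want to see what the RFC 5802 exchange the poster expects actually looks like, the following is an added, self-contained Python model of a SCRAM-SHA-256 client and server (it is not code from the question or from Kafka). It uses the user name "1001" from the capture above with a constructed placeholder password, derives the server-side StoredKey/ServerKey with PBKDF2-HMAC-SHA-256 as RFC 5802 specifies, and walks all four messages: client-first (the `n,,n=1001,r=...` shape seen in the capture), server-first (combined nonce, salt, iteration count), client-final (proof) and server-final (server signature). In this model the only way a peer answers client-first with an authentication error instead of server-first is that it could not find a stored credential for the user name in that message; the proof is never evaluated at that stage.

```python
"""Worked SCRAM-SHA-256 exchange (RFC 5802 / RFC 7677), both sides.
Added illustration; not part of the original question or of Kafka."""
import base64
import hashlib
import hmac
import secrets

# Constructed example credential: user "1001" is the name from the capture,
# the password is a placeholder chosen for this example only.
USER_DB = {"1001": "example-password"}


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _attrs(message: str) -> dict:
    # SCRAM attributes are "k=value" pairs separated by commas; the values used
    # here (base64url nonces, base64 salt) never contain a comma.
    return dict(part.split("=", 1) for part in message.split(","))


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # RFC 5802 Hi() is PBKDF2 with HMAC-SHA-256 as the PRF.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class ScramServer:
    """Stores salt, iteration count, StoredKey and ServerKey per user; never the password."""

    def __init__(self, user_db: dict, iterations: int = 4096):
        self.creds = {}
        for user, password in user_db.items():
            salt = secrets.token_bytes(16)
            sp = salted_password(password, salt, iterations)
            client_key = _hmac(sp, b"Client Key")
            self.creds[user] = {
                "salt": salt,
                "iterations": iterations,
                "stored_key": hashlib.sha256(client_key).digest(),
                "server_key": _hmac(sp, b"Server Key"),
            }

    def handle_client_first(self, client_first: str) -> str:
        """Returns server-first: combined nonce, salt and iteration count."""
        if not client_first.startswith("n,,"):
            raise ValueError("only the 'n,,' GS2 header (no channel binding) is modelled")
        self.client_first_bare = client_first[3:]
        attrs = _attrs(self.client_first_bare)
        cred = self.creds.get(attrs["n"])
        if cred is None:
            # No stored credential for this user: reject before any nonce is issued.
            raise PermissionError("invalid credentials")
        self.cred = cred
        # Server nonce extends the client nonce with fresh randomness (RFC 5802 5.1).
        self.nonce = attrs["r"] + secrets.token_urlsafe(18)
        self.server_first = f"r={self.nonce},s={_b64(cred['salt'])},i={cred['iterations']}"
        return self.server_first

    def handle_client_final(self, client_final: str) -> str:
        """Verifies ClientProof and returns server-final (v=ServerSignature)."""
        without_proof, proof_b64 = client_final.rsplit(",p=", 1)
        if _attrs(without_proof)["r"] != self.nonce:
            raise PermissionError("nonce mismatch")
        auth_message = f"{self.client_first_bare},{self.server_first},{without_proof}".encode()
        client_sig = _hmac(self.cred["stored_key"], auth_message)
        proof = base64.b64decode(proof_b64)
        client_key = bytes(a ^ b for a, b in zip(proof, client_sig))  # ClientProof XOR ClientSignature
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(), self.cred["stored_key"]):
            raise PermissionError("invalid credentials")
        return "v=" + _b64(_hmac(self.cred["server_key"], auth_message))


class ScramClient:
    def __init__(self, user: str, password: str):
        self.user, self.password = user, password
        self.cnonce = secrets.token_urlsafe(18)
        self.client_first_bare = f"n={user},r={self.cnonce}"

    def client_first(self) -> str:
        return "n,," + self.client_first_bare  # same shape as the captured message

    def client_final(self, server_first: str) -> str:
        attrs = _attrs(server_first)
        if not attrs["r"].startswith(self.cnonce):
            raise PermissionError("server nonce does not extend client nonce")
        sp = salted_password(self.password, base64.b64decode(attrs["s"]), int(attrs["i"]))
        client_key = _hmac(sp, b"Client Key")
        stored_key = hashlib.sha256(client_key).digest()
        without_proof = f"c={_b64(b'n,,')},r={attrs['r']}"  # c=biws is base64("n,,")
        auth_message = f"{self.client_first_bare},{server_first},{without_proof}".encode()
        client_sig = _hmac(stored_key, auth_message)
        proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
        self.expected_server_final = "v=" + _b64(_hmac(_hmac(sp, b"Server Key"), auth_message))
        return f"{without_proof},p={_b64(proof)}"

    def verify_server_final(self, server_final: str) -> bool:
        return hmac.compare_digest(server_final, self.expected_server_final)


def run_handshake(user: str, password: str, server: ScramServer) -> bool:
    """Drives all four messages; True on mutual success, False on any rejection."""
    client = ScramClient(user, password)
    try:
        server_first = server.handle_client_first(client.client_first())
        server_final = server.handle_client_final(client.client_final(server_first))
    except PermissionError:
        return False
    return client.verify_server_final(server_final)


if __name__ == "__main__":
    srv = ScramServer(USER_DB)
    print("correct password:", run_handshake("1001", "example-password", srv))
    print("wrong password:  ", run_handshake("1001", "not-the-password", srv))
```

Run it and the first line prints True and the second False; a wrong password is only detected at client-final, after the server has already sent its nonce and salt, which is the step missing from the capture in the question.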