I'm trying to set up Kafka and Zookeeper with SASL authentication. My goal is to be able to enable authentication for Kafka so I can manage it with Kafka UI. However, I have been struggling and cannot deploy them. These are the zookeeper and kafka services in docker-composer.yaml:
zookeeper:
  image: confluentinc/cp-zookeeper:7.4.4
  environment:
    ZOOKEEPER_CLIENT_PORT: 2181
    ZOOKEEPER_TICK_TIME: 2000
    KAFKA_OPTS:
      -Djava.security.auth.login.config=/tmp/zookeeper_server_jaas.conf
      -Dquorum.auth.enableSasl=true
      -Dquorum.cnxn.threads.size=20
      -Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
      -DjaasLoginRenew=3600000
      -DrequireClientAuthScheme=sasl
  volumes:
    - ./zookeeper_server_jaas.conf:/tmp/zookeeper_server_jaas.conf
  ports:
    - 22181:2181
kafka:
  image: confluentinc/cp-kafka:7.4.4
  depends_on:
    - zookeeper
  ports:
    - 29092:29092
  environment:
    KAFKA_BROKER_ID: 1
    KAFKA_LISTENERS: SASL_PLAINTEXT://:9092
    KAFKA_ADVERTISED_LISTENERS: SASL_PLAINTEXT://localhost:9092
    KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
    KAFKA_OPTS:
      -Djava.security.auth.login.config=/tmp/kafka_server_jaas.conf
      -Dquorum.auth.enableSasl=true
    KAFKA_INTER_BROKER_LISTENER_NAME: SASL_PLAINTEXT
    KAFKA_SASL_ENABLED_MECHANISMS: PLAIN
    KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: PLAIN
    KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
  volumes:
    - ./kafka_server_jaas.conf:/tmp/kafka_server_jaas.conf
These are my configuration files:

zookeeper_server_jaas.conf

Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_admin="admin-secret";
};

kafka_server_jaas.conf

KafkaServer {
    org.apache.kafka.common.security.scram.ScramLoginModule required
    username="client"
    password="clientpwd"
    user_client="clientpwd";
};
Client {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="admin"
    password="admin-secret";
};
The Kafka container will stop immediately with error:
ERROR SASL authentication failed using login context 'Client'. (org.apache.zookeeper.client.ZooKeeperSaslClient)
javax.security.sasl.SaslException: Error in authenticating with a Zookeeper Quorum member: the quorum member's saslToken is null.
And the Zookeeper container keeps running, but it logs:
ERROR cnxn.saslServer is null: cnxn object did not initialize its saslServer properly. (org.apache.zookeeper.server.ZooKeeperServer)
I tried adding command: ["tail", "-f", "/dev/null"] to check whether the conf files are properly mounted, and they appeared to be in the container directory /tmp/. I did a lot of online research related to this problem, but nothing worked for me.
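
A consistency check for the two JAAS files and KAFKA_SASL_ENABLED_MECHANISMS above, as an added example that is not part of the original post: it compares each section's login module with the mechanism or peer section it has to serve. The helper names and the one-login-module-per-section parser are assumptions of this sketch, and the sample strings are constructed from the question's files.

```python
import re

# Added example; parse_jaas() and check() are hypothetical helper names.
# Kafka login module class expected for each broker SASL mechanism.
KAFKA_MODULES = {
    "PLAIN": "org.apache.kafka.common.security.plain.PlainLoginModule",
    "SCRAM-SHA-256": "org.apache.kafka.common.security.scram.ScramLoginModule",
    "SCRAM-SHA-512": "org.apache.kafka.common.security.scram.ScramLoginModule",
}

def parse_jaas(text):
    """Map each JAAS section name to its login module class.
    Assumes one login module per section and no ';' inside option values."""
    pattern = r"(\w+)\s*\{\s*([\w.$]+)\s+\w+[^;]*;\s*\}\s*;"
    return {m.group(1): m.group(2) for m in re.finditer(pattern, text)}

def check(zk_jaas, kafka_jaas, enabled_mechanisms):
    """Return findings where login modules and SASL mechanisms disagree."""
    zk, kafka = parse_jaas(zk_jaas), parse_jaas(kafka_jaas)
    findings = []
    # Broker side: KafkaServer must use the module of an enabled mechanism.
    allowed = {KAFKA_MODULES[m] for m in enabled_mechanisms if m in KAFKA_MODULES}
    if kafka.get("KafkaServer") not in allowed:
        findings.append("KafkaServer module does not match KAFKA_SASL_ENABLED_MECHANISMS")
    # ZooKeeper side: the broker's Client section logs in to ZooKeeper's
    # Server section, so both must name the same login module.
    if kafka.get("Client") != zk.get("Server"):
        findings.append("Client module differs from ZooKeeper Server module")
    return findings

# Constructed sample input mirroring the two JAAS files in the question.
ZK_JAAS = '''Server {
  org.apache.zookeeper.server.auth.DigestLoginModule required
  user_admin="admin-secret";
};'''
KAFKA_JAAS = '''KafkaServer {
  org.apache.kafka.common.security.scram.ScramLoginModule required
  username="client" password="clientpwd" user_client="clientpwd";
};
Client {
  org.apache.kafka.common.security.plain.PlainLoginModule required
  username="admin" password="admin-secret";
};'''

if __name__ == "__main__":
    for finding in check(ZK_JAAS, KAFKA_JAAS, ["PLAIN"]):
        print("MISMATCH:", finding)
```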