spham closed this issue 2 years ago
Hi @spham, sorry for the delay. No, this Ansible role does not include all possible configuration files for all the security mechanisms. You will need to provide your own configuration file if you’re using SASL. You can point to this file by adding the configuration property and path to your file as another env var named “KAFKA_OPTS” as an “Environment” line in the templates/kafka.service.j2 file.
I believe this configuration can also be inlined within the broker's configuration file.
Did this answer your question? I may have some further examples of this so let me know.
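An added example, not part of the original thread or the role's own files: a broker `server.properties` for a SASL_SSL listener with the JAAS configuration inlined, plus the external-file alternative via `KAFKA_OPTS` shown in comments. It assumes SASL/SCRAM with a broker credential that already exists; the hostname, port, file paths, and the `<...>` values are placeholders.

```properties
# server.properties (broker) -- constructed example; hostname, paths and
# <...> values are placeholders, not values from this role.

# Listener that requires TLS plus SASL authentication
listeners=SASL_SSL://0.0.0.0:9093
advertised.listeners=SASL_SSL://broker1.example.internal:9093
security.inter.broker.protocol=SASL_SSL

# SASL mechanism (SCRAM is an assumption made for this example)
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512

# TLS key material for the listener
ssl.keystore.location=/etc/kafka/ssl/broker1.keystore.jks
ssl.keystore.password=<KEYSTORE_PASSWORD>
ssl.key.password=<KEY_PASSWORD>
ssl.truststore.location=/etc/kafka/ssl/truststore.jks
ssl.truststore.password=<TRUSTSTORE_PASSWORD>

# Inline JAAS configuration, scoped to this listener and mechanism.
# With this property set, no separate JAAS file is needed for the broker login.
listener.name.sasl_ssl.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
  username="<BROKER_USER>" \
  password="<BROKER_PASSWORD>";

# Alternative: keep the JAAS section in its own file and point the JVM at it
# with one extra line in templates/kafka.service.j2:
#
#   Environment="KAFKA_OPTS=-Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf"
#
# where /etc/kafka/kafka_server_jaas.conf (assumed path) contains:
#
#   KafkaServer {
#     org.apache.kafka.common.security.scram.ScramLoginModule required
#     username="<BROKER_USER>"
#     password="<BROKER_PASSWORD>";
#   };
```

Whichever file ends up holding the credentials should be readable only by the account the Kafka service runs as.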
If you have an example in sasl_ssl, I'm interested.
I have located some detailed content I had a while back, but there are various combinations of things. For example, SASL/SCRAM vs SASL/GSSAPI (Kerberos), and ZooKeeper with secured ACLs vs not, etc. What might be helpful is knowing what your current ZooKeeper authentication and config is, to see what is required from the Kafka broker side. For example, do you have the Kafka configuration you need but it is just a question of how to provide that at runtime due to errors about a missing JAAS file? You mention you have SSL, so one possible configuration is specifying the brokers as super users, with the full DN from each broker's certificate used as the principal; I have examples of this as well. Is the ZooKeeper configuration fine, and is it just the Kafka stuff that needs to be created? Just wanting to know what I should be targeting at a high level so I can direct you to the right place vs replicating docs and config for all use cases here.
OK, thank you.
Hi, just a question: it seems that loading the JAAS file for connecting to ZooKeeper is missing in OPTS when starting kafka-server-start.sh?