> some of our clients use OAuth and some use cert-based auth
Hi Senthil.  Brokers support different clients using different types
of authentication, so there is no problem here.  The way it works is
via the broker's listener -- each one listens on a separate port and
is either an SSL listener (mutual cert authentication), a SASL listener
(of which there are two styles, with and without encryption -- more on
that below), or a PLAINTEXT listener (no authentication).  One thing
to clarify is that any particular client cannot authenticate with
multiple identities -- Kafka does not support multiple identities on a
single session -- so if the client connects on the port associated
with SASL then the broker will ignore any client-side certificate.  As
mentioned, there are two types of listeners associated with SASL: one
called SASL_PLAINTEXT where the communication happens in the clear and
another called SASL_SSL where the communication is TLS-encrypted.  It
is this second case -- SASL_SSL -- where the client could potentially
present a certificate, but the broker ignores it in this case even if
the broker's config says it is required.  This is done because of the
constraint mentioned above -- a particular client can authenticate
with at most one identity over any single connection.

I hope this helps.  You may find the blog post at
https://www.confluent.io/blog/kafka-listeners-explained to be
interesting and helpful, too.

Ron

On Wed, Jan 22, 2020 at 2:07 AM Senthilnathan Muthusamy
<senth...@microsoft.com.invalid> wrote:
>
> Hi,
>
> We want both SASL (oAuthBearer) & SSL authentication to be enabled. However 
> based on the below doc, the SSL auth will be disabled if SASL is enabled.
>
> https://docs.confluent.io/current/kafka/authentication_ssl.html#brokers
>
>
> If any SASL authentication mechanisms are enabled for a given listener, then
> SSL client authentication is disabled, even if you have specified
> ssl.client.auth=required, and the broker authenticates clients only using SASL
> on that listener.
>
> How can we have both SASL & SSL authentication enabled, as some of our clients
> use OAuth and some use cert-based auth?
>
> Appreciate any pointers.
>
> Thanks,
> Senthil
