Re: securing sasl/scram username and password in kafka connect

Mon, 07 Mar 2022 12:26:21 -0800 

Hi Chris,
I was getting an unauthorized/authentication error message when I was
trying it out last Friday.  I tried looking for the exact message in the
connect.log.* files but was not very successful.  In my connector file, I
have

{
 "name":"blah",
 "config": {
     ...
     ...
     "database.history.producer.sasl.jaas.config":
"org.apache.kafka.common.security.scram.ScramLoginModule required
username=\"000\" password=\"000000\";",
     ...
  }
}

I changed the database.history.producer.sasl.jaas.config to:

"database.history.producer.sasl.jaas.config":
"org.apache.kafka.common.security.scram.ScramLoginModule required
username="${file:/path/file.pro:user"} password="${file:/path/file.pro:
password}";",

On Mon, Mar 7, 2022 at 9:46 AM Chris Egerton <fearthecel...@gmail.com>
wrote:

> Hi Men,
>
> The config provider mechanism should work for every property in a connector
> config, and every property in a worker config except for the plugin.path
> property (see KAFKA-9845 [1]). You can also use it for only part of a
> single property, or even multiple parts, like in this example (assuming a
> config provider named "file"):
>
> sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule
> required username="${file:/some/file.properties:username}"
> password="${file:/some/file.properties:password}"
>
> What sorts of errors are you seeing when trying to use a config provider
> with sasl/scram credentials?
>
> [1] - https://issues.apache.org/jira/browse/KAFKA-9845
>
> Cheers,
>
> Chris
>
> On Mon, Mar 7, 2022 at 10:35 AM Men Lim <zulu...@gmail.com> wrote:
>
> > Hi all,
> >
> > recently, I found out about
> >
> > config.providers=file
> >
> >
> >
> config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider
> >
> > This works great to remove our embedded database password into an
> external
> > file.  However, it does not work when I tried to do the same thing with
> the
> > sasl/scram username and password found in the distributor or connector
> file
> > for kafka connect:
> >
> > sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule
> > required \
> > username="000" password="some_password";
> >
> > I was wondering if there's a way to secure these passwords as well?
> >
> > Thanks,
> >
>

Reply via email to