cp-ansible

Default Password for sasl_plain_users

Open srkpers opened this issue 2 years ago • 2 comments

I am deploying Confluent Platform using Ansible playbooks and using Confluent community edition ver 7.0.1. I am trying to incorporate custom passwords for the sasl_plain_users and any other principal which is getting configured by the Ansible playbooks for Confluent components such as zookeeper, broker, schema registry, connect, kafka rest and ksql. For example, the default password for principal "kafka" is "admin-secret". I am trying to change the password to "admin-abcxyz" and similarly have custom passwords for other principals.

Here is the zookeeper jaas config file which has password as "admin-secret" for principal "admin". Can I change the password to "admin-abcxyz" by introducing some variable in the inventory file?

$ cat zookeeper_jaas.conf
Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_admin="admin-secret"
    user_kafka_broker="kafka_broker-secret";
};

QuorumServer {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_admin="admin-secret";
};

QuorumLearner {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="admin"
    password="admin-secret";
};
$

Similarly the Kafka server jaas config file has password as "kafka_broker-secret" for principal "kafka_broker". Need to change the password to let us say "kafka_broker-abcxyz".

$ cat kafka_server_jaas.conf
Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="kafka_broker"
    password="kafka_broker-secret";
};
[kafkaadm@etsakci1s001 kafka]$

srkpers, Mar 08 '22 06:03

Hi @srkpers,

You can try something like that, I think it works:

sasl_plain_users:
    admin:
        principal: "admin"
        password: "123"
    kafka_connect:
        principal: "kafka_connect"
        password: "azerty"
    # ... Same for client, schema_registry, kafka_rest, ksql, control_center and kafka_connect_replicator

If you use digest zookeeper authentication, you can override this variable zookeeper_digest_users with the same syntax. Example:

zookeeper_digest_users:
  admin:
    principal: admin
    password: admin-secret
  kafka_broker:
    principal: kafka_broker
    password: kafka_broker-secret

Kr,

LGouellec, Jun 09 '22 10:06
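
A check that can be run after applying overrides like those in the comment above, to confirm that no rendered JAAS file still carries a default-pattern password. This is an added example, not part of the thread or of cp-ansible; the `<principal>-secret` pattern is an assumption inferred from the two defaults quoted in the issue, and the function names are hypothetical.

```python
import re

# Constructed sample mirroring the JAAS layout quoted in the issue; the
# QuorumLearner password has been changed, the Server entries are still defaults.
SAMPLE_JAAS = '''
Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_admin="admin-secret"
    user_kafka_broker="kafka_broker-secret";
};
QuorumLearner {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="admin"
    password="admin-abcxyz";
};
'''

SECTION_RE = re.compile(r'(\w+)\s*\{(.*?)\}\s*;', re.S)   # Name { ... };
OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')          # key="value"


def jaas_credentials(text):
    """Yield (section, principal, password) for every credential in a JAAS file."""
    for section, body in SECTION_RE.findall(text):
        options = OPTION_RE.findall(body)
        client = dict(options)
        # Server-side entries: user_<principal>="<password>"
        for key, value in options:
            if key.startswith("user_"):
                yield section, key[len("user_"):], value
        # Client-side entries: username="..." password="..."
        if "username" in client and "password" in client:
            yield section, client["username"], client["password"]


def default_passwords(text):
    """Return (section, principal) pairs whose password is '<principal>-secret'.

    Assumption: that pattern is inferred from the defaults quoted in the issue
    (admin-secret, kafka_broker-secret), not taken from cp-ansible's source.
    """
    return [(s, p) for s, p, pw in jaas_credentials(text) if pw == f"{p}-secret"]


if __name__ == "__main__":
    for section, principal in default_passwords(SAMPLE_JAAS):
        print(f"{section}: principal {principal!r} still has a default password")
```
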

Thanks @LGouellec. @srkpers, can you please confirm if the above suggestion works for you?

nsharma-git, Jul 01 '22 11:07

Closing this issue as we haven't heard back from the filer. Please reopen if there is any concern. Thanks!

nsharma-git, Feb 20 '23 10:02