Skip to main content
Version: 23.1

Configure SASL for Redpanda in Kubernetes

Loading...

Simple Authentication and Security Layer (SASL) is a framework for adding authentication support to connection-based protocols. In the Redpanda Helm chart, enabling SASL provides authentication between all Redpanda brokers and clients. For example, you can give clients a username and password for authentication as well as restrict their access to the cluster through access control lists (ACLs).

note

For secure authentication, you must use TLS encryption. TLS is enabled in the Helm chart by default.

Supported authentication mechanisms

The Redpanda Helm chart supports SASL/SCRAM (Salted Challenge Response Authentication Mechanism), also known as SCRAM.

SCRAM provides strong encryption for usernames and passwords by default and does not require an external data store for user information. Redpanda supports SCRAM-SHA-256 and SCRAM-SHA-512 authentication mechanisms.

The Helm chart does not currently support Kerberos authentication.

Enable SASL

Enable SASL for the cluster and create a superuser that can grant permissions to additional users through ACLS.

To create one or more superusers, you must define the following credentials:

  • Username
  • Password

You can also set the authentication mechanism for each superuser. Or, you can set the default authentication mechanism for all superusers in the auth.sasl.mechanism configuration. This default authentication mechanism is applied to all superusers that don't include an authentication mechanism.

You can define these credentials in Secrets or in YAML list items.

note

For default values and documentation for configuration options, see the values.yaml file.

Use Secrets

To use a Secret to store superuser credentials, do the following:

  1. Create a file in which to store the credentials. Make sure to include an empty line at the end of the file.

    echo '<superuser-name>:<superuser-password>:<superuser-authentication-mechanism>' >> superusers.txt

    Replace the following placeholders with your own values for the superuser:

    • <superuser-name>
    • <superuser-password>
    • <superuser-authentication-mechanism> (SCRAM-SHA-256 or SCRAM-SHA-512)

  2. Use the file to create a Secret in the same namespace as your Redpanda cluster.

    kubectl create secret generic redpanda-superusers -n redpanda --from-file=superusers.txt

  3. Enable SASL and create the superuser using your Secret:

    enable-sasl.yaml
    auth:
      sasl:
        enabled: true
        secretRef: "redpanda-superusers"
        users: null
    helm upgrade --install redpanda redpanda/redpanda -n redpanda --create-namespace \
      --values enable-sasl.yaml --reuse-values
    note

    For default values and documentation for configuration options, see the values.yaml file.

Use a YAML list

To use a YAML list item to store superuser credentials in configuration settings, do the following.

Replace the following placeholders with your own values for the superuser:

  • <superuser-name>
  • <superuser-password>
  • <superuser-authentication-mechanism> (SCRAM-SHA-256 or SCRAM-SHA-512)
important

If you have an existing Secret in your redpanda namespace called redpanda-superusers, make sure to either delete that Secret or replace auth.sasl.secretRef in these examples with the name of a Secret that doesn't currently exist in the namespace.

When you use a YAML list to specify superusers, the Helm chart creates a Secret using the value of auth.sasl.secretRef as the Secret's name, and stores those superusers in the Secret as a TXT file. If the Secret already exists in the namespace when you deploy Redpanda, the following error is displayed:

Error: UPGRADE FAILED: rendered manifests contain a resource that already exists. Unable to continue with update: Secret

enable-sasl.yaml
auth:
  sasl:
    enabled: true
    secretRef: redpanda-superusers
    users:
      - name: <superuser-name>
        password: <superuser-password>
        mechanism: <superuser-authentication-mechanism>
helm upgrade --install redpanda redpanda/redpanda -n redpanda --create-namespace \
  --values sasl-enable.yaml --reuse-values
note

For default values and documentation for configuration options, see the values.yaml file.

Create users

When you have SASL enabled for your Redpanda cluster and you have at least one superuser, you can create new users that are not superusers. By default, these users don't have any permissions in the cluster.

tip

As a security best practice, superusers should not run commands on the cluster. Instead, run commands as new users.

To create the user myuser with a password changethispassword, run rpk acl user create:

kubectl exec -n redpanda -c redpanda redpanda-0 -- \
  rpk acl user create myuser -p 'changethispassword' \
  --admin-api-tls-enabled \
  --admin-api-tls-truststore <path-to-admin-api-ca-certificate> \
  --api-urls <broker-url>:<admin-api-port>
tip

Put passwords in single quotes to avoid conflicts with special characters. Enclosing characters in single quotes preserves the literal value of each character.

Grant permissions

By default, new users don't have any permissions in the cluster. The superuser can grant permissions to new users through ACLs.

  1. Use the rpk acl create command to grant create and describe permissions to myuser in the cluster:

    kubectl exec -n redpanda -c redpanda redpanda-0 -- \
      rpk acl create --allow-principal User:myuser \
      --operation create,describe \
      --cluster \
      --user <superuser-name> \
      --password '<superuser-password>' \
      --sasl-mechanism <superuser-authentication-mechanism> \
      --tls-enabled \
      --tls-truststore <path-to-ca-certificate> \
      --brokers <broker-urls>
    note

    A user must be explicitly granted describe privileges for topics. Even if a user has describe privileges for a cluster, it does not mean that the user is automatically granted describe privileges for a specific topic.

  2. Grant the new user permissions for a specific topic. The following command grants describe privileges to a topic called myfirsttopic:

    kubectl exec -n redpanda -c redpanda redpanda-0 -- \
      rpk acl create --allow-principal User:myuser \
      --operation describe \
      --topic myfirsttopic \
      --user <superuser-name> \
      --password '<superuser-password>' \
      --sasl-mechanism <superuser-authentication-mechanism> \
      --tls-enabled \
      --tls-truststore <path-to-ca-certificate> \
      --brokers <broker-url>:<kafka-api-port>

Use rpk to authenticate to Redpanda using SASL

Authenticate a new user to Redpanda with the user's credentials to start working with the cluster.

note

The --sasl-mechanism flag is required. This flag tells rpk the authentication method to use to authenticate the user.

To create a topic, run rpk topic create:

kubectl exec -n redpanda -c redpanda redpanda-0 -- \
  rpk topic create myfirsttopic \
  --user myuser \
  --password 'changethispassword' \
  --sasl-mechanism SCRAM-SHA-256 \
  --tls-enabled \
  --tls-truststore <path-to-ca-certificate> \
  --brokers <broker-url>:<kafka-api-port>

To describe the topic, run rpk topic describe:

kubectl exec -n redpanda -c redpanda redpanda-0 -- \
  rpk topic describe myfirsttopic \
  --user myuser \
  --password 'changethispassword' \
  --sasl-mechanism SCRAM-SHA-256 \
  --tls-enabled \
  --tls-truststore <path-to-ca-certificate> \
  --brokers <broker-url>:<kafka-api-port>

Suggested reading

  • Learn more about ACLs.
  • See the rpk acl command reference.

What do you like about this doc?




Optional: Share your email address if we can contact you about your feedback.

Let us know what we do well:
Ask in the community
Make a contribution