Users with SASL + SSL

[fsouza-bux]

Started to test a strimzi in order to migrate our current kafka deployments to it, and just noticed one thing regarding the listeners / users authentication.
We are mainly using SASL_SSL for the current listeners, so we use both SCRAM + TLS/SSL.
We got to push the listeners already in strimzi as SASL_SSL with the following below:

      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: scram-sha-512

But it seems that with the current resource for the KafkaUser, either the auth is SCRAM or TLS, and by consequence the secret for the user ends up creating or the SCRAM auth or the whole set of certs and keys for the user.

Is there any way to use the resource to create a user + secret with both auth modes?

Thanks

[scholzj]

The configuration you have above is basically just TLS encryption and SCRAM-SHA-512 client authentication. So the users do not need any TLS certificates to authenticate. They just need to have a truststore from the <cluster-name>-cluster-ca-cert secret and the SCRAM-SHA-512 username and password from the user secret.

Strimzi does not support combining both TLS Client Authentication and SCRAM on the same listener (and I'm not 100% sure if Kafka supports it - but I guess it does if you use it ... out of curiosity, what would be the principal of such user after it connects?).

[fsouza-bux]

thanks for the reply!
So mainly we can push the user as auth scram only, and the truststore from the -cluster-ca-cert! I'll give it a try!
Not sure what was the rationale about using both in the current cluster, and I'm not the most experienced Kafka person as well to bring you clarifications on that, sorry. Our listeners are always now SASL_SSL protocol, juts like below:

listeners=EXTERNAL://:9094,PLAIN://:9092
listener.security.protocol.map=PLAIN:SASL_SSL,EXTERNAL:SASL_SSL

And for example a consumer: (the same would apply to a producer, it's python in this case but using the certificate / truststore as any java app):

settings = {
    'security.protocol': 'SASL_SSL',
    'sasl.mechanisms': 'SCRAM-SHA-512',
    'sasl.username': 'user',
    'sasl.password': 'password',
    'ssl.ca.location': '/path/ca.pem'
}

[fsouza-bux]

Sorry understood, your answer now. The auth is anyway scram, but of course over encryption using the ca certs from the kafka cluster. sorry i think i misunderstood the concept as well of the auth + ssl encryption there.

[scholzj]

Yeah, I think from the consumer configuration that what you need is exactly what you have in the Strimzi configuration up top. So I just misunderstood the question as that you want to both TLS Client Authentication and SCRAM-SHA. But the consumer config has just TLS encryption. So you should just take the password from the KafkaUser secret and the ca.crt from the <cluster-name>-cluster-ca-cert as your ca.pem and I think you should be good.