SASL Authentication
Simple Authentication and Security Layer for client authentication.
Supported Mechanisms
| Mechanism | Security | Use Case |
|---|---|---|
| PLAIN | Low | Development, internal |
| SCRAM-SHA-256 | High | Production |
| SCRAM-SHA-512 | Highest | High security |
Configuration
PLAIN
Simple username/password:
{
"Surgewave": {
"Security": {
"SaslEnabled": true,
"SaslMechanisms": ["PLAIN"],
"Users": [
{ "Username": "admin", "Password": "admin-secret" },
{ "Username": "producer", "Password": "prod-secret" },
{ "Username": "consumer", "Password": "cons-secret" }
]
}
}
}
SCRAM-SHA-256
Salted Challenge Response:
{
"Surgewave": {
"Security": {
"SaslEnabled": true,
"SaslMechanisms": ["SCRAM-SHA-256"],
"ScramCredentialsFile": "/config/credentials.json"
}
}
}
Credentials file format:
{
"users": [
{
"username": "admin",
"password": "admin-secret",
"iterations": 4096
},
{
"username": "app",
"password": "app-secret",
"iterations": 4096
}
]
}
SCRAM-SHA-512
Same as SCRAM-SHA-256 with stronger hash:
{
"Surgewave": {
"Security": {
"SaslMechanisms": ["SCRAM-SHA-512"]
}
}
}
Client Configuration
Surgewave.Client
SASL authentication is configured at the broker level. Native clients connect normally:
await using var client = new SurgewaveNativeClient("localhost", 9092);
await client.ConnectAsync();
Confluent.Kafka
var config = new ProducerConfig
{
BootstrapServers = "localhost:9092",
SecurityProtocol = SecurityProtocol.SaslPlaintext,
SaslMechanism = SaslMechanism.ScramSha256,
SaslUsername = "app",
SaslPassword = "app-secret"
};
SASL Handshake
sequenceDiagram
participant Client
participant Server
Client->>Server: SaslHandshake(SCRAM-SHA-256)
Server-->>Client: SaslHandshake Response
Client->>Server: SaslAuthenticate(client-first)
Server-->>Client: SaslAuthenticate(server-first)
Client->>Server: SaslAuthenticate(client-final)
Server-->>Client: SaslAuthenticate(success)
User Management
Add User
# Add to credentials file
{
"username": "newuser",
"password": "password",
"iterations": 4096
}
CLI (Future)
surgewave users add newuser --password secret
surgewave users list
surgewave users delete olduser
Anonymous Access
Allow during migration:
{
"Surgewave": {
"Security": {
"SaslEnabled": true,
"AllowAnonymous": true
}
}
}
Troubleshooting
Authentication Failed
Error: Authentication failed for user 'app'
- Verify username/password
- Check credentials file format
- Ensure mechanism matches
Unsupported Mechanism
Error: Unsupported SASL mechanism
- Check
SaslMechanismsin server config - Verify client uses supported mechanism
Best Practices
- Use SCRAM over PLAIN in production
- Strong passwords - Min 16 characters
- Separate accounts - Per application
- Audit logins - Monitor auth events