SASL Authentication

SASL Authentication uses usernames and passwords to authenticate your Kafka clients. By default Kafka clients communicating with WarpStream Agents use PLAINTEXT, meaning that all data is sent in plain text (unencrypted), this includes the SASL usernames and passwords.

When using SASL it is recommended to

The WarpStream Agents support SASL/PLAIN and SASL/SCRAM-SHA-512 for communication.

Configure WarpStream Agents

Set the requireSASLAuthentication flag or WARPSTREAM_REQUIRE_SASL_AUTHENTICATION=true environment variable on the Agents.

Once authentication is enabled on the Agents, they will enforce that all Apache Kafka clients that connect to them authenticate themselves via SASL. Improperly authenticated clients will be unable to connect.

Creating Credentials

In order to connect an Apache Kafka client to the authenticated WarpStream Agent, you'll need to create a set of credentials. You can do that by navigating to the and then clicking "Credentials" within the Virtual Cluster that you want to create a set of credentials for.

Once you're on the credentials view, you can create a new set of SASL credentials by clicking the "Create Credentials" button.

Insert the name that you want the credential to have, check super user if desired, click Create Credentials

Once you're done creating the credentials, the admin console will show you the username and password one time. Store these values somewhere safe, as you'll never be able to view them again. WarpStream does not store them in plaintext, so we cannot retrieve them for you.

In the case that you lose your credentials, you can create a new set of credentials in the admin console following the same steps as above, up to a limit of 100 credentials.

Configure Kafka clients

For configuring SASL in your Kafka clients it is recommended to review the documentation for your Kafka client. Every Kafka client configures SASL differently and those configurations may change version to version.