How to Set Up Authentication in Kafka Cluster

In the previous article, we have set up the Zookeeper and Kafka cluster and we can produce and consume messages.

In this article, we will do the authentication of Kafka and Zookeeper so if anyone wants to connect to our cluster must provide some sort of credential.

We have 3 Virtual machines running on Amazon EC2 instances and each machine are running Kafka and Zookeeper.

Here is the authentication mechanism Kafka provides.

  1. Authentication using SSL.
  2. Authentication using SASL.

In this article, we will use Authentication using SASL. In SASL, we can use the following mechanism.

  • GSSAPI (Kerberos)
  • SCRAM-SHA-256
  • SCRAM-SHA-512

For the sake of simplicity, we will use PLAIN authentication mechanism. However, for production is recommended to use SASL with SSL to avoid exposure of sensitive data over the network.
Here is what we are going to do:

  • Zookeeper authentication.
  • Broker authentication.

We will secure our zookeeper servers so that the broker can connect to it securely. We will also do the broker authentication for our clients.

Let’s begin the configuration.

We will do zookeeper authentication first. On each Server running Zookeeper, create the file named zookeeper_jaas.conf on config directory.

Log in to the server and switch to the Kafka directory.

$ vi config/zookeeper_jaas.conf

Then add the following config values.

Server { required

Change the values based on your needs.

Open the file and add the following values.


After saving the file. Run this command.

$ export KAFKA_OPTS=""

Repeat the same steps on each server running Zookeeper.

Now let’s do the Kafka authentication.

Log in to each server running Kafka and switch to the Kafka directory.

create a file named kafka_server_jaas.conf in the config directory.

$ vi config/kafka_server_jaas.conf

Add the following values.

KafkaServer { required

Client { required

After saving the file, we need to edit the Kafka server properties.

Add the following values in the config/ file.


Then run this command.

$ export KAFKA_OPTS=""

Repeat the same steps on each Server running Kafka.

Restarting the cluster

Restart Zookeeper on each server.

$ bin/ config/

Restart the Kafka on each server.

$ bin/ config/

Your Kafka cluster is now secure. Refer the code below.

Connecting to Kafka using SASL Auth

Refer this Node code to connect to Kafka using SASL auth.

var kafka = require('kafka-node'),
Consumer = kafka.Consumer,
client = new kafka.KafkaClient({
  kafkaHost: ':9092,:9093,:9094',
  sasl: {mechanism: 'plain', username: 'admin', password: '12345'}
consumer = new Consumer(
  [{ topic: 'test', partition: 0 }],
   autoCommit: false

consumer.on('message', function (message) {

When you run this code, you will receive messages if exists from the test topic in your console.

That’s it. We have completed the Kafka cluster authentication using SASL.

This article is a part of a series, check out other articles here:

1: What is Kafka
2: Setting Up Zookeeper Cluster for Kafka in AWS EC2
3: Setting up Multi-Broker Kafka in AWS EC2
4: Setting up Authentication in Multi-broker Kafka cluster in AWS EC2
5: Setting up Kafka management for Kafka cluster
6: Capacity Estimation for Kafka Cluster in production
7: Performance testing Kafka cluster


Founder of Codeforgeek. Technologist. Published Author. Engineer. Content Creator. Teaching Everything I learn!

Articles: 126