which authentication protocol should I choose for SASL-scram-sha-512 and SSL?

[barryzhounb]

In our project, we have an app outside of OCP that access Strimizi cluster, now we have implemented external routes via port 443 to access kafka topics.

Basically, I understand there are two kinds of authentication and authorization - SASL and SSL.

This is SASL with scram-sha-512, it needs trustore, user name and password for authentication.

security.protocol=SASL_SSL
ssl.trustmanager.algorithm=PKIX
ssl.truststore.location=truststore.jks
ssl.keystore.type=JKS
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username=xxxx password=xxxxxxxx;
sasl.mechanism=SCRAM-SHA-512
ssl.enabled.protocols=TLSv1.2
ssl.protocol=TLS
ssl.endpoint.identification.algorithm=

This is SSL, it needs truststore and keystore for mutual TLS authentication.

security.protocol=SSL
ssl.trustmanager.algorithm=PKIX
ssl.truststore.location=truststore.jks
ssl.truststore.password=123456
ssl.truststore.type=JKS
ssl.keystore.location=keystore.jks
ssl.keystore.password=123456
ssl.keystore.type=JKS

Now, the question is, for authentication SASL-scram-sha-512 and SSL, which one is more practical or more secure ? Which one is used by majority of customers in the real world ? and why?

[scholzj]

I'm not sure this has an easy answer. Everyone prefers slightly different things, has different security policies etc. I think both are fairly popular. One of the disadvantages of TLS Client Authentication is that it does not use and certificate revocation list. So you cannot easily revoke individual certificates. All you can do is changing the Clients CA. With SCRAM-SHA passwords, this is easier since when you delete a user or its password, it will stop working immediately.

[barryzhounb]

However, for SCRAM-SHA, username and password are set in the producer/consumer properties with plain text, it is a concern for us, is there any approach for fixing it?

[scholzj]

All I can tell you is that the password is not transferred over the network in plaintext form and are not stored in Zookeeper in plaintext either. I do not know whether there are some tricks to not store it in plaintext form for the configuration. The SCRAM-SHA mechanism is not in any way unique to Strimzi, it is standard Kafka mechanism. So maybe asking in the Kafka forums might give you some better answers.

But that is exactly as I said ... everyone has different requirements and sees different things as important.

[barryzhounb]

Okay, your answer is helpful, big thanks.