Charmed Kafka K8s Documentation - Tutorial - Manage Passwords

This is part of the Charmed Kafka K8s Tutorial. Please refer to this page for more information and the overview of the content.

Manage passwords

Passwords help secure the cluster, and it is good practice to change them frequently. Here we will go through setting and changing the password for both the admin user and the external Kafka users managed by the data-integrator.

Admin user

Password management for the admin user is handled directly by the charm, using Juju actions.

Retrieve the password

As previously mentioned, the admin password can be retrieved by running the get-admin-credentials action on the Charmed Kafka application:

juju run kafka-k8s/leader get-admin-credentials

Running the command should output:

Running operation 12 with 1 task
  - task 13 on unit-kafka-k8s-2

Waiting for task 13...
client-properties: |-
  sasl.mechanism=SCRAM-SHA-512
  sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="0FIQ5QxSaNfl1bXHtV5dyttb21Nbzmpp";
  security.protocol=SASL_PLAINTEXT
  bootstrap.servers=kafka-k8s-2.kafka-k8s-endpoints:9092,kafka-k8s-0.kafka-k8s-endpoints:9092,kafka-k8s-1.kafka-k8s-endpoints:9092
password: 0FIQ5QxSaNfl1bXHtV5dyttb21Nbzmpp
username: admin

The admin password is under the result: password.

Rotate the admin password

You can change the admin password to a new random password by entering:

juju run kafka-k8s/leader set-password username=admin

Running the command should output:

Running operation 14 with 1 task
  - task 15 on unit-kafka-k8s-2

Waiting for task 15...
admin-password: Fz6wPkfGtgjnQ3PCJuZnzJESudZkAvrV

The admin password is under the result: admin-password. It should be different from your previous password.

Note that when you change the admin password you will also need to update the admin password in the Kafka connection parameters, as the old password will no longer be valid.

Set the admin password

You can change the admin password to a specific password by entering:

juju run kafka-k8s/leader set-password username=admin password=my-new-password

Running the command should output:

Running operation 18 with 1 task
  - task 19 on unit-kafka-k8s-2

Waiting for task 19...
admin-password: my-new-password

The admin password under the result: admin-password should match the password we provided as the action argument.

Note that when you change the admin password you will also need to update the admin password in the Kafka connection parameters, as the old password will no longer be valid.
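
One way to carry a rotated admin password into a local client properties file, as an added example that is not part of the original tutorial or the charm. The function names and the client.properties file are assumptions, and the action output and passwords in the demo are constructed.

```sh
#!/bin/sh
# Added example: function names and client.properties are assumptions, not
# part of the charm; the sample action output and passwords are constructed.

# Read set-password action output on stdin and print the new admin password.
extract_admin_password() {
  awk -F': ' '$1 == "admin-password" { print $2; exit }'
}

# Rewrite password="..." inside sasl.jaas.config of a client properties file.
# The password reaches awk through the environment, so it is never parsed as
# a regex or replacement string, and mktemp creates the new file with mode 0600.
update_client_password() {
  ucp_file=$1
  ucp_new=$2
  case $ucp_new in
    *'"'*) echo "password must not contain a double quote" >&2; return 1 ;;
  esac
  ucp_tmp=$(mktemp "${ucp_file}.XXXXXX") || return 1
  NEW_PASSWORD=$ucp_new awk '
    /^sasl\.jaas\.config=/ {
      start = index($0, "password=\"")
      if (start) {
        rest = substr($0, start + 10)            # text after the opening quote
        tail = substr(rest, index(rest, "\""))   # closing quote onwards
        $0 = substr($0, 1, start + 9) ENVIRON["NEW_PASSWORD"] tail
      }
    }
    { print }
  ' "$ucp_file" > "$ucp_tmp" && mv "$ucp_tmp" "$ucp_file"
}

# Constructed demo on a throwaway file; in a live model the output would come
# from: juju run kafka-k8s/leader set-password username=admin
demo() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/client.properties" <<'EOF'
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="old-constructed-password";
security.protocol=SASL_PLAINTEXT
EOF
  output='Waiting for task 15...
admin-password: new-constructed-password'
  new=$(printf '%s\n' "$output" | extract_admin_password)
  update_client_password "$dir/client.properties" "$new"
  grep '^sasl.jaas.config=' "$dir/client.properties"
  rm -rf "$dir"
}
demo
```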

External Kafka users

Unlike admin management, password management for external Kafka users is handled using relations. Let’s see this in action with the Data Integrator charm that we deployed in the previous part of the tutorial.

Retrieve the password

Like the Kafka application, the data-integrator exposes an action to retrieve the credentials:

juju run data-integrator/leader get-credentials

Running the command should output:

Running operation 22 with 1 task
  - task 23 on unit-data-integrator-0

Waiting for task 23...
kafka:
  endpoints: kafka-k8s-2.kafka-k8s-endpoints:9092,kafka-k8s-1.kafka-k8s-endpoints:9092,kafka-k8s-0.kafka-k8s-endpoints:9092
  password: S4IeRaYaiiq0tsM7m2UZuP2mSI573IGV
  tls: disabled
  topic: test-topic
  username: relation-6
  zookeeper-uris: zookeeper-k8s-0.zookeeper-k8s-endpoints:2181,zookeeper-k8s-1.zookeeper-k8s-endpoints:2181,zookeeper-k8s-2.zookeeper-k8s-endpoints:2181/kafka-k8s
ok: "True"

As before, the password is under the result: password.

Rotate the password

The easiest way to rotate user credentials using the data-integrator is to remove the relation between the data-integrator and the kafka-k8s charm and then relate them again:

juju remove-relation kafka-k8s data-integrator
# wait for the relation to be torn down 
juju relate kafka-k8s data-integrator

Successful credential rotation can be confirmed by retrieving the new password with the get-credentials action:

juju run data-integrator/leader get-credentials

Running the command should now output a different password:

Running operation 24 with 1 task
  - task 25 on unit-data-integrator-0

Waiting for task 25...
kafka:
  endpoints: kafka-k8s-0.kafka-k8s-endpoints:9092,kafka-k8s-1.kafka-k8s-endpoints:9092,kafka-k8s-2.kafka-k8s-endpoints:9092
  password: ToVfqYQ7tWmNmjy2tJTqulZHmJxJqQ22
  tls: disabled
  topic: test-topic
  username: relation-11
  zookeeper-uris: zookeeper-k8s-0.zookeeper-k8s-endpoints:2181,zookeeper-k8s-1.zookeeper-k8s-endpoints:2181,zookeeper-k8s-2.zookeeper-k8s-endpoints:2181/kafka-k8s
ok: "True"

To rotate external passwords with no or limited downtime, please refer to the how-to guide on app management.

Remove the user

To remove the user, remove the relation. Removing the relation automatically removes the user that was created when the relation was created. Enter the following to remove the relation:

juju remove-relation kafka-k8s data-integrator

The output of the Juju model should be something like this:

...
Model     Controller  Cloud/Region        Version  SLA          Timestamp
tutorial  microk8s    microk8s/localhost  3.1.5    unsupported  17:22:21+02:00

App              Version  Status   Scale  Charm            Channel  Rev  Address         Exposed  Message
data-integrator           blocked      1  data-integrator  stable    11  10.152.183.231  no       Please relate the data-integrator with the desired product
kafka-k8s                 active       3  kafka-k8s        3/beta    46  10.152.183.237  no
zookeeper-k8s             active       3  zookeeper-k8s    3/beta    37  10.152.183.134  no

Unit                Workload  Agent  Address     Ports  Message
data-integrator/0*  blocked   idle   10.1.36.42         Please relate the data-integrator with the desired product
kafka-k8s/0         active    idle   10.1.36.78
kafka-k8s/1         active    idle   10.1.36.80
kafka-k8s/2*        active    idle   10.1.36.79
zookeeper-k8s/0     active    idle   10.1.36.84
zookeeper-k8s/1*    active    idle   10.1.36.86
zookeeper-k8s/2     active    idle   10.1.36.85

Note: the operations above also apply to Charmed applications that implement the kafka_client relation, for which password rotation and user deletion can be achieved in the same consistent way.

What’s next?

In the next part, we will see how easy it is to enable encryption across the board by enabling TLS, to make sure no one is eavesdropping, sniffing or snooping on your traffic.
