morazow commented on code in PR #2506:
URL: https://github.com/apache/fluss/pull/2506#discussion_r2812756928


##########
website/docs/install-deploy/deploying-with-helm.md:
##########
@@ -245,16 +250,47 @@ The chart automatically configures listeners for internal 
cluster communication
 - **Internal Port (9123)**: Used for internal communication within the cluster
 - **Client Port (9124)**: Used for client connections
 
-Custom listener configuration:
+Default listeners configuration:
 
 ```yaml
 listeners:
   internal:
+    protocol: PLAINTEXT
     port: 9123
   client:
+    protocol: PLAINTEXT
     port: 9124
 ```
 
+To enable SASL based authentication, set any of the protocols to `SASL`.
+
+### Enabling Secure Connection
+
+With the helm deployment, you can specify authentication protocols when 
connecting to the Fluss cluster.
+
+The following table shows the supported protocols and security they provide:
+
+| Method      | Authentication | TLS Encryption     |
+|-------------|:--------------:|:------------------:|
+| `PLAINTEXT` | No             | No                 |
+| `SASL`      | Yes            | No                 |
+
+By default, the `PLAINTEXT` protocol is used.
+
+The SASL authentication will be enabled if any of the listener protocols is 
using `SASL`.
+
+Set these values for additional configurations:
+
+```yaml
+security:
+  sasl_plain:
+    users:
+      - username: admin
+        password: password
+```
+
+The `security.sasl_plain.users` field defines the list of usernames and 
passwords for SASL/PLAIN authentication. When the internal listener protocol 
uses SASL, the first user in the list is used for internal client 
authentication. The authentication mechanism is fixed to `PLAIN`.
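Review bot: In the new "Enabling Secure Connection" section, the table lists `SASL` as providing no TLS encryption and the closing paragraph fixes the mechanism to `PLAIN`, so the username and password are sent unencrypted on a `SASL` listener. The heading suggests more protection than that, and the docs should say it outright, for example with a sentence after the table stating that `SASL` here authenticates clients but does not protect credentials or data in transit. The `security.sasl_plain.users` example with `admin` / `password` is likely to be copied as-is, so use obvious placeholder values and add a note not to keep real passwords in a committed values file. The rule that the first user in the list is used for internal client authentication makes list order significant, which deserves a call-out next to the YAML. The sentence "To enable SASL based authentication, set any of the protocols to `SASL`." also repeats the later "The SASL authentication will be enabled if any of the listener protocols is using `SASL`." line; keep one of them.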

Review Comment:
   Hey @xx789633, @affo 
   
   I have looked into this. But I think we should address it in a separate 
PR, because it seems it would require a change in the core fluss also.
   
   ### Context
   
   With multiple separate SASL communications, we would have to prefix JAAS 
configurations for `FlussServer` and `FlussClient` with, for example, listener 
name. E.g., `internal.FlussServer { ... }`.
   
   This works at the moment for the server side. 
   
   But the client side needs a change in the core.
   
   Loading of the client JAAS context doesn't consider the prefixed listener 
names: 
https://github.com/apache/fluss/blob/main/fluss-common/src/main/java/org/apache/fluss/security/auth/sasl/jaas/JaasContext.java#L163


