Authenticating and connecting to a database using the Kafka API
Endpoint
The Kafka API endpoint is displayed in the management console
The endpoint has the following format: <FQDN_YDB>:PORT. For example, ydb-01.serverless.yandexcloud.net:9093.
Prerequisites
To authenticate, take these steps:
- Create a service account.
- Assign roles to the service account:
  - For reading from a data stream: ydb.kafkaApi.client and ydb.viewer.
  - For writing to a data stream: ydb.kafkaApi.client and ydb.editor.
- Create an API key with the yc.ydb.topics.manage scope.
Authentication
The Kafka API uses the SASL_SSL/PLAIN
The following parameters are required:
- <database>: Database path. The database path is displayed in the management console after database= in the Endpoint field on the Overview tab. For example, in the grpcs://ydb.serverless.yandexcloud.net:2135/?database=/ru-central1/b1gia87mbaomkfvs6rgl/etnudu2n9ri35luqe4h1 endpoint, /ru-central1/b1gia87mbaomkfvs6rgl/etnudu2n9ri35luqe4h1 is the database path.
- <api-key>: API key.
Parameters used for authentication when reading and writing messages:
- <sasl.username> = @<database> (note that you need to put @ before the path to the database)
- <sasl.password> = <api-key>
Example of writing and reading a message
The example uses the following parameters:
- Install an SSL certificate:

      mkdir -p /usr/local/share/ca-certificates/Yandex/ && \
      wget "https://crls.yandex.net/YandexInternalRootCA.crt" \
        --output-document /usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt && \
      chmod 0655 /usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt

  The certificate will be saved to the /usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt file.

- Install the kcat utility, which is an open source app that can function as a universal data producer or consumer:

      sudo apt-get install kafkacat

- Run this command to get messages from the stream:

      kcat -C \
        -b <kafka-api-endpoint> \
        -t <stream-name> \
        -X security.protocol=SASL_SSL \
        -X sasl.mechanism=PLAIN \
        -X sasl.username="<sasl.username>" \
        -X sasl.password="<sasl.password>" \
        -X ssl.ca.location=/usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt -Z

  The command will continuously read new messages from the stream.

- In a separate terminal, run this command to send a message to the stream:

      echo "test message" | kcat -P \
        -b <kafka-api-endpoint> \
        -t <stream-name> \
        -k key \
        -X security.protocol=SASL_SSL \
        -X sasl.mechanism=PLAIN \
        -X sasl.username="<sasl.username>" \
        -X sasl.password="<sasl.password>" \
        -X ssl.ca.location=/usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt -Z
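
The kcat commands above pass the API key as a command-line argument, where it is visible in the process list and shell history. As an added example (not part of the original page), these shell functions derive sasl.username from the endpoint string and write the same settings to an owner-only properties file for kcat's -F option; the function names and the YDB_API_KEY variable are assumptions.

```shell
# Added example, not from the original page. YDB_API_KEY is an assumed variable name.

# Print the database path: the part after "database=" in the Endpoint field.
ydb_database_path() (
  case $1 in
    *database=*) db=${1#*database=} ;;
    *) echo "endpoint has no database= parameter" >&2; return 1 ;;
  esac
  db=${db%%&*}   # drop any query parameters that follow
  case $db in
    /?*) printf '%s\n' "$db" ;;
    *) echo "database path must start with /" >&2; return 1 ;;
  esac
)

# Print sasl.username: the database path prefixed with "@".
ydb_sasl_username() (
  db=$(ydb_database_path "$1") || return 1
  printf '@%s\n' "$db"
)

# Write a librdkafka properties file for `kcat -F`.
# $1 = endpoint string, $2 = output file, $3 = CA file (defaults to the page's path).
write_kcat_config() (
  user=$(ydb_sasl_username "$1") || return 1
  [ -n "${YDB_API_KEY:-}" ] || { echo "YDB_API_KEY is not set" >&2; return 1; }
  ca=${3:-/usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt}
  umask 077
  # Create or truncate the file and restrict it before any secret is written.
  : > "$2" && chmod 600 "$2" || return 1
  cat >> "$2" <<EOF
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.username=$user
sasl.password=$YDB_API_KEY
ssl.ca.location=$ca
EOF
)

# Usage, with the page's placeholders:
#   YDB_API_KEY='<api-key>'
#   write_kcat_config '<endpoint>' "$HOME/.kcat-ydb.conf"
#   kcat -C -F "$HOME/.kcat-ydb.conf" -b <kafka-api-endpoint> -t <stream-name> -Z
```
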
For core information on how to work with Data Streams using the Kafka API, see the YDB documentation.