Prefixes for Configuring Security

Configuration Parameters

Each component and many areas of functionality (for example, audit logging) in Confluent Platform can be configured for security. This table shows what prefixes are used for security configuration properties and where to configure them.

Important

Secrets config.providers do not propagate to prefixes such as client.*. Thus, when using prefixes with secrets you must specify config.providers and config.providers.securepass.class. Refer to Using prefixes in secrets configurations for details.

Security Configuration Prefix Where to Configure
Audit logging confluent.security.event. etc/kafka/server.properties
Broker none etc/kafka/server.properties
Broker LDAP configurations ldap. etc/kafka/server.properties
Broker Metadata Service (MDS) back-end configurations confluent.metadata. etc/kafka/server.properties
Metadata Service (MDS) configurations confluent.metadata.server. etc/kafka/server.properties
Console Clients none client properties (for example, producer.config or consumer.config)
Connect workers none, producer., consumer., or admin. etc/kafka/connect-distributed.properties
Control Center confluent.controlcenter.streams. confluent.controlcenter.connect. confluent.controlcenter.ksql. etc/confluent-control-center/control-center.properties
Java Clients

Java clients use static parameters defined in the Javadoc:

SslConfigs or SaslConfigs in Properties class
Metrics Reporter confluent.metrics.reporter. etc/kafka/server.properties
Monitoring Interceptors in clients confluent.monitoring.interceptor. client properties, e.g. producer.config or consumer.config
Monitoring Interceptors in Connect producer.confluent.monitoring.interceptor. consumer.confluent.monitoring.interceptor. etc/kafka/connect-distributed.properties
Monitoring Interceptors in Replicator src.consumer.confluent.monitoring.interceptor. connector JSON file (not the worker properties file)
Rebalancer confluent.rebalancer.metrics. Pass configuration (e.g. rebalance-metrics-client.properties) using --config-file
Replicator
  • dest.kafka.
  • src.kafka.
connector JSON file (not the worker properties file)
REST Proxy client. etc/kafka/kafka-rest.properties
Schema Registry kafkastore. etc/schema-registry/schema-registry.properties
ZooKeeper none etc/kafka/zookeeper.properties

Environment Variables for Configuring HTTPS

If a component in Confluent Platform needs to connect to a service using HTTPS, for example to an HTTPS-enabled Confluent Schema Registry, you may need to configure the TLS/SSL credentials for that HTTPS connection. This table shows for each component, the name of the environment variable to configure with TLS/SSL credentials for those HTTPS connections.

Component Environment Variable
Broker KAFKA_OPTS
Console Clients KAFKA_OPTS
ksqlDB KSQL_OPTS
Connect workers KAFKA_OPTS
Confluent Rebalancer REBALANCER_OPTS
Control Center CONTROL_CENTER_OPTS
Schema Registry SCHEMA_REGISTRY_OPTS
REST Proxy KAFKAREST_OPTS

Additional Environment Variables

If you are using the Schema Registry ACL Authorizer with SASL, pass in the JAAS configuration file using the SECURITY_PLUGINS_OPTS environment variable before calling sr-acl-cli.

export SECURITY_PLUGINS_OPTS=-Djava.security.auth.login.config=/etc/schema-registry/kafka_client_jaas.conf