.. _kafka_sasl_auth_gssapi:

Configuring GSSAPI
------------------

SASL/GSSAPI Overview
~~~~~~~~~~~~~~~~~~~~

SASL/GSSAPI is for organizations using Kerberos (for example, by using Active Directory). You don't need to install a new server just for |ak-tm|. Ask your Kerberos administrator for a principal for each |ak| broker in your cluster and for every operating system user that will access |ak| with Kerberos authentication (via clients and tools).

If you don't already have a Kerberos server, your Linux vendor likely has packages for Kerberos and a short guide on how to install and configure it (`Ubuntu `_, `Red Hat `_). Note that if you are using Oracle Java, you must download JCE policy files for your Java version and copy them to ``$JAVA_HOME/jre/lib/security``.

You must create these principals yourself using the following commands:

.. codewithvars:: bash

   sudo /usr/sbin/kadmin.local -q 'addprinc -randkey kafka/{hostname}@{REALM}'
   sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{keytabname}.keytab kafka/{hostname}@{REALM}"

It is a Kerberos requirement that all your hosts can be resolved with their fully-qualified domain names (FQDNs).

The remainder of this page will show you how to configure SASL/GSSAPI for each component in the Confluent Platform.

GSSAPI Logging
^^^^^^^^^^^^^^

To enable SASL/GSSAPI debug output, you can set the ``sun.security.krb5.debug`` system property to ``true``. For example:

.. codewithvars:: bash

   export KAFKA_OPTS=-Dsun.security.krb5.debug=true
   bin/kafka-server-start etc/kafka/server.properties

.. include:: ../../includes/installation-types-zip-tar.rst

.. _sasl_gssapi_broker:

Brokers
~~~~~~~

.. include:: ../includes/intro_brokers.rst

* :ref:`Confluent Metrics Reporter `

.. _jaas-config:

JAAS
^^^^

.. include:: ../includes/auth_sasl_gssapi_broker_jaas.rst

.. _auth-sasl-gssapi-config:

Configuration
^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_gssapi_broker_config.rst

Run
^^^

.. include:: ../includes/auth_sasl_gssapi_broker_run.rst

Clients
~~~~~~~

.. include:: ../includes/intro_clients.rst

.. include:: ../includes/auth_sasl_gssapi_client_config.rst

|zk|
~~~~

This section describes how to configure |zk| so that brokers can use SASL/GSSAPI to authenticate to it.

.. include:: ../includes/intro_zk.rst

.. _zookeeper-jaas:

JAAS
^^^^

.. include:: ../includes/auth_sasl_gssapi_zk_jaas.rst

You must make a corresponding ``Client`` section in each :ref:`broker's JAAS file `.

.. _zookeeper-configuration:

Configuration
^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_gssapi_zk_config.rst

.. _zookeeper-run:

Run
^^^

.. include:: ../includes/auth_sasl_gssapi_zk_run.rst

.. _sasl_gssapi_connect-workers:

|kconnect-long|
~~~~~~~~~~~~~~~

.. include:: ../includes/intro_connect.rst

* :ref:`Confluent Monitoring Interceptors `
* :ref:`Confluent Metrics Reporter `

.. include:: ../includes/auth_sasl_gssapi_connect-workers_config.rst

.. _sasl_gssapi_replicator:

|crep-full|
~~~~~~~~~~~

.. include:: ../includes/intro_replicator.rst

* :ref:`Kafka Connect `

.. include:: ../includes/auth_sasl_gssapi_replicator_config.rst

|c3|
~~~~

.. include:: ../includes/intro_c3.rst

* :ref:`Confluent Metrics Reporter `: required on the production cluster being monitored
* :ref:`Confluent Monitoring Interceptors `: optional if you are using |c3-short| streams monitoring

.. include:: ../includes/auth_sasl_gssapi_c3_config.rst

.. _sasl_gssapi_metrics-reporter:

|cmetric-full|
~~~~~~~~~~~~~~

.. include:: ../includes/intro_metrics-reporter.rst

.. include:: ../includes/auth_sasl_gssapi_metrics-reporter_config.rst

.. _sasl_gssapi_interceptors:

Confluent Monitoring Interceptors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. include:: ../includes/intro_interceptors.rst

Interceptors for General Clients
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_gssapi_interceptors_config.rst

Interceptors for |kconnect-long|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_gssapi_interceptors-connect-workers_config.rst

Interceptors for Replicator
^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_gssapi_interceptors-replicator_config.rst

|sr|
~~~~

.. include:: ../includes/intro_sr.rst

.. include:: ../includes/auth_sasl_gssapi_sr_config.rst

REST Proxy
~~~~~~~~~~

Securing Confluent REST Proxy for SASL requires that you configure security between the REST proxy and the |ak| cluster. You may also refer to the complete list of `REST Proxy SASL configuration options `_.

.. include:: ../includes/auth_sasl_gssapi_rest_config.rst
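The following script is an added example and is not part of the Confluent documentation or of the |ak| project's own tooling. It wraps the principal and keytab steps from the SASL/GSSAPI Overview above for a whole list of brokers: it refuses any hostname that is not a fully-qualified domain name (the Kerberos requirement stated above), prints the two ``kadmin.local`` commands for each broker, and checks a ``klist -kt`` listing for the expected principal after ``ktadd``. The realm ``EXAMPLE.COM``, the broker hostnames, the ``kafka-<shorthost>.keytab`` naming and the sample ``klist`` output are all constructed placeholders, and the ``is_fqdn``, ``broker_principal``, ``kadmin_commands_for`` and ``keytab_contains`` functions are hypothetical helpers written for this example.

```shell
#!/bin/sh
# Added example, not from the Confluent docs: a pre-flight helper around the
# "addprinc -randkey" / "ktadd" steps for broker principals. The realm, the
# broker hostnames and the klist output below are constructed placeholders.
set -eu

REALM="EXAMPLE.COM"                 # assumption: replace with your Kerberos realm
KEYTAB_DIR="/etc/security/keytabs"  # same directory as the page's ktadd command

# Succeed only for a lowercase dotted FQDN such as broker1.kafka.example.com.
# Uppercase is rejected on purpose: service principals use the lowercase FQDN.
is_fqdn() {
  printf '%s' "$1" |
    grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# Kerberos principal for a broker host: kafka/<fqdn>@<REALM>.
broker_principal() {
  printf 'kafka/%s@%s\n' "$1" "$REALM"
}

# Print the two kadmin.local commands for one broker, or fail without printing
# anything if the hostname is not an FQDN, so a short name never becomes a principal.
kadmin_commands_for() {
  host="$1"
  if ! is_fqdn "$host"; then
    echo "refusing '$host': not a fully-qualified domain name" >&2
    return 1
  fi
  princ="$(broker_principal "$host")"
  short="${host%%.*}"   # keytab file is named after the short hostname (assumption)
  printf "sudo /usr/sbin/kadmin.local -q 'addprinc -randkey %s'\n" "$princ"
  printf 'sudo /usr/sbin/kadmin.local -q "ktadd -k %s/kafka-%s.keytab %s"\n' \
    "$KEYTAB_DIR" "$short" "$princ"
}

# After ktadd, `klist -kt <keytab>` lists the keytab entries. Given that output
# as $1, succeed if some entry line ends with the principal $2.
keytab_contains() {
  printf '%s\n' "$1" |
    awk -v p="$2" '$NF == p { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Constructed sample of `klist -kt` output, shaped like the real command prints it.
SAMPLE_KLIST='Keytab name: FILE:/etc/security/keytabs/kafka-broker1.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2024 00:00:00 kafka/broker1.kafka.example.com@EXAMPLE.COM'

# Dry run over a constructed broker list, then check the sample keytab listing.
for h in broker1.kafka.example.com broker2.kafka.example.com; do
  kadmin_commands_for "$h"
done
if keytab_contains "$SAMPLE_KLIST" "$(broker_principal broker1.kafka.example.com)"; then
  echo "keytab check: broker1 principal present"
fi
```

The script only prints the ``kadmin.local`` commands; run them on the KDC host after reviewing the output, and replace ``SAMPLE_KLIST`` with the real ``klist -kt /etc/security/keytabs/<name>.keytab`` output to verify each broker's keytab before enabling SASL/GSSAPI on the brokers.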