.. _kafka_sasl_auth_gssapi:

Configuring GSSAPI
------------------

SASL/GSSAPI Overview
~~~~~~~~~~~~~~~~~~~~

SASL/GSSAPI is for organizations using Kerberos (for example, by using Active 
Directory). You don't need to install a new server just for |ak-tm|. Ask your 
Kerberos administrator for a principal for each |ak| broker in your cluster and 
for every operating system user that will access |ak| with Kerberos authentication 
(via clients and tools).

If you don't already have a Kerberos server, your Linux vendor likely has packages 
for Kerberos and a short guide on how to install and configure it 
(`Ubuntu <https://help.ubuntu.com/community/Kerberos>`_, `Red Hat <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/installing-kerberos.html>`_). Note that if you are using Oracle Java, you must download JCE policy files for your Java version and copy them to ``$JAVA_HOME/jre/lib/security``. You must create these principals yourself using the following commands:

.. codewithvars:: bash

   sudo /usr/sbin/kadmin.local -q 'addprinc -randkey kafka/{hostname}@{REALM}'
   sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{keytabname}.keytab kafka/{hostname}@{REALM}"

It is a Kerberos requirement that all your hosts can be resolved with their 
fully-qualified domain names (FQDNs).

The remainder of this page will show you how to configure SASL/GSSAPI for each 
component in the Confluent Platform.

GSSAPI Logging
^^^^^^^^^^^^^^

To enable SASL/GSSAPI debug output, you can set the ``sun.security.krb5.debug`` 
system property to ``true``. For example:

.. codewithvars:: bash

      export KAFKA_OPTS=-Dsun.security.krb5.debug=true
      bin/kafka-server-start etc/kafka/server.properties

.. include:: ../../includes/installation-types-zip-tar.rst

.. _sasl_gssapi_broker:

Brokers
~~~~~~~

.. include:: ../includes/intro_brokers.rst

* :ref:`Confluent Metrics Reporter <sasl_gssapi_metrics-reporter>`

.. _jaas-config:

JAAS
^^^^

.. include:: ../includes/auth_sasl_gssapi_broker_jaas.rst

.. _auth-sasl-gssapi-config:

Configuration
^^^^^^^^^^^^^
.. include:: ../includes/auth_sasl_gssapi_broker_config.rst

Run
^^^
.. include:: ../includes/auth_sasl_gssapi_broker_run.rst

Clients
~~~~~~~

.. include:: ../includes/intro_clients.rst

.. include:: ../includes/auth_sasl_gssapi_client_config.rst

|zk|
~~~~

This sections describes how to configure |zk| so that brokers can use SASL/GSSAPI 
to authenticate to it.

.. include:: ../includes/intro_zk.rst

.. _zookeeper-jaas:

JAAS
^^^^
.. include:: ../includes/auth_sasl_gssapi_zk_jaas.rst

You must make a corresponding `Client` section in each :ref:`broker's JAAS file <sasl_gssapi_broker>`.

.. _zookeeper-configuration:

Configuration
^^^^^^^^^^^^^
.. include:: ../includes/auth_sasl_gssapi_zk_config.rst

.. _zookeeper-run:

Run
^^^
.. include:: ../includes/auth_sasl_gssapi_zk_run.rst

.. _sasl_gssapi_connect-workers:

|kconnect-long|
~~~~~~~~~~~~~~~

.. include:: ../includes/intro_connect.rst

* :ref:`Confluent Monitoring Interceptors <sasl_gssapi_interceptors>`
* :ref:`Confluent Metrics Reporter <sasl_gssapi_metrics-reporter>`

.. include:: ../includes/auth_sasl_gssapi_connect-workers_config.rst

.. _sasl_gssapi_replicator:

|crep-full|
~~~~~~~~~~~

.. include:: ../includes/intro_replicator.rst

* :ref:`Kafka Connect <sasl_gssapi_connect-workers>`

.. include:: ../includes/auth_sasl_gssapi_replicator_config.rst

|c3|
~~~~

.. include:: ../includes/intro_c3.rst

* :ref:`Confluent Metrics Reporter <sasl_gssapi_metrics-reporter>`: required on the production cluster being monitored
* :ref:`Confluent Monitoring Interceptors <sasl_gssapi_interceptors>`: optional if you are using |c3-short| streams monitoring

.. include:: ../includes/auth_sasl_gssapi_c3_config.rst

.. _sasl_gssapi_metrics-reporter:

|cmetric-full|
~~~~~~~~~~~~~~

.. include:: ../includes/intro_metrics-reporter.rst

.. include:: ../includes/auth_sasl_gssapi_metrics-reporter_config.rst

.. _sasl_gssapi_interceptors:

Confluent Monitoring Interceptors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. include:: ../includes/intro_interceptors.rst

Interceptors for General Clients
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_gssapi_interceptors_config.rst

Interceptors for |kconnect-long|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_gssapi_interceptors-connect-workers_config.rst

Interceptors for Replicator
^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. include:: ../includes/auth_sasl_gssapi_interceptors-replicator_config.rst

|sr|
~~~~

.. include:: ../includes/intro_sr.rst

.. include:: ../includes/auth_sasl_gssapi_sr_config.rst

REST Proxy
~~~~~~~~~~~

Securing Confluent REST Proxy for SASL requires that you configure security between 
the REST proxy and the |ak| cluster.

You may also refer to the complete list of `REST Proxy SASL configuration options 
<https://docs.confluent.io/current/kafka-rest/docs/config.html#configuration-options-for-sasl-authentication-between-rest-proxy-and-apache-kafka-brokers>`_.

.. include:: ../includes/auth_sasl_gssapi_rest_config.rst