Configure Kerberos Authentication for Brokers Running MDS
Important
This feature is available as a preview feature. A preview feature is a component of Confluent Platform that is being introduced to gain early feedback from developers. This feature can be used for evaluation and non-production testing purposes or to provide feedback to Confluent.
This configuration combines LDAP authentication for MDS with Kerberos (GSSAPI) authentication for the brokers, so that both authentication methods are in use on the same cluster.
Prerequisites:
- The prerequisites for configuring Kerberos authentication for MDS are the same as the prerequisites for configuring MDS. See Configure Metadata Service (MDS).
- Create a user for the Kafka broker.
- Generate the keytab. See Configuring GSSAPI.
- Create a PEM key pair.
Tip
You can store passwords and other configuration data securely by using the confluent secret commands. For more information see Secrets.
Add the following required configuration options to the etc/kafka/server.properties file. Any content in angle brackets (<>) must be customized for your environment.
Note
The LDAP configuration attributes in this example reflect a system using Active Directory (AD). If you use a different directory system, contact your LDAP administrator for details.
```
 1  ############################# Confluent Authorizer Settings #############################
 2  authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
 3  confluent.authorizer.access.rule.providers=ACL,RBAC
 4  confluent.metadata.server.listeners=http://localhost:8090
 5  confluent.metadata.server.advertised.listeners=http://localhost:8090
 6  #### Semi-colon separated list of super users in the format <principalType>:<principalName> ####
 7  #### For example: super.users=User:admin;User:mds ####
 8  super.users=User:<org-super-user>;User:<org-kerberos-principal>
 9
10  ############################# Identity Provider Settings (LDAP) #############################
11  #### JNDI Connection Settings ####
12  ldap.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
13  ldap.java.naming.provider.url=ldap://<hostname>:389
14  #### MDS Authentication Settings ####
15  ldap.java.naming.security.principal=<mds-user-DN>
16  ldap.java.naming.security.credentials=<password>
17  ldap.java.naming.security.authentication=simple
18  #### Client Authentication Settings ####
19  ldap.user.search.base=<user-search-base-DN>
20  ldap.user.name.attribute=sAMAccountName
21  confluent.authorizer.group.provider=rbac
22  ldap.group.search.base=CN=Users,DC=rbac,DC=confluent,DC=io
23  ldap.group.object.class=group
24  ldap.group.member.attribute.pattern=UID=(.*),OU=Users,DC=EXAMPLE,DC=COM
25  ldap.user.object.class=account
26
27  ############################# MDS Server Settings #############################
28  confluent.metadata.server.authentication.method=BASIC
29  confluent.metadata.server.authentication.roles=**
30
31  ############################# MDS Token Service Settings #############################
32  confluent.metadata.server.token.key.path=<path-to-tokenKeypair.pem>
33  confluent.metadata.server.public.key.path=<path-to-public.pem>
34
35  ############################# Listener Settings #############################
36  listeners=INTERNAL_SASL_PLAINTEXT://:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://:9092
37  advertised.listeners=INTERNAL_SASL_PLAINTEXT://localhost:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://localhost:9092
38  inter.broker.listener.name=INTERNAL_SASL_PLAINTEXT
39
40  ############################# Listener SASL Configuration Settings #############################
41  listener.security.protocol.map=INTERNAL_SASL_PLAINTEXT:SASL_PLAINTEXT,EXTERNAL_RBAC_SASL_PLAINTEXT:SASL_PLAINTEXT
42
43  ############################# Broker Internal Listener SASL Configuration Settings #############################
44  sasl.mechanism.inter.broker.protocol=GSSAPI
45  listener.name.internal_sasl_plaintext.sasl.enabled.mechanisms=GSSAPI
46  listener.name.internal_sasl_plaintext.sasl.kerberos.service.name=kafka
47  listener.name.internal_sasl_plaintext.gssapi.sasl.jaas.config = \
48      com.sun.security.auth.module.Krb5LoginModule required \
49      debug=true \
50      useKeyTab=true \
51      storeKey=true \
52      keyTab="<path-to-your-keytab>" \
53      principal="<org-kerberos-principal>";
54  # for example: principal="kafka/kafka1.hostname.com@EXAMPLE.COM"
55  ############################# Broker External (Client) Listener SASL Configuration Settings #############################
56  listener.name.external_rbac_sasl_plaintext.sasl.enabled.mechanisms=OAUTHBEARER
57  listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.jaas.config= \
58      org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
59      publicKeyPath="<path-to-your-public-key>";
60  listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
61  listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
```
For a description of the parameters, see:
- Lines 2-8: Enables RBAC. For more information, see Configuring the Confluent Server Authorizer.
- Lines 11-25: Configures LDAP so that RBAC can use it. For more information, see Configure LDAP Group-Based Authorization for MDS and Configure LDAP Authentication for MDS.
- Lines 28-29: Defines listeners and configures HTTPS for brokers. For more information, see Metadata Service Configuration Options.
- Lines 32-33: Defines private and public key configuration properties. For more information, see Metadata Service Configuration Options.
- Lines 36-61: Enables SASL authentication and Kerberos authentication. For more information, see Authentication with SASL and Configuring GSSAPI.
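As an added pre-start check, not part of this page or of Confluent's own tooling, the script below parses a server.properties fragment in the shape shown above and flags the mistakes that most often keep this setup from coming up: an unreplaced <placeholder>, a listener that is missing from listener.security.protocol.map, a GSSAPI or OAUTHBEARER listener without its JAAS credentials, and an unset token key path. The sample properties, keytab path and PEM path are constructed for the example.

```python
# Constructed sample (not a real deployment): the page's listener/SASL settings with
# two mistakes left in, an unreplaced <placeholder> and a listener missing from the map.
SAMPLE = """
listeners=INTERNAL_SASL_PLAINTEXT://:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://:9092
inter.broker.listener.name=INTERNAL_SASL_PLAINTEXT
listener.security.protocol.map=INTERNAL_SASL_PLAINTEXT:SASL_PLAINTEXT
listener.name.internal_sasl_plaintext.sasl.enabled.mechanisms=GSSAPI
listener.name.internal_sasl_plaintext.gssapi.sasl.jaas.config = \\
  com.sun.security.auth.module.Krb5LoginModule required \\
  useKeyTab=true storeKey=true \\
  keyTab="/etc/security/keytabs/kafka.keytab" \\
  principal="<org-kerberos-principal>";
listener.name.external_rbac_sasl_plaintext.sasl.enabled.mechanisms=OAUTHBEARER
confluent.metadata.server.token.key.path=/var/ssl/private/tokenKeypair.pem
"""

def parse_properties(text):
    """Java .properties reader: '#' comments, first '=' splits key/value, trailing '\\' continues."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "  # join continuation lines into one value
            continue
        key, _, value = (buf + line).partition("=")
        props[key.strip()] = value.strip()
        buf = ""
    return props

def check_mds_kerberos_config(props):
    """Return findings for the settings this page configures; an empty list means OK."""
    findings = [f"{k}: placeholder not replaced" for k, v in props.items() if "<" in v and ">" in v]
    names = [l.split("://")[0] for l in props.get("listeners", "").split(",") if l]
    mapped = [m.split(":")[0] for m in props.get("listener.security.protocol.map", "").split(",")]
    findings += [f"listener {n} missing from listener.security.protocol.map" for n in names if n not in mapped]
    if props.get("inter.broker.listener.name") not in names:
        findings.append("inter.broker.listener.name is not one of the configured listeners")
    for n in names:  # each listener's SASL mechanism needs the matching JAAS credentials
        mech = props.get(f"listener.name.{n.lower()}.sasl.enabled.mechanisms", "")
        jaas = props.get(f"listener.name.{n.lower()}.{mech.lower()}.sasl.jaas.config", "")
        if mech == "GSSAPI" and not ("keyTab=" in jaas and "principal=" in jaas):
            findings.append(f"{n}: GSSAPI listener needs keyTab and principal in its JAAS config")
        if mech == "OAUTHBEARER" and "publicKeyPath=" not in jaas:
            findings.append(f"{n}: OAUTHBEARER listener needs publicKeyPath in its JAAS config")
    for key in ("confluent.metadata.server.token.key.path", "confluent.metadata.server.public.key.path"):
        if not props.get(key):
            findings.append(f"{key} is not set")
    return findings
```

Run it as `check_mds_kerberos_config(parse_properties(open("server.properties").read()))` against the real file; the sample above yields four findings.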