Configuring RBAC for a Connect worker


Before configuring RBAC for Kafka Connect, read the white paper Role-Based Access Control (RBAC) for Kafka Connect. This white paper covers basic RBAC concepts and provides a deep dive into using RBAC with Kafka Connect and connectors. It also contains a link to a GitHub demo so you can see how it all works on a local Confluent Platform installation.

In an RBAC-enabled environment, several RBAC configuration lines need to be added to each Connect worker file. Refer to the following for information about what needs to be added to each Connect worker file.

  1. Add the following parameter to enable per-connector principals. With per-connector principals, each connector can present its own identity to Kafka instead of sharing the worker's service principal, so a connector can be granted only the topics and groups it needs.

  2. Add the following parameters to enable the Connect framework to authenticate with Kafka using a service principal. The service principal is used by Connect to read from and write to its internal topics (configuration, offsets, and status). Here <username> and <password> are the username and password of the service principal that was granted permissions when the service principal was set up. Keep comments on their own lines: in a Java properties file a trailing `#` is part of the value, not a comment.

    # Or SASL_SSL if using SSL
    security.protocol=SASL_PLAINTEXT
    sasl.mechanism=OAUTHBEARER
    sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
    sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
      username="<username>" \
      password="<password>" \
      metadataServerUrls="<metadata_server_urls>";

  3. Add the following parameters to establish worker-wide default properties for each type of Kafka client used by connectors in the cluster. Connect workers accept the same settings under the producer., consumer., and admin. prefixes; a connector that does not override them inherits these defaults.

  4. Add the following parameters to require user RBAC authentication to Connect. RBAC authentication is required to allow users to create connectors, read connector configurations, and delete connectors.

    # Adds the RBAC REST extension to the Connect worker
    rest.extension.classes=io.confluent.connect.security.ConnectSecurityExtension
    # The location of a running metadata service
    confluent.metadata.bootstrap.server.urls=<metadata_server_urls>
    # Credentials to use when communicating with the MDS
    confluent.metadata.basic.auth.user.info=<username>:<password>

  5. Add the following parameters to have Connect use basic authentication for user requests and token authentication for impersonated requests (for example, from REST Proxy). The public keys are used to verify the signature on the JSON web tokens that impersonated requests carry; a token signed by any other key is rejected.

    # The path to a directory containing public keys that should be used to verify json web tokens
    # during authentication
    public.key.path=<public key path>
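The five steps above produce one worker properties file. The following script, added here as an example and not taken from the Confluent documentation or the Confluent Platform code, writes such a file end to end and then lints it for every key the steps require. The property names are the Confluent Platform and Kafka Connect ones named in the steps; the MDS URL (http://mds.example.internal:8090), the service principal connect-worker with password changeme, and the key directory /etc/confluent/mds-public-keys are assumed placeholders, not values from this page.

```bash
#!/usr/bin/env bash
# Added example: generate and lint an RBAC-enabled Connect worker config.
# Assumed values (override via the environment): MDS URL, service principal
# name and password, public key directory. Not Confluent's own tooling.
set -euo pipefail

MDS_URL="${MDS_URL:-http://mds.example.internal:8090}"   # assumed
SP_USER="${SP_USER:-connect-worker}"                     # assumed
SP_PASS="${SP_PASS:-changeme}"                           # assumed placeholder
PUBKEY_DIR="${PUBKEY_DIR:-/etc/confluent/mds-public-keys}"  # assumed

# Emit the JAAS login block used by the worker and by each client type.
jaas_block() {
  local prefix="$1"   # "" for the framework, or "producer.", "consumer.", "admin."
  cat <<EOF
${prefix}security.protocol=SASL_PLAINTEXT
${prefix}sasl.mechanism=OAUTHBEARER
${prefix}sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
${prefix}sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \\
  username="${SP_USER}" \\
  password="${SP_PASS}" \\
  metadataServerUrls="${MDS_URL}";
EOF
}

# Write the RBAC fragment of a worker properties file to $1.
write_rbac_worker_config() {
  local out="$1" client
  {
    echo "# 1. Let each connector override the worker's client principal with its own"
    echo "connector.client.config.override.policy=All"
    echo
    echo "# 2. Service principal the framework uses for its internal topics"
    jaas_block ""
    # 3. Same defaults for every client type a connector may create
    for client in producer consumer admin; do
      echo
      echo "# 3. Worker-wide defaults for ${client} clients"
      jaas_block "${client}."
    done
    echo
    echo "# 4. Require RBAC authentication on the Connect REST API"
    echo "rest.extension.classes=io.confluent.connect.security.ConnectSecurityExtension"
    echo "confluent.metadata.bootstrap.server.urls=${MDS_URL}"
    echo "confluent.metadata.basic.auth.user.info=${SP_USER}:${SP_PASS}"
    echo "confluent.metadata.http.auth.credentials.provider=BASIC"
    echo
    echo "# 5. Basic auth for users, bearer tokens for impersonated requests"
    echo "rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.InstallBearerOrBasicCredentialFilter"
    echo "public.key.path=${PUBKEY_DIR}"
  } > "$out"
}

# Lint: return 0 only if every key the RBAC steps require is set in $1.
# Missing keys are reported on stderr so a CI job can show what is absent.
check_rbac_worker_config() {
  local file="$1" missing=0 key client
  local required=(
    connector.client.config.override.policy
    security.protocol sasl.mechanism
    sasl.login.callback.handler.class sasl.jaas.config
    rest.extension.classes confluent.metadata.bootstrap.server.urls
    confluent.metadata.basic.auth.user.info
    confluent.metadata.http.auth.credentials.provider
    rest.servlet.initializor.classes public.key.path
  )
  for client in producer consumer admin; do
    required+=("${client}.security.protocol" "${client}.sasl.mechanism"
               "${client}.sasl.jaas.config")
  done
  for key in "${required[@]}"; do
    if ! grep -q "^${key}=" "$file"; then
      echo "missing: ${key}" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Stand-alone use: write the fragment and lint it.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  out="${1:-connect-rbac.properties}"
  write_rbac_worker_config "$out"
  check_rbac_worker_config "$out" && echo "ok: $out"
fi
```

Two points worth noting when adapting this. The override policy value `All` lets a connector config override any client property, not only the principal; if connector authors should be able to change only their credentials, `Principal` is the tighter choice. And the service principal password appears in plaintext in this file because the example is self-contained; on a real worker it belongs in a config provider or secret store, with the file readable only by the Connect process user.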

See Secret Registry if you are using a Secret Registry for connector credentials.