.. _rbac_token_auth:

Configuring Token Authentication
================================

The `OAuth 2 Authorization Framework `__ "enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf." The SASL OAUTHBEARER mechanism enables the use of the framework in a SASL (non-HTTP) context; it is defined in `RFC 7628 `__.

The default OAUTHBEARER implementation in |ak-tm| creates and validates `Unsecured JSON Web Tokens `__ and is only suitable for use in non-production |ak| installations. In addition to |ak| clients, neither the :ref:`Confluent Metrics Reporter ` nor interbroker protocols should use ``OAUTHBEARER``.

MDS extends this with cryptographically signed tokens, which allow services to communicate proof of authentication for a user without forwarding the user's secrets. Cryptographically signed tokens provide the most suitable solution. For details about MDS configuration, see :ref:`rbac-mds-config`.

.. include:: ../../kafka/includes/oauthbearer-warning.rst

.. _security_sasl_rbac_oauthbearer_brokerconfig:

Configuring |ak| Brokers
------------------------

#. Configure the SASL port and SASL mechanisms in :litwithvars:`|ak_props|` as described :ref:`here `. Note that in the following example the listener name can be any name you choose, but here it is named ``RBAC``. For example:

   .. code-block:: text

      # Add named listener RBAC to existing listeners and advertised.listeners
      listeners=RBAC://:9092,existing_listener://:9093
      advertised.listeners=RBAC://localhost:9092,existing_listener://localhost:9093

      # Add protocol mapping for newly-added named listener RBAC
      listener.security.protocol.map=existinglistener:existingsecurity,RBAC:SASL_PLAINTEXT (or SASL_SSL if production)
      listener.name.rbac.sasl.enabled.mechanisms=OAUTHBEARER

      # Configure the public key used to verify RBAC Metadata Service signatures
      # username, password and metadataServerUrls must be set if used for interbroker communication
      listener.name.rbac.oauthbearer.sasl.jaas.config= \
          org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
          publicKeyPath="<path-to-public-key>";

      # Set SASL callback handler to verify authentication token signatures
      listener.name.rbac.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler

      # Set interbroker protocol to SASL_PLAINTEXT
      sasl.mechanism.inter.broker.protocol=PLAIN
      security.inter.broker.protocol=SASL_PLAINTEXT

#. Configure ``OAuthBearerLoginModule`` callback handlers for verifying client tokens.

   .. code-block:: java

      sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
      sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler

   For details on the token listener configuration options shown above, refer to :ref:`mds-token-service-settings`.

.. _security_sasl_rbac_oauthbearer_srconfig:

Configuring |sr-long|
---------------------

Configure the login service with bearer token authentication in your :litwithvars:`|sr_props|`. For more information, see :ref:`schemaregistry_rbac`. For example:

.. code-block:: java

   # Replace all text between <> with appropriate values.
   resource.extension.class=io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension
   confluent.schema.registry.authorizer.class=io.confluent.kafka.schemaregistry.security.authorizer.rbac.RbacAuthorizer
   rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler
   confluent.schema.registry.auth.mechanism=JETTY_AUTH
   confluent.metadata.bootstrap.server.urls=<protocol>://<host>:<port>
   confluent.metadata.http.auth.credentials.provider=BASIC
   confluent.metadata.basic.auth.user.info=<username>:<password>
   confluent.metadata.public.key.path=<path-to-public-key>

.. _security_sasl_rbac_oauthbearer_rpconfig:

Configuring |crest-long|
------------------------

Configure the login service with bearer token authentication in your :litwithvars:`|crest_props|`. For more information, see :ref:`rbac-rest-proxy-security`. For example:

.. code-block:: java

   # Replace all text between <> with appropriate values.
   kafka.rest.resource.extension.class=io.confluent.kafkarest.security.KafkaRestSecurityResourceExtension
   rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler
   confluent.metadata.bootstrap.server.urls=<protocol>://<host>:<port>
   confluent.metadata.http.auth.credentials.provider=BASIC
   confluent.metadata.basic.auth.user.info=<username>:<password>
   confluent.metadata.public.key.path=<path-to-public-key>
   client.security.protocol=SASL_PLAINTEXT

.. _security_sasl_rbac_oauthbearer_connectconfig:

Configuring |kconnect-long|
---------------------------

Configure the login service with bearer token authentication in your :litwithvars:`|kconnect_props|`. For more information, see :ref:`connect-rbac-index`. For example:

.. code-block:: java

   # Replace all text between <> with appropriate values.
   rest.extension.classes=io.confluent.connect.security.ConnectSecurityExtension
   rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler
   confluent.metadata.bootstrap.server.urls=<protocol>://<host>:<port>
   confluent.metadata.http.auth.credentials.provider=BASIC
   confluent.metadata.basic.auth.user.info=<username>:<password>
   public.key.path=<path-to-public-key>

.. _security_sasl_rbac_oauthbearer_ksqlconfig:

Configuring |ksqldb|
--------------------

Configure the login service with bearer token authentication in your :litwithvars:`|cksql_props|`. For more information, see :ref:`ksql-rbac`. For example:

.. code-block:: java

   # Replace all text between <> with appropriate values.
   ksql.security.extension.class=io.confluent.ksql.security.KsqlConfluentSecurityExtension
   ksql.authentication.plugin.class=io.confluent.ksql.security.VertxBearerOrBasicAuthenticationPlugin
   confluent.metadata.bootstrap.server.urls=<protocol>://<host>:<port>
   confluent.metadata.http.auth.credentials.provider=BASIC
   confluent.metadata.basic.auth.user.info=<username>:<password>
   public.key.path=/path/to/public-pem-key

.. _security_sasl_rbac_oauthbearer_c3config:

Configuring |c3|
----------------

Configure the login service with bearer token authentication in your :litwithvars:`|c3_props|`. For more information, see :ref:`controlcenter_security_rbac`. For example:

.. code-block:: java

   # Replace all text between <> with appropriate values.
   confluent.controlcenter.rest.authentication.method=BEARER
   confluent.controlcenter.streams.security.protocol=SASL_PLAINTEXT (or SASL_SSL if production)
   confluent.controlcenter.auth.bearer.public.key.path=/etc/confluent-control-center/public.pem
   confluent.controlcenter.metadata.username=<username>
   confluent.controlcenter.metadata.password=<password>
   confluent.controlcenter.metadata.urls=<protocol>://<host>:<port>

.. _security_sasl_rbac_oauthbearer_clientconfig:

Configuring |ak| Clients
------------------------

.. important:: If you are configuring |ak| clients for the |sr| or |crest| security plugins, you must prefix each parameter with ``confluent.license``. For example, ``security.protocol`` becomes ``confluent.license.security.protocol``. For additional information, see :ref:`kafka-rest-and-sasl-ssl-configs`.

To configure SASL authentication on the clients:

#. Configure the JAAS configuration property for each client in ``producer.properties`` or ``consumer.properties``. The login module describes how clients such as the producer and consumer connect to the |ak| broker. The following is an example configuration for a client using the OAUTHBEARER mechanism:

   ::

      # Replace all text between <> with appropriate values
      sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
          username="<username>" \
          password="<password>" \
          metadataServerUrls="<protocol>://<host>:<port>";

   .. include:: ../../kafka/includes/oauthbearer-warning.rst

#. Configure clients with the following properties (either in client ``properties`` files, in code, or with flags; for example, the ``--producer-property`` flag on ``kafka-console-producer``):

   .. code-block:: java

      security.protocol=SASL_SSL (or SASL_PLAINTEXT if non-production)
      sasl.mechanism=OAUTHBEARER
      sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler

#. The default implementation of SASL/OAUTHBEARER depends on the jackson-databind library. Because it is an optional dependency, you must declare it as a dependency in your build tool.

.. _security_sasl_rbac_oauthbearer_refresh:

Token Refresh for SASL/OAUTHBEARER
----------------------------------

|ak| periodically refreshes any token before it expires so that the client can continue to make connections to brokers. The parameters that control how the refresh algorithm operates are specified as part of the producer/consumer/broker configuration and are listed below. The default values should not need to be explicitly set.
+-------------------------------------------------+-------------------+
| Producer/Consumer/Broker Configuration Property | Default           |
+=================================================+===================+
| ``sasl.login.refresh.window.factor``            | .8                |
+-------------------------------------------------+-------------------+
| ``sasl.login.refresh.window.jitter``            | .05               |
+-------------------------------------------------+-------------------+
| ``sasl.login.refresh.min.period.seconds``       | 60                |
+-------------------------------------------------+-------------------+
| ``sasl.login.refresh.min.buffer.seconds``       | 300               |
+-------------------------------------------------+-------------------+

.. _security_sasl_rbac_oauthbearer_security:

Security Considerations for SASL/OAUTHBEARER
--------------------------------------------

- OAUTHBEARER should be used in production environments only with TLS encryption to prevent interception of tokens.
- For more details on OAuth 2 security considerations in general, refer to `RFC 6749, Section 10 `__.
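The broker-side check that the signed-token configuration on this page relies on, and the reason the default Unsecured JWT handling is unsuitable for production, as an added Python illustration that is not Confluent's or Kafka's code: the token is parsed, the accepted algorithm is pinned so that an ``alg: none`` token is refused, the signature is verified before any claim is trusted, and ``exp`` is enforced. It assumes an HMAC key as a stand-in for the MDS signing key pair (the real validator verifies an asymmetric signature using ``publicKeyPath``); only the signature primitive differs, the structural checks are the same.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. It stands in for the MDS key pair: MDS signs tokens
# with its private key and brokers verify them with publicKeyPath. Here a
# shared HMAC key plays both roles so the example runs with the stdlib only.
VERIFY_KEY = b"constructed-demo-key-not-a-real-secret"
PINNED_ALG = "HS256"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_token(claims: dict, key: Optional[bytes]) -> str:
    """Build a JWT. key=None yields an Unsecured JWT (alg "none", empty
    signature), the kind the default OAUTHBEARER implementation issues."""
    header = {"alg": PINNED_ALG if key else "none", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if key else b""
    return signing_input + "." + b64url_encode(sig)


def validate_token(token: str, key: bytes, now: float) -> dict:
    """Return the claims only for a token signed with the pinned algorithm,
    carrying a valid signature and not yet expired; otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the token header never gets to choose it, so "none" is refused.
    if header.get("alg") != PINNED_ALG:
        raise ValueError("unsecured or unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, ("%s.%s" % (h, p)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(p))  # trusted only after the signature check
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def is_accepted(token: str, key: bytes, now: float) -> bool:
    """True if validate_token accepts the token; used for quick yes/no checks."""
    try:
        validate_token(token, key, now)
        return True
    except ValueError:
        return False
```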
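How the four refresh properties in the Token Refresh section above interact, as an added Python model written for this page (not Kafka's own ``ExpiringCredentialRefreshingLogin`` code): the refresh point is placed at the window factor plus jitter of the token lifetime, then moved later to honour the minimum period and earlier to preserve the buffer, with both constraints ignored when they cannot fit into the remaining lifetime. Property names follow the table; the random jitter draw is passed in explicitly to keep the results deterministic.

```python
# Property names as listed in the table on this page, with their default values.
DEFAULTS = {
    "sasl.login.refresh.window.factor": 0.8,
    "sasl.login.refresh.window.jitter": 0.05,
    "sasl.login.refresh.min.period.seconds": 60,
    "sasl.login.refresh.min.buffer.seconds": 300,
}


def next_refresh(start: float, expire: float, now: float, jitter_draw: float,
                 cfg: dict = DEFAULTS) -> float:
    """Absolute time (seconds) at which the login thread should refresh a token
    issued at `start` and expiring at `expire`, decided at time `now`.
    `jitter_draw` is the uniform [0, 1) random number the jitter is scaled by."""
    if not 0.0 <= jitter_draw < 1.0:
        raise ValueError("jitter_draw must be in [0, 1)")
    lifetime = expire - start
    window = (cfg["sasl.login.refresh.window.factor"]
              + cfg["sasl.login.refresh.window.jitter"] * jitter_draw)
    refresh_at = start + lifetime * window  # 80-85% into the lifetime by default
    min_period = cfg["sasl.login.refresh.min.period.seconds"]
    buffer = cfg["sasl.login.refresh.min.buffer.seconds"]
    # Both constraints are ignored when they cannot both fit into the remaining lifetime
    # (short-lived tokens therefore get refreshed closer to expiry than the buffer asks).
    if min_period + buffer > expire - now:
        return refresh_at
    # Never refresh sooner than the minimum period from now ...
    refresh_at = max(refresh_at, now + min_period)
    # ... and keep at least the buffer before expiry, moving the refresh earlier if needed.
    if expire - refresh_at < buffer:
        refresh_at = expire - buffer
    return refresh_at


def schedule(lifetime_seconds: float, jitter_draw: float = 0.0) -> dict:
    """Summarise the refresh decision for a freshly issued token (start = now = 0)."""
    refresh_at = next_refresh(0.0, lifetime_seconds, 0.0, jitter_draw)
    return {
        "refresh_after_s": refresh_at,
        "buffer_kept_s": lifetime_seconds - refresh_at,
        "percent_of_lifetime": round(100.0 * refresh_at / lifetime_seconds, 1),
    }


if __name__ == "__main__":
    for lifetime in (3600, 600, 300):  # a 1 hour, 10 minute and 5 minute token
        print(lifetime, schedule(lifetime))
```

The 10 minute token shows the buffer pulling the refresh forward to 300 s, while the 5 minute token shows both constraints being dropped because 60 + 300 exceeds its lifetime.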