Metadata Service Configuration Options

The broker configuration (in the server.properties file) must set authorizer.class.name to io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer to enable role-based access control (RBAC) and the Metadata Service (also known as the Confluent Server Authorizer).

To retain ACLs (that have already been enabled) and enable RBAC, set confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT.

For more details about how to configure RBAC, see Configure Metadata Service (MDS).

RBAC supports the following Kafka configurations of the Metadata Service (MDS) back end, which you can override by using the prefixes specified below:

confluent.metadata.server.listeners

Binds the Metadata Service HTTP or HTTPS service to a port.

  • Type: int
  • Default: 8090
confluent.metadata.server.advertised.listeners

Configures the advertised hostname of the HTTP or HTTPS service.

  • Type: string
  • Default: null
confluent.metadata.server.token.auth.enable

(Required for LDAP) Enables JWT bearer authentication; in other words, it enables impersonation. When using RBAC, impersonation will not work unless you include this option.

  • Type: string
  • Default: true
confluent.metadata.server.token.max.lifetime.ms

Specifies a token’s maximum configured lifetime in milliseconds.

  • Type: int
  • Default: 3600000
confluent.metadata.server.token.key.path

Location of the PEM encoded public/private key pair to be used for signing and verifying tokens. Because the token service only supports RS256 signatures, key pairs must be generated using the RSA algorithm.

  • Type: string
  • Default: RS256
confluent.metadata.server.token.signature.algorithm

Signature scheme to be used when signing/verifying tokens, as defined in "alg" (Algorithm) Header Parameter Values for JWS. Only RS256 is currently supported.

  • Type: string
  • Default: RS256

HTTPS configurations

Use the following attributes to configure MDS to allow connections over HTTPS.

confluent.metadata.server.ssl.keystore.location

The key store file location. This is optional for clients and can be used for two-way (mutual) authentication of the client.

  • Type: string
  • Default: null
  • Importance: high
confluent.metadata.server.ssl.keystore.password

The key store file password. Optional for clients, and only required if confluent.metadata.server.ssl.keystore.location is configured.

  • Type: password
  • Default: null
  • Importance: high
confluent.metadata.server.ssl.key.password

The private key password in the key store file. Optional for clients.

  • Type: password
  • Default: null
  • Importance: high
confluent.metadata.server.ssl.truststore.location

The trust store file location.

  • Type: string
  • Default: null
  • Importance: high
confluent.metadata.server.ssl.truststore.password

The trust store file password. If a password is not set, access to the truststore is still available, but integrity checking is disabled.

  • Type: password
  • Default: null
  • Importance: high

The following is an example configuration for setting up HTTPS for MDS. Any content in brackets (<>) must be customized for your environment.

authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT
confluent.metadata.server.listeners=https://localhost:8090
confluent.metadata.server.advertised.listeners=https://localhost:8090

confluent.metadata.server.ssl.keystore.location=<path-to-keystore>
confluent.metadata.server.ssl.keystore.password=<host-keystore-password>
confluent.metadata.server.ssl.key.password=<host-cert-password>
confluent.metadata.server.ssl.truststore.location=<path-to-truststore>
confluent.metadata.server.ssl.truststore.password=<host-truststore-password>

When logging in to an MDS that is configured for HTTPS, most clients, including the Confluent CLI, automatically pick up trusted certificates from the system truststore. To use self-signed or custom certificates that are not part of the system truststore when using the Confluent CLI, see the --ca-cert-path option in confluent login.
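The example configuration above is easy to get subtly wrong: a placeholder left unfilled, an HTTP listener where HTTPS was intended, a truststore without a password (integrity checking silently off), or a token lifetime far beyond the default. The following script is an added example, not Confluent's code or tooling. It parses a server.properties file and checks the MDS settings against the rules stated in this reference; the sample properties text, the policy limit on token lifetime, and the file paths it contains are constructed for the example.

```python
"""Offline sanity checks for the MDS/RBAC settings in a Kafka server.properties file.

Added example (not Confluent code). It reads the Java .properties format and applies
the rules from the configuration reference: ConfluentServerAuthorizer enabled, the
CONFLUENT access rule provider present, an HTTPS listener backed by a keystore,
a truststore password set (otherwise integrity checking is disabled), RS256 as the
only supported token algorithm, a bounded token lifetime, and no <placeholders> left.
"""
import re

AUTHORIZER = "io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer"
MDS = "confluent.metadata.server."

# Constructed sample: the HTTPS example from the reference with its placeholders still
# unfilled, no truststore password, and a 24 h token lifetime instead of the 1 h default.
SAMPLE_PROPERTIES = """\
# broker RBAC / MDS settings (constructed sample)
authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT
confluent.metadata.server.listeners=https://localhost:8090
confluent.metadata.server.advertised.listeners=https://localhost:8090
confluent.metadata.server.token.auth.enable=true
confluent.metadata.server.token.max.lifetime.ms=86400000
confluent.metadata.server.token.signature.algorithm=RS256
confluent.metadata.server.ssl.keystore.location=<path-to-keystore>
confluent.metadata.server.ssl.keystore.password=<host-keystore-password>
confluent.metadata.server.ssl.key.password=<host-cert-password>
confluent.metadata.server.ssl.truststore.location=/etc/kafka/ssl/truststore.jks
"""


def parse_properties(text):
    """Minimal .properties parser: key=value lines, '#' or '!' comments, blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_mds_config(props, max_token_lifetime_ms=3600000):
    """Return a list of findings; an empty list means the MDS settings look sane.

    max_token_lifetime_ms is a local policy limit (assumed here to equal the default)."""
    findings = []
    if props.get("authorizer.class.name") != AUTHORIZER:
        findings.append("authorizer.class.name must be ConfluentServerAuthorizer to enable RBAC/MDS")
    providers = [x.strip() for x in props.get("confluent.authorizer.access.rule.providers", "").split(",")]
    if "CONFLUENT" not in providers:
        findings.append("access.rule.providers does not list CONFLUENT, the RBAC provider")
    if not props.get(MDS + "listeners", "").startswith("https://"):
        findings.append("MDS listener is not HTTPS; credentials and tokens would be sent in clear text")
    else:
        for key in ("ssl.keystore.location", "ssl.keystore.password", "ssl.key.password"):
            if MDS + key not in props:
                findings.append(f"{MDS}{key} is missing although the MDS listener is HTTPS")
    if MDS + "ssl.truststore.location" in props and MDS + "ssl.truststore.password" not in props:
        findings.append("truststore has no password, so truststore integrity checking is disabled")
    alg = props.get(MDS + "token.signature.algorithm", "RS256")
    if alg != "RS256":
        findings.append(f"token signature algorithm {alg!r} is not supported; only RS256 is")
    lifetime = int(props.get(MDS + "token.max.lifetime.ms", 3600000))
    if lifetime > max_token_lifetime_ms:
        findings.append(f"token max lifetime {lifetime} ms exceeds the policy limit of {max_token_lifetime_ms} ms")
    for key, value in props.items():
        if key.startswith(MDS) and re.fullmatch(r"<[^<>]+>", value):
            findings.append(f"{key} still contains the placeholder {value}")
    return findings


if __name__ == "__main__":
    for finding in check_mds_config(parse_properties(SAMPLE_PROPERTIES)):
        print("-", finding)
```

Run it against a real server.properties by replacing SAMPLE_PROPERTIES with the file's contents; the sample above yields five findings (three unfilled placeholders, the missing truststore password, and the oversized token lifetime). The checks are deliberately conservative: an HTTP listener is reported even when MDS is only reachable on a trusted network, because the reference's HTTPS section exists precisely so that this decision is explicit.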