Configuring the Confluent Server Authorizer

To view configuration details about role-based access control (RBAC), see:

Configuration Overview

To enable authorization using the Confluent Server Authorizer, the broker configuration (in the server.properties file) must set authorizer.class.name to io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer:

authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer

The following configuration options are also processed by the Confluent Server Authorizer.

super.users

Semicolon-separated list of principals (super users or super groups) that are granted access to all resources, for all actions, on all hosts. If a resource has no ACLs associated with it, only super users can access it (unless allow.everyone.if.no.acl.found is enabled). For an example of how to set this, see Configure Brokers.

  • Type: string
  • Default: “”
  • Importance: medium
allow.everyone.if.no.acl.found

Boolean flag that indicates whether or not everyone is allowed access to a resource if no ACL is found for the user principal or any of the groups to which the user belongs.

  • Type: boolean
  • Default: false
  • Importance: medium
broker.users

Semicolon-separated list of principals of users who are allowed access to all resources on inter-broker listeners. Unlike super.users, broker.users only allows requests originating from inter-broker listeners. The primary purpose of this option is to bootstrap MDS clusters when using the centralized ACL feature.

  • Type: string
  • Default: “”
  • Importance: medium
confluent.license

Confluent issues a license key to each subscriber. The license key is a short snippet of text that you can copy and paste. Without the license key, you can use Confluent security plugins for a 30-day trial period. If you are a subscriber and don’t have a license key, please contact Confluent Support at support@confluent.io.

  • Type: string
  • Default: “”
  • Importance: high
confluent.authorizer.access.rule.providers

List of access rule providers that are enabled. Supported access rule providers are CONFLUENT and ZK_ACL. The ACL-based provider is enabled by default.

  • Type: list
  • Default: ZK_ACL
  • Importance: medium
confluent.authorizer.init.timeout.ms

The number of milliseconds to wait for the Authorizer to start up and initialize any metadata from Kafka topics. On brokers of the cluster hosting metadata topics, inter-broker listeners will be started prior to initialization of Authorizer metadata from Kafka topics.

  • Type: int
  • Default: 600000 (valid values: 0 or greater)
  • Importance: low
confluent.http.server.listeners

Specifies, changes, or disables the HTTP listener that the broker uses for the local metadata service and local clusters. This option only applies when MDS is not hosted on this broker. If this broker hosts an embedded HTTP server plugin for metadata related to the local cluster, specify a comma-separated list of listener URLs for the HTTP server. To bind to all interfaces, use 0.0.0.0 as the hostname. Examples of valid listeners are https://0.0.0.0:8090 and http://127.0.0.1:8091. To disable the broker’s HTTP listener, set this option to a blank value. By default, Confluent Server always enables an HTTP metadata listener on port 8090.

  • Type: int
  • Default: https://0.0.0.0:8090
  • Importance: medium
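The following is an added example, not part of the Confluent documentation and not Confluent's authorizer code. It parses a constructed server.properties fragment that uses the options described above and then models, in simplified form, the decision rules those options imply: super.users principals (and super groups) bypass everything; broker.users principals are honoured only for requests arriving on an inter-broker listener; a resource with no ACLs is denied unless allow.everyone.if.no.acl.found is true. It also audits the parsed configuration for the two settings a reviewer would look at first: the authorizer class and allow.everyone.if.no.acl.found. Assumptions: principals use the Kafka "User:name" / "Group:name" format, and an ACL is reduced to a set of principals granted access (real ACLs also carry operation, permission type and host).

```python
from dataclasses import dataclass, field

# Constructed sample broker configuration (not taken from a real deployment).
SAMPLE_SERVER_PROPERTIES = """\
# Confluent Server Authorizer settings
authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
super.users=User:admin;Group:platform-admins
allow.everyone.if.no.acl.found=false
broker.users=User:kafka-broker
confluent.authorizer.access.rule.providers=ZK_ACL
confluent.http.server.listeners=https://0.0.0.0:8090
"""

AUTHORIZER_CLASS = "io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer"


def parse_properties(text):
    """Minimal Java-properties parser: key=value per line, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_principals(value):
    """Split a semicolon-separated principal list (super.users, broker.users)."""
    return {p.strip() for p in value.split(";") if p.strip()}


@dataclass
class Request:
    principal: str                      # e.g. "User:alice" (assumed principal format)
    groups: set = field(default_factory=set)  # group names the user belongs to
    from_inter_broker_listener: bool = False


def authorize(props, request, resource_acls):
    """Simplified decision model; returns 'ALLOW' or 'DENY'.

    resource_acls is the set of principals granted access to the resource;
    an empty set means the resource has no ACLs at all.
    """
    super_users = parse_principals(props.get("super.users", ""))
    broker_users = parse_principals(props.get("broker.users", ""))
    allow_everyone = props.get("allow.everyone.if.no.acl.found", "false").lower() == "true"

    # The caller's identities: its own principal plus a Group: principal per group.
    identities = {request.principal} | {f"Group:{g}" for g in request.groups}

    if identities & super_users:
        return "ALLOW"  # super users/groups: all resources, all actions, all hosts
    if request.from_inter_broker_listener and request.principal in broker_users:
        return "ALLOW"  # broker.users only count on inter-broker listeners
    if not resource_acls:
        return "ALLOW" if allow_everyone else "DENY"  # no ACL found for the resource
    return "ALLOW" if identities & resource_acls else "DENY"


def audit(props):
    """Return a list of findings for settings that weaken authorization."""
    findings = []
    if props.get("authorizer.class.name") != AUTHORIZER_CLASS:
        findings.append("authorizer.class.name is not the Confluent Server Authorizer")
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: unprotected resources are open to all")
    return findings


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_SERVER_PROPERTIES)
    print("super.users:", sorted(parse_principals(cfg["super.users"])))
    print("bob, no ACLs:", authorize(cfg, Request("User:bob"), set()))
    print("audit:", audit(cfg) or "no findings")
```

Flip allow.everyone.if.no.acl.found to true in the sample and the same request from User:bob against a resource with no ACLs becomes ALLOW, which is exactly why the audit flags that setting.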