Prefixes for Configuring Security¶
Configuration Parameters¶
Each component in Confluent Platform can be configured for security. This table shows for each component, what the prefix is for security configuration properties and where to configure the property.
Important
Secrets config.providers do not propagate to prefixes such as client.*.
Thus, when using prefixes with secrets you must specify config.providers
and config.providers.securepass.class. Refer to Using prefixes in secrets configurations for details.
| Component | Prefix | Where to Configure |
|---|---|---|
| Broker | none | etc/kafka/server.properties |
| Broker LDAP configurations | ldap. |
etc/kafka/server.properties |
| Broker Metadata Service (MDS) back-end configurations | confluent.metadata. |
etc/kafka/server.properties |
| Metadata Service (MDS) configurations | confluent.metadata.server. |
etc/kafka/server.properties |
| Console Clients | none | client properties (for example, producer.config or consumer.config) |
| Connect workers | none, producer., consumer., or admin. |
etc/kafka/connect-distributed.properties |
| Control Center | confluent.controlcenter.streams.
confluent.controlcenter.connect.
confluent.controlcenter.ksql. |
etc/confluent-control-center/control-center.properties |
| Java Clients | Java clients use static parameters defined in the Javadoc: |
SslConfigs or SaslConfigs in Properties class |
| Metrics Reporter | confluent.metrics.reporter. |
etc/kafka/server.properties |
| Monitoring Interceptors in clients | confluent.monitoring.interceptor. |
client properties, e.g. producer.config or consumer.config |
| Monitoring Interceptors in Connect | producer.confluent.monitoring.interceptor.
consumer.confluent.monitoring.interceptor. |
etc/kafka/connect-distributed.properties |
| Monitoring Interceptors in Replicator | src.consumer.confluent.monitoring.interceptor. |
connector JSON file (not the worker properties file) |
| Rebalancer | confluent.rebalancer.metrics. |
Pass configuration (e.g. rebalance-metrics-client.properties) using --config-file |
| Replicator |
|
connector JSON file (not the worker properties file) |
| REST Proxy | client. |
etc/kafka/kafka-rest.properties |
| Schema Registry | kafkastore. |
etc/schema-registry/schema-registry.properties |
| ZooKeeper | none | etc/kafka/zookeeper.properties |
Environment Variables for Configuring HTTPS¶
If a component in Confluent Platform needs to connect to a service using HTTPS, for example to an HTTPS-enabled Confluent Schema Registry, you may need to configure the SSL credentials for that HTTPS connection. This table shows for each component, the name of the environment variable to configure with SSL credentials for those HTTPS connections.
| Component | Environment Variable |
|---|---|
| Broker | KAFKA_OPTS |
| Console Clients | KAFKA_OPTS |
| KSQL | KSQL_OPTS |
| Connect workers | KAFKA_OPTS |
| Confluent Rebalancer | REBALANCER_OPTS |
| Control Center | CONTROL_CENTER_OPTS |
| Schema Registry | SCHEMA_REGISTRY_OPTS |
| REST Proxy | KAFKAREST_OPTS |
Additional Environment Variables¶
If you are using the Schema Registry ACL Authorizer with SASL,
pass in the JAAS configuration file using the SECURITY_PLUGINS_OPTS environment
variable before calling sr-acl-cli.
export SECURITY_PLUGINS_OPTS=-Djava.security.auth.login.config=/etc/schema-registry/kafka_client_jaas.conf