Configure Kerberos Authentication for Brokers Running MDS

This procedure describes how to combine LDAP-backed authentication for the Metadata Service (MDS) with Kerberos authentication between brokers. In the resulting configuration MDS authenticates users against LDAP and issues tokens, the inter-broker listener authenticates with Kerberos (SASL/GSSAPI), and the client listener accepts MDS-issued tokens (SASL/OAUTHBEARER).

Prerequisites

Tip

You can store passwords (for example, the LDAP bind password in ldap.java.naming.security.credentials) and other configuration data securely by using the confluent secret commands. For more information, see Secrets.

  1. Add the following required configuration options to the etc/kafka/server.properties file. Any content in angle brackets (<>) must be customized for your environment; the LDAP group search base, object classes, and member attribute pattern shown below are also example values and must match your directory.

    Note

    The LDAP configuration attributes in this example reflect a system using Active Directory (AD). If you use a different directory system, contact your LDAP administrator for details.

     ############################# Confluent Authorizer Settings #############################
     authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
     confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT
     # http:// is shown for simplicity; MDS hands out bearer tokens on this endpoint,
     # so front it with TLS (https://) in production.
     confluent.metadata.server.listeners=http://0.0.0.0:8090
     confluent.metadata.server.advertised.listeners=http://localhost:8090
     #### Semi-colon separated list of super users in the format <principalType>:<principalName> ####
     #### For example: super.users=User:admin;User:mds ####
     super.users=User:<org-super-user>;User:<org-kerberos-principal>

     ############################# Identity Provider Settings (LDAP) #############################
     #### JNDI Connection Settings ####
     ldap.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
     # ldap:// with a simple bind sends the bind password in clear text; prefer ldaps://<hostname>:636
     ldap.java.naming.provider.url=ldap://<hostname>:389
     ####  MDS Authentication Settings ####
     ldap.java.naming.security.principal=<mds-user-DN>
     ldap.java.naming.security.credentials=<password>
     ldap.java.naming.security.authentication=simple
     #### Client Authentication Settings ####
     ldap.user.search.base=<user-search-base-DN>
     ldap.user.name.attribute=sAMAccountName
     # Example values: replace the search base, object classes, and member pattern
     # with the ones that match your directory.
     ldap.group.search.base=CN=Users,DC=rbac,DC=confluent,DC=io
     ldap.group.object.class=group
     ldap.group.member.attribute.pattern=UID=(.*),OU=Users,DC=EXAMPLE,DC=COM
     ldap.user.object.class=account

     ############################# MDS Server Settings #############################
     confluent.metadata.server.authentication.method=BEARER

     ############################# MDS Token Service Settings #############################
     confluent.metadata.server.token.key.path=<path-to-token-key-pair.pem>

     ############################# Listener Settings #############################
     listeners=INTERNAL_SASL_PLAINTEXT://:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://:9092
     advertised.listeners=INTERNAL_SASL_PLAINTEXT://localhost:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://localhost:9092
     inter.broker.listener.name=INTERNAL_SASL_PLAINTEXT

     ############################# Listener SASL Configuration Settings #############################
     # SASL_PLAINTEXT authenticates but does not encrypt; use SASL_SSL for production traffic.
     listener.security.protocol.map=INTERNAL_SASL_PLAINTEXT:SASL_PLAINTEXT,EXTERNAL_RBAC_SASL_PLAINTEXT:SASL_PLAINTEXT

     ############################# Broker Internal Listener SASL Configuration Settings #############################
     sasl.mechanism.inter.broker.protocol=GSSAPI
     listener.name.internal_sasl_plaintext.sasl.enabled.mechanisms=GSSAPI
     listener.name.internal_sasl_plaintext.sasl.kerberos.service.name=kafka
     # principal is the broker's own Kerberos principal, for example kafka/kafka1.hostname.com@EXAMPLE.COM.
     # debug=true writes ticket details to the broker log; turn it off once the login works.
     listener.name.internal_sasl_plaintext.gssapi.sasl.jaas.config=\
       com.sun.security.auth.module.Krb5LoginModule required \
       debug=true \
       useKeyTab=true \
       storeKey=true \
       keyTab="<path-to-your-keytab>" \
       principal="<org-kerberos-principal>";

     ############################# Broker External (Client) Listener SASL Configuration Settings #############################
     listener.name.external_rbac_sasl_plaintext.sasl.enabled.mechanisms=OAUTHBEARER
     # publicKeyPath is the public key the broker uses to verify tokens issued by MDS.
     listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.jaas.config=\
       org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
       publicKeyPath="<path-to-your-public-key>";
     listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
     listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler

    For a description of the parameters, see:

  2. Start Confluent Platform.
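Before starting the platform it is worth checking the file for the mistakes that this combined setup makes easy: an inter-broker listener whose SASL mechanism is not enabled on it, a broker principal missing from super.users, placeholders left in angle brackets, and the clear-text transports (ldap:// simple bind, http:// MDS endpoint, SASL_PLAINTEXT listeners) that the example above uses for simplicity. The following linter is an added example written for this page, not Confluent Platform code; it parses the Java .properties format, including the backslash-continued JAAS lines, and runs those checks. The sample input is constructed from the page's snippet with hypothetical hostnames, keytab path and principal filled in, and HARDENED shows the same file with the weak settings corrected.

```python
"""Lint a server.properties for the LDAP + Kerberos + OAUTHBEARER layout above.

Added example; not Confluent Platform code. SAMPLE is constructed from the
page's snippet with hypothetical hostnames, paths and principals filled in.
"""
import re

# Constructed input: the page's example with one placeholder still unfilled.
SAMPLE = r"""
authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
confluent.metadata.server.listeners=http://0.0.0.0:8090
super.users=User:<org-super-user>;User:kafka/kafka1.example.com@EXAMPLE.COM
ldap.java.naming.provider.url=ldap://ldap.example.com:389
ldap.java.naming.security.authentication=simple
listeners=INTERNAL_SASL_PLAINTEXT://:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://:9092
inter.broker.listener.name=INTERNAL_SASL_PLAINTEXT
listener.security.protocol.map=INTERNAL_SASL_PLAINTEXT:SASL_PLAINTEXT,EXTERNAL_RBAC_SASL_PLAINTEXT:SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
listener.name.internal_sasl_plaintext.sasl.enabled.mechanisms=GSSAPI
listener.name.internal_sasl_plaintext.gssapi.sasl.jaas.config = \
  com.sun.security.auth.module.Krb5LoginModule required \
  debug=true \
  useKeyTab=true \
  storeKey=true \
  keyTab="/etc/security/keytabs/kafka.keytab" \
  principal="kafka/kafka1.example.com@EXAMPLE.COM";
listener.name.external_rbac_sasl_plaintext.sasl.enabled.mechanisms=OAUTHBEARER
"""

# The same file with the weak settings corrected. Listener *names* are only
# labels and are kept; the protocol map is what changes the transport.
HARDENED = (SAMPLE.replace("ldap://", "ldaps://").replace(":389", ":636")
            .replace("http://0.0.0.0:8090", "https://0.0.0.0:8090")
            .replace("SASL_PLAINTEXT:SASL_PLAINTEXT", "SASL_PLAINTEXT:SASL_SSL")
            .replace("debug=true", "debug=false")
            .replace("<org-super-user>", "admin"))


def parse_properties(text):
    """Java .properties subset: '#'/'!' comments, key=value, and a trailing
    backslash that joins the next line (leading whitespace dropped)."""
    props, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is None:
            if not line or line[0] in "#!":
                continue
            pending = ""
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, sep, value = (pending + line).partition("=")
        if sep:
            props[key.strip()] = value.strip()
        pending = None
    return props


def lint(props):
    """Return a list of findings (empty means the checks all passed)."""
    f = []
    for k, v in props.items():                      # unfilled <placeholders>
        if re.search(r"<[^>]+>", v):
            f.append(f"placeholder left in {k}: {v}")
    names = [x.split("://", 1)[0] for x in props.get("listeners", "").split(",") if x]
    proto = dict(x.split(":", 1) for x in props.get("listener.security.protocol.map", "").split(",") if x)
    for n in names:                                 # every listener needs a protocol
        if n not in proto:
            f.append(f"listener {n} missing from listener.security.protocol.map")
    ibl = props.get("inter.broker.listener.name", "")
    if ibl not in names:
        f.append(f"inter.broker.listener.name {ibl!r} is not a configured listener")
    mech = props.get("sasl.mechanism.inter.broker.protocol", "")
    if mech and mech not in props.get(f"listener.name.{ibl.lower()}.sasl.enabled.mechanisms", "").split(","):
        f.append(f"{mech} not enabled on inter-broker listener {ibl}")
    jaas = props.get(f"listener.name.{ibl.lower()}.{mech.lower()}.sasl.jaas.config", "")
    if "useKeyTab=true" not in jaas:
        f.append("broker Kerberos login does not use a keytab")
    if "debug=true" in jaas:
        f.append("JAAS debug=true writes ticket details to the broker log")
    m = re.search(r'principal="([^"]+)"', jaas)     # broker principal must be a super user
    if m and f"User:{m.group(1)}" not in [s.strip() for s in props.get("super.users", "").split(";")]:
        f.append(f"broker principal {m.group(1)} is not in super.users")
    if (props.get("ldap.java.naming.provider.url", "").startswith("ldap://")
            and props.get("ldap.java.naming.security.authentication") == "simple"):
        f.append("LDAP simple bind over ldap:// sends the MDS bind password in clear text")
    if props.get("confluent.metadata.server.listeners", "").startswith("http://"):
        f.append("MDS listener is http://; bearer tokens travel unencrypted")
    for n, p in proto.items():
        if p.endswith("PLAINTEXT"):
            f.append(f"listener {n} uses {p}; Kafka SASL/GSSAPI does not encrypt traffic, use SASL_SSL")
    return f


if __name__ == "__main__":
    for label, text in (("SAMPLE", SAMPLE), ("HARDENED", HARDENED)):
        print(label, lint(parse_properties(text)) or ["ok"])
```

The super.users check compares the full Kerberos principal, as the example above does; if you map principals with sasl.kerberos.principal.to.local.rules, the super.users entry must be the mapped short name instead, and the check should be adjusted accordingly. Run the script against a real file with `lint(parse_properties(open("/etc/kafka/server.properties").read()))`.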