.. _connect-rbac-workers:

Configure |rbac| for a |kconnect| Worker
-------------------------------------------

.. tip:: Before configuring RBAC for |kconnect-long|, read the white paper `Role-Based Access Control (RBAC) for Kafka Connect `__. This white paper covers basic RBAC concepts and provides a deep dive into using RBAC with |kconnect-long| and connectors. It also contains a link to a GitHub demo so you can see how it all works on a local |cp| installation.

In an |rbac|-enabled environment, several |rbac| configuration lines need to be added to each |kconnect| worker file. The following steps describe what needs to be added to each |kconnect| worker file.

#. Add the following parameter to enable per-connector principals.

   ::

      connector.client.config.override.policy=All

#. Add the following parameters to enable the |kconnect| framework to authenticate with |ak| using a :ref:`service principal `. The |rbac-sa| is used by |kconnect| to read from and write to internal configuration topics. Note that ``<username>`` and ``<password>`` are the |rbac-sa| username and password that were granted permissions when setting up the :ref:`service principal `.

   ::

      # Or SASL_SSL if using TLS/SSL
      security.protocol=SASL_PLAINTEXT
      sasl.mechanism=OAUTHBEARER
      sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
      sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
        username="<username>" \
        password="<password>" \
        metadataServerUrls="http(s)://<host>:<port>";

#. Add the following parameters to establish **worker-wide default properties** for each type of |ak| client used by connectors in the cluster.

   ::

      producer.security.protocol=SASL_PLAINTEXT
      producer.sasl.mechanism=OAUTHBEARER
      producer.sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler

   .. note:: Any principal used by idempotent producers must be granted IdempotentWrite on the cluster or Write permission on any topic to initialize the producer client. Binding either the DeveloperWrite or ResourceOwner RBAC role on the |ak| cluster grants Write permission. DeveloperWrite is the less permissive of the two roles and is the recommended choice. Consumers do not require additional |ak| permissions to be idempotent. The following role binding grants the principal Write access to the cluster:

      ::

         confluent iam rbac role-binding create \
           --principal $PRINCIPAL \
           --role DeveloperWrite \
           --resource Cluster:kafka-cluster \
           --kafka-cluster-id $KAFKA_CLUSTER_ID

   ::

      consumer.security.protocol=SASL_PLAINTEXT
      consumer.sasl.mechanism=OAUTHBEARER
      consumer.sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler

   ::

      admin.security.protocol=SASL_PLAINTEXT
      admin.sasl.mechanism=OAUTHBEARER
      admin.sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler

#. Add the following Metadata Service (MDS) parameters to require user |rbac| authentication for |kconnect|. |rbac| authentication is required to allow users to create connectors, read connector configurations, and delete connectors.

   ::

      # Adds the RBAC REST extension to the Connect worker
      rest.extension.classes=io.confluent.connect.security.ConnectSecurityExtension
      # The location of a running metadata service
      confluent.metadata.bootstrap.server.urls=
      # Credentials to use when communicating with the MDS
      confluent.metadata.basic.auth.user.info=<username>:<password>
      confluent.metadata.http.auth.credentials.provider=BASIC

   .. note:: For additional configurations available to any client communicating with MDS, see :ref:`rest-client-mds-config` in the |cp| Security documentation.

#. Add the following parameter to have |kconnect| use basic authentication for user requests and token authentication for impersonated requests (for example, from REST proxy).

   ::

      rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler
      # The path to a directory containing public keys that should be used to verify json web tokens
      # during authentication
      public.key.path=

See :ref:`Secret Registry ` if you are using a Secret Registry for connector credentials.
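As an added example (not part of the Confluent documentation or product), the following Python script reads a worker properties file, including the multi-line ``sasl.jaas.config`` continuation, and reports which of the settings from the steps above are missing or which client types are still on ``SASL_PLAINTEXT``. The sample worker file, hostnames and credentials are constructed for the example.

```python
HANDLER = "io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler"
# Constructed worker file (not from the docs): consumer.*, admin.*, the REST initializer and public.key.path are left out.
SAMPLE = """\
connector.client.config.override.policy=All
security.protocol=SASL_PLAINTEXT
sasl.mechanism=OAUTHBEARER
sasl.login.callback.handler.class=%s
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \\
  username="connect-sa" \\
  password="example-secret" \\
  metadataServerUrls="https://mds.example.internal:8090";
producer.security.protocol=SASL_SSL
producer.sasl.mechanism=OAUTHBEARER
producer.sasl.login.callback.handler.class=%s
rest.extension.classes=io.confluent.connect.security.ConnectSecurityExtension
confluent.metadata.bootstrap.server.urls=https://mds.example.internal:8090
confluent.metadata.basic.auth.user.info=connect-sa:example-secret
confluent.metadata.http.auth.credentials.provider=BASIC
""" % (HANDLER, HANDLER)

def parse_properties(text):  # minimal Java .properties reader with '\' line continuations
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = line[:-1] if line.endswith("\\") else ""
        if pending or not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_connect_rbac(props):  # returns a list of findings; [] means every required setting is present
    findings = []
    def require(key, expect=None):  # expect: substring the value must contain
        if not props.get(key) or (expect and expect not in props[key]):
            findings.append("%s must be set%s" % (key, " and include " + expect if expect else ""))
    require("connector.client.config.override.policy", "All")
    require("sasl.jaas.config", "OAuthBearerLoginModule")
    for p in ("", "producer.", "consumer.", "admin."):  # the worker itself plus each client type
        require(p + "security.protocol")
        require(p + "sasl.mechanism", "OAUTHBEARER")
        require(p + "sasl.login.callback.handler.class", HANDLER)
        if props.get(p + "security.protocol") == "SASL_PLAINTEXT":
            findings.append(p + "security.protocol is SASL_PLAINTEXT: tokens cross the wire unencrypted")
    require("rest.extension.classes", "io.confluent.connect.security.ConnectSecurityExtension")
    require("confluent.metadata.http.auth.credentials.provider", "BASIC")
    require("rest.servlet.initializor.classes", "InstallBearerOrBasicSecurityHandler")
    for key in ("confluent.metadata.bootstrap.server.urls", "confluent.metadata.basic.auth.user.info", "public.key.path"):
        require(key)
    return findings
```

Run ``check_connect_rbac(parse_properties(open("connect-distributed.properties").read()))`` against a real worker file; an empty list means all settings from the steps above are present.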