.. _security_prefixes:

Prefixes for Configuring Security
---------------------------------

Configuration Parameters
~~~~~~~~~~~~~~~~~~~~~~~~

Each component and many areas of functionality (for example, audit logging) in |cp| can be
configured for security. This table shows which prefixes are used for security configuration
properties and where to configure them.

.. important:: Secrets ``config.providers`` do not propagate to prefixes such as ``client.*``.
   Thus, when using prefixes with secrets you must specify ``config.providers`` and
   ``config.providers.securepass.class``. Refer to :ref:`secrets-prefixes` for details.

===================================================== ============================================================================================= ==========================================================
Security Configuration                                Prefix                                                                                        Where to Configure
===================================================== ============================================================================================= ==========================================================
Audit logging                                         ``confluent.security.event.``                                                                 ``etc/kafka/server.properties``
Broker                                                none                                                                                          ``etc/kafka/server.properties``
Broker LDAP configurations                            ``ldap.``                                                                                     ``etc/kafka/server.properties``
Broker Metadata Service (MDS) back-end configurations ``confluent.metadata.``                                                                       ``etc/kafka/server.properties``
Metadata Service (MDS) configurations                 ``confluent.metadata.server.``                                                                ``etc/kafka/server.properties``
Console Clients                                       none                                                                                          ``client properties`` (for example, ``producer.config`` or ``consumer.config``)
Connect workers                                       none, ``producer.``, ``consumer.``, or ``admin.``                                             ``etc/kafka/connect-distributed.properties``
|c3-short|                                            - ``confluent.controlcenter.streams.``                                                        ``etc/confluent-control-center/control-center.properties``
                                                      - ``confluent.controlcenter.connect.``
                                                      - ``confluent.controlcenter.ksql.``
Java Clients                                          Java clients use static parameters defined in the SslConfigs or SaslConfigs in
                                                      Properties class Javadoc:

                                                      - :platform:`SSL|clients/javadocs/javadoc/org/apache/kafka/common/config/SslConfigs.html`
                                                      - :platform:`SASL|clients/javadocs/javadoc/org/apache/kafka/common/config/SaslConfigs.html`
Metrics Reporter                                      ``confluent.metrics.reporter.``                                                               ``etc/kafka/server.properties``
Monitoring Interceptors in clients                    ``confluent.monitoring.interceptor.``                                                         client properties, e.g. ``producer.config`` or ``consumer.config``
Monitoring Interceptors in Connect                    - ``producer.confluent.monitoring.interceptor.``                                              ``etc/kafka/connect-distributed.properties``
                                                      - ``consumer.confluent.monitoring.interceptor.``
Monitoring Interceptors in Replicator                 ``src.consumer.confluent.monitoring.interceptor.``                                            connector JSON file (not the worker properties file)
Rebalancer                                            ``confluent.rebalancer.metrics.``                                                             Pass configuration (e.g. ``rebalance-metrics-client.properties``) using ``--config-file``
Replicator                                            - ``dest.kafka.``                                                                             connector JSON file (not the worker properties file)
                                                      - ``src.kafka.``
|crest|                                               ``client.``                                                                                   ``etc/kafka/kafka-rest.properties``
|sr|                                                  ``kafkastore.``                                                                               ``etc/schema-registry/schema-registry.properties``
|zk|                                                  none                                                                                          ``etc/kafka/zookeeper.properties``
===================================================== ============================================================================================= ==========================================================

Environment Variables for Configuring HTTPS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If a component in |cp| needs to connect to a service using HTTPS, for example to an
HTTPS-enabled |sr-long|, you may need to configure the
:ref:`TLS/SSL credentials for that HTTPS connection `. This table shows, for each component,
the name of the environment variable to configure with TLS/SSL credentials for those HTTPS
connections.

+----------------------+--------------------------+
| Component            | Environment Variable     |
+======================+==========================+
| Broker               | ``KAFKA_OPTS``           |
+----------------------+--------------------------+
| Console Clients      | ``KAFKA_OPTS``           |
+----------------------+--------------------------+
| |ksqldb|             | ``KSQL_OPTS``            |
+----------------------+--------------------------+
| Connect workers      | ``KAFKA_OPTS``           |
+----------------------+--------------------------+
| Confluent Rebalancer | ``REBALANCER_OPTS``      |
+----------------------+--------------------------+
| |c3-short|           | ``CONTROL_CENTER_OPTS``  |
+----------------------+--------------------------+
| |sr|                 | ``SCHEMA_REGISTRY_OPTS`` |
+----------------------+--------------------------+
| |crest|              | ``KAFKAREST_OPTS``       |
+----------------------+--------------------------+

Additional Environment Variables
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you are using the |sr| :ref:`ACL Authorizer with SASL `, pass in the JAAS configuration file
using the ``SECURITY_PLUGINS_OPTS`` environment variable before calling ``sr-acl-cli``.

.. include:: ../includes/sracl-env.rst
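
The ``config.providers`` note under Configuration Parameters can be checked mechanically before a properties file is deployed. The following Python check is an added example, not part of the original page or Confluent's code: it reports every prefix whose values reference a ``securepass`` secret without the matching prefixed provider settings. The ``${securepass:...}`` reference form, the subset of prefixes, and the sample file contents are assumptions made for illustration.

```python
import re

# Prefixes taken from the table on this page (subset; longest match wins).
PREFIXES = ("confluent.metadata.server.", "confluent.metadata.", "kafkastore.",
            "client.", "producer.", "consumer.", "admin.")
# Assumed placeholder form for a secret reference: ${securepass:<path>:<key>}
SECRET_REF = re.compile(r"\$\{securepass:[^}]+\}")
REQUIRED = ("config.providers", "config.providers.securepass.class")


def parse_properties(text):
    """Parse simple key=value lines; skip blanks and '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def prefix_of(key, prefixes=PREFIXES):
    """Return the longest known prefix of key, or '' for an unprefixed key."""
    return max((p for p in prefixes if key.startswith(p)), key=len, default="")


def missing_provider_settings(text, prefixes=PREFIXES):
    """Return provider keys that are absent for prefixes using a secret."""
    props = parse_properties(text)
    used = {prefix_of(k, prefixes) for k, v in props.items() if SECRET_REF.search(v)}
    return [p + s for p in sorted(used) for s in REQUIRED if p + s not in props]


# Constructed kafka-rest.properties: the unprefixed provider is declared,
# but client.* values also use secrets and have no provider of their own.
SAMPLE = """\
config.providers=securepass
config.providers.securepass.class=io.confluent.kafka.security.config.provider.SecurePassConfigProvider
ssl.keystore.password=${securepass:/constructed/secrets.properties:kafka-rest.properties/ssl.keystore.password}
client.ssl.truststore.password=${securepass:/constructed/secrets.properties:kafka-rest.properties/client.ssl.truststore.password}
"""

if __name__ == "__main__":
    for key in missing_provider_settings(SAMPLE):
        print("missing:", key)
```

An empty result means every prefix that uses a secret also declares its own provider; run the check against each component file listed in the table with the prefixes that apply to it.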