Important: You are viewing documentation for an older version of Confluent Platform.
ZooKeeper Security
You can enable security in ZooKeeper by using the examples below. For a complete Confluent Platform security example, see the Security Tutorial.
Enable ZooKeeper Authentication with SASL
Enable ZooKeeper authentication with SASL by using one of these methods.
Add the following to zookeeper.properties to enable SASL while still allowing connections without authentication:
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
Add the following to the ZooKeeper JVM command line:
-Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
Require All Connections to use SASL Authentication
Add the requirement that all connections must use SASL authentication by using one of these methods.
Add the following to zookeeper.properties:
requireClientAuthScheme=sasl
Add this to the ZooKeeper JVM command line:
-Dzookeeper.requireClientAuthScheme=sasl
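The two settings above (enabling SASL, and then requiring it) can be set in zookeeper.properties or as -Dzookeeper.* JVM flags. The following audit script, an added example that is not Confluent's or ZooKeeper's own code, reads both sources for a node and reports whether SASL is merely enabled (unauthenticated clients still accepted) or actually enforced; the sample properties file and JVM command line are constructed.

```python
import shlex

SASL_PROVIDER = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"


def parse_properties(text):
    """Parse Java-style key=value lines; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_jvm_flags(cmdline):
    """Collect -Dzookeeper.<key>=<value> system properties from a JVM command line."""
    props = {}
    for token in shlex.split(cmdline):
        if token.startswith("-Dzookeeper."):
            key, _, value = token[len("-Dzookeeper."):].partition("=")
            props[key] = value
    return props


def audit_sasl(properties_text="", jvm_cmdline=""):
    """Return {'enabled', 'required', 'findings'} for one ZooKeeper node."""
    merged = parse_properties(properties_text)
    merged.update(parse_jvm_flags(jvm_cmdline))  # a setting from either source counts
    providers = [v for k, v in merged.items() if k.startswith("authProvider.")]
    enabled = SASL_PROVIDER in providers
    required = merged.get("requireClientAuthScheme") == "sasl"
    findings = []
    if not enabled:
        findings.append("no SASLAuthenticationProvider registered; SASL is not enabled")
    if enabled and not required:
        findings.append("SASL enabled but connections without authentication are still allowed")
    if required and not enabled:
        findings.append("requireClientAuthScheme=sasl set but no SASL authProvider configured")
    return {"enabled": enabled, "required": required, "findings": findings}


# Constructed samples mirroring the two methods shown above (not real deployments).
SAMPLE_PROPERTIES = """# zookeeper.properties (constructed)
dataDir=/var/lib/zookeeper
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
"""
SAMPLE_JVM = ("java -Dzookeeper.authProvider.1=" + SASL_PROVIDER
              + " -Dzookeeper.requireClientAuthScheme=sasl QuorumPeerMain")
```

Run audit_sasl(SAMPLE_PROPERTIES) to see the "enabled but not required" finding, and audit_sasl(SAMPLE_PROPERTIES, SAMPLE_JVM) for a node where both settings are present and no findings remain.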
SASL with Digest-MD5
Here is an example of a ZooKeeper node JAAS file:
Server {
org.apache.zookeeper.server.auth.DigestLoginModule required
user_super="adminsecret"
user_bob="bobsecret";
};
Here is an example of a ZooKeeper client JAAS file, including brokers and admin scripts like kafka-topics:
Client {
org.apache.zookeeper.server.auth.DigestLoginModule required
username="bob"
password="bobsecret";
};
If your Kafka broker already has a JAAS file, this section must be added to it.
SASL with Kerberos
Here is an example of a ZooKeeper node JAAS file:
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/path/to/server/keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/yourzkhostname@EXAMPLE.COM";
};
Here is an example of a ZooKeeper client JAAS file, including brokers and admin scripts like kafka-topics:
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/etc/security/keytabs/kafka_server.keytab"
principal="kafka/kafka1.hostname.com@EXAMPLE.COM";
};