Important
You are viewing documentation for an older version of Confluent Platform.
Using the Confluent REST Proxy Security Plugin
Install
Important
This software is available under a Confluent enterprise license. You can use this software for a 30-day trial period without a license key. If you are a subscriber, please contact Confluent Support at support@confluent.io for more information.
The Confluent security plugins are an extension to Confluent Platform components. The security plugins are installed by default if you are using ZIP and TAR archives, but must be installed manually if you are using DEB or RPM packages.
The default location for the Confluent REST Proxy Security Plugins is:
<path-to-confluent>/share/java/kafka-rest/confluent-security-plugins-common-<version>.jar
<path-to-confluent>/share/java/kafka-rest/confluent-kafka-rest-security-plugin-<version>.jar
ZIP and TAR Archives
If you installed Confluent Platform by using ZIP or TAR archives, the security plugins are installed by default and are located in <path-to-confluent>/share/java/ in the individual component directories.
Ubuntu and Debian
If you installed Confluent Platform in an Ubuntu or Debian environment, you must install the plugins separately with this command:
sudo apt-get update && sudo apt-get install confluent-security
RHEL and CentOS
If you installed Confluent Platform in a RHEL, CentOS, or Fedora-based environment, you must install the plugins separately with this command:
sudo yum install confluent-security
Activate the Plugins
After the installation is complete, you must add the following configuration to the Confluent REST Proxy configuration file (/etc/kafka-rest/kafka-rest.properties) to activate the plugins.
kafka.rest.resource.extension.class=io.confluent.kafkarest.security.KafkaRestSecurityResourceExtension
kafka.rest.resource.extension.class
Fully qualified class name of a valid implementation of the interface RestResourceExtension. This can be used to inject user-defined resources such as filters. Typically used to add custom capabilities like logging, security, etc.
- Type: string
- Default: “”
- Importance: low
Authentication Mechanisms
The authentication mechanism for incoming requests is determined by the confluent.rest.auth.propagate.method config. The only supported mechanism at present is SSL. To use the SSL mechanism, you must set ssl.client.auth to true in the Confluent REST Proxy config. Otherwise, all requests are rejected with an HTTP error code of 403.
The incoming X500 principal from the client is used as the principal for all requests to the Apache Kafka® broker. When connecting to the broker, authentication happens via SSL or SASL, depending on the value of client.security.protocol in the Confluent REST Proxy config. For details on how the propagation happens and how security must be configured, see Principal Propagation.
At a high level, the following is required for each of the security protocols:
- SSL - a keystore loaded with the certificates for all required principals; configured via client.ssl.keystore.type
- SASL - a JAAS config file with a KafkaClient section containing all principals along with their login modules and options; configured via -Djava.security.auth.login.config
Refer to Kafka Security for more details.
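The following audit script is an added example, not code from Confluent or from this page. It checks a kafka-rest.properties text for the settings this section requires and reports the ones that would leave the plugin inactive or cause every request to be rejected. The function names and the jvm_opts parameter are hypothetical, the sample files are constructed, and the values of client.security.protocol are assumed to follow Kafka's security.protocol names (SSL, SASL_SSL, ...).

```python
import re

EXTENSION = "io.confluent.kafkarest.security.KafkaRestSecurityResourceExtension"

def parse_properties(text):
    """Minimal .properties parser: no line continuations or escapes."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^=:\s#!][^=:\s]*)\s*[=:]?\s*(.*)", line)
        if m:  # blank and comment (# or !) lines do not match
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(text, jvm_opts=""):
    """Return findings for a kafka-rest.properties text; [] means it passed."""
    p = parse_properties(text)
    findings = []
    if p.get("kafka.rest.resource.extension.class") != EXTENSION:
        findings.append("plugin not activated: kafka.rest.resource.extension.class")
    if p.get("confluent.rest.auth.propagate.method", "SSL") != "SSL":
        findings.append("confluent.rest.auth.propagate.method: only SSL is supported")
    if p.get("ssl.client.auth", "").lower() != "true":
        findings.append("ssl.client.auth is not true: all requests get HTTP 403")
    # Assumption: values follow Kafka's security.protocol names (SSL, SASL_SSL, ...).
    proto = p.get("client.security.protocol", "").upper()
    if proto == "SSL":
        if not p.get("client.ssl.keystore.type"):
            findings.append("SSL to broker: client.ssl.keystore.type not set")
    elif proto.startswith("SASL"):
        if "-Djava.security.auth.login.config=" not in jvm_opts:
            findings.append("SASL to broker: JAAS config file not passed to the JVM")
    else:
        findings.append("client.security.protocol is neither SSL nor SASL")
    return findings

# Constructed sample configurations, not from a real deployment.
WEAK = """
# plugin jar installed but never activated
ssl.client.auth=false
client.security.protocol=SSL
"""
HARDENED = f"""
kafka.rest.resource.extension.class={EXTENSION}
ssl.client.auth=true
client.security.protocol=SSL
client.ssl.keystore.type=JKS
"""
if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED) or "OK")
```

Pass the JVM options string the REST Proxy is started with as jvm_opts so the SASL check can see the JAAS flag.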
Configuration
confluent.rest.auth.propagate.method
The mechanism used to authenticate REST Proxy requests. When broker security is enabled, the principal from this authentication mechanism is propagated to Kafka broker requests.
- Type: string
- Default: “SSL”
- Importance: low
confluent.license
Confluent will issue a license key to each subscriber. The license key will be a short snippet of text that you can copy and paste. Without the license key, you can use Confluent security plugins for a 30-day trial period. If you are a subscriber and don’t have a license key, please contact Confluent Support at support@confluent.io.
- Type: string
- Default: “”
- Importance: high