Important

You are viewing documentation for an older version of Confluent Platform. For the latest, click here.

Confluent LDAP Authorizer

This is a commercial component of Confluent Platform.

Confluent LDAP Authorizer enables group-based authorization using the principal type Group as well as user-principal-based authorization using the principal type User. If a Deny rule matches the user principal or any of the groups that the user belongs to, access will be denied. Otherwise access is allowed if an Allow rule matches the user principal or any of the groups that the user belongs to. The configuration option allow.everyone.if.no.acl.found can be set to true to allow access if no ACLs match the user or groups. Super users or super groups with access to all resources can be configured using the configuration option super.users. This may contain user principals as well as group principals. For example:

super.users=User:kafkaBroker;Group:admin

Kerberos users with LDAP servers that provide Kerberos authentication as well group management can use the same LDAP server (e.g. Active Directory or Apache Directory Server) for both authentication and group-based authorization. Brokers using other security protocols or SASL mechanisms may also use group-based authorization using LDAP without using the LDAP server for authentication.

• Using the Confluent LDAP Authorizer
  • Install
  • Activate the Plugin
  • Tutorial: Starting a Kafka cluster with group-based authorization
    • Prerequisites
    • Start Kafka Cluster with LDAP Authorizer
      • Start ZooKeeper
      • Create users
      • Configure listeners for broker
      • Configure LDAP Authorizer
      • Start Kafka broker
    • Test LDAP group-based authorization
      • Create a topic
      • Configure producer and consumer
      • Run console producer without authorizing user
      • Authorize group and rerun producer
      • Run console consumer without access to consumer group
      • Authorize group and rerun consumer
    • Authentication and group-based authorization using an LDAP server
• Configuring the LDAP Authorizer
  • Configuration Overview
    • Configuring LDAP Context
    • Configuring SSL for LDAP
    • Configuring GSSAPI for LDAP
    • Configuring Password Credentials for LDAP
    • Configuring LDAP Search
      • Sample Configuration for Group-Based Search
      • Sample Configuration for User-Based Search
    • Configuring LDAP Filters to Limit Search Results
    • Using Persistent LDAP Search
  • LDAP Authorizer Configuration Options
    • Confluent License
    • LDAP Search Configuration
    • LDAP search by groups
    • LDAP search by users
    • Error Handling Configuration
    • SSL Configuration for LDAP connection
    • SASL Configuration for LDAP connection
• Configure LDAP Authentication
  • LDAP Authentication Using Simple Bind
  • LDAP Authentication Using Password Search