Configure Kerberos Authentication for Brokers Running MDS
This configuration describes how to combine LDAP authentication for MDS with Kerberos authentication for the brokers, so that both authentication methods are in use on the same cluster.
Prerequisites
- The prerequisites for configuring Kerberos authentication for MDS are the same as the prerequisites for configuring MDS. See Configure Metadata Service (MDS).
- Create a user for the Kafka broker.
- Generate the keytab. See Configuring GSSAPI.
- Create a PEM key pair.
Tip
You can store passwords and other configuration data securely by using the confluent secret commands. For more information see Secrets.
Add the following required configuration options to the etc/kafka/server.properties file. Any content in brackets (<>) must be customized for your environment.
Note
The LDAP configuration attributes in this example reflect a system using Active Directory (AD). If you use a different directory system, contact your LDAP administrator for details.
```
 1  ############################# Confluent Authorizer Settings #############################
 2  authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
 3  confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT
 4  confluent.metadata.server.listeners=http://0.0.0.0:8090
 5  confluent.metadata.server.advertised.listeners=http://localhost:8090
 6  #### Semi-colon separated list of super users in the format <principalType>:<principalName> ####
 7  #### For example: super.users=User:admin;User:mds ####
 8  super.users=User:<org-super-user>;User:<org-kerberos-principal>
 9
10  ############################# Identity Provider Settings (LDAP) #############################
11  #### JNDI Connection Settings ####
12  ldap.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
13  ldap.java.naming.provider.url=ldap://<hostname>:389
14  #### MDS Authentication Settings ####
15  ldap.java.naming.security.principal=<mds-user-DN>
16  ldap.java.naming.security.credentials=<password>
17  ldap.java.naming.security.authentication=simple
18  #### Client Authentication Settings ####
19  ldap.user.search.base=<user-search-base-DN>
20  ldap.user.name.attribute=sAMAccountName
21  ldap.group.search.base=CN=Users,DC=rbac,DC=confluent,DC=io
22  ldap.group.object.class=group
23  ldap.group.member.attribute.pattern=UID=(.*),OU=Users,DC=EXAMPLE,DC=COM
24  ldap.user.object.class=account
25
26  ############################# MDS Server Settings #############################
27  confluent.metadata.server.authentication.method=BEARER
28
29  ############################# MDS Token Service Settings #############################
30  confluent.metadata.server.token.key.path=<path-to-token-key-pair.pem>
31
32  ############################# Listener Settings #############################
33  listeners=INTERNAL_SASL_PLAINTEXT://:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://:9092
34  advertised.listeners=INTERNAL_SASL_PLAINTEXT://localhost:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://localhost:9092
35  inter.broker.listener.name=INTERNAL_SASL_PLAINTEXT
36
37  ############################# Listener SASL Configuration Settings #############################
38  listener.security.protocol.map=INTERNAL_SASL_PLAINTEXT:SASL_PLAINTEXT,EXTERNAL_RBAC_SASL_PLAINTEXT:SASL_PLAINTEXT
39
40  ############################# Broker Internal Listener SASL Configuration Settings #############################
41  sasl.mechanism.inter.broker.protocol=GSSAPI
42  listener.name.internal_sasl_plaintext.sasl.enabled.mechanisms=GSSAPI
43  listener.name.internal_sasl_plaintext.sasl.kerberos.service.name=kafka
44  listener.name.internal_sasl_plaintext.gssapi.sasl.jaas.config = \
45     com.sun.security.auth.module.Krb5LoginModule required \
46     debug=true \
47     useKeyTab=true \
48     storeKey=true \
49     keyTab="<path-to-your-keytab>" \
50     principal="<org-kerberos-principal>";
51  #### For example: principal="kafka/kafka1.hostname.com@EXAMPLE.COM" ####
52  ############################# Broker External (Client) Listener SASL Configuration Settings #############################
53  listener.name.external_rbac_sasl_plaintext.sasl.enabled.mechanisms=OAUTHBEARER
54  listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.jaas.config= \
55     org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
56     publicKeyPath="<path-to-your-public-key>";
57  listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
58  listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
```
For a description of the parameters, see:
- Lines 2-8: Enables RBAC. For more information, see Configuring the Confluent Server Authorizer.
- Lines 11-24: Configures LDAP so that RBAC can use it. For more information, see Configure LDAP Group-Based Authorization for MDS and Configure LDAP Authentication.
- Line 27: Defines listeners and configures HTTPS for brokers. For more information, see Metadata Service Configuration Options.
- Line 30: Defines private key configuration properties. For more information, see Metadata Service Configuration Options.
- Lines 33-58: Enables SASL authentication and Kerberos authentication. For more information, see Authentication with SASL and Configuring GSSAPI.
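A configuration sanity check, added here as an example and not part of the Confluent documentation or product: it reads a server.properties file (honouring the backslash line continuations the JAAS entries use) and reports the mistakes most likely when adapting the template above: unreplaced <...> placeholders, a listener absent from listener.security.protocol.map, an inter-broker listener that is not GSSAPI with a keytab-based Krb5LoginModule, and an MDS authentication method other than BEARER. The SAMPLE properties and the check names are constructed for this demonstration.

```python
import re
PLACEHOLDER = re.compile(r"<[^<>]+>")   # an unreplaced <...> value left over from the template

# java.util.Properties-style reader that honours backslash continuations (the JAAS entries need it).
def parse_properties(text):
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending = line[:-1]      # value continues on the next line
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_mds_kerberos(text):
    """Return a list of problems; an empty list means every check passed."""
    p = parse_properties(text)
    problems = [f"{k}: placeholder not replaced" for k, v in p.items() if PLACEHOLDER.search(v)]
    names = {x.split("://")[0] for x in p.get("listeners", "").split(",") if x}
    mapped = {x.split(":")[0] for x in p.get("listener.security.protocol.map", "").split(",") if x}
    problems += [f"{n}: missing from listener.security.protocol.map" for n in sorted(names - mapped)]
    ibl = p.get("inter.broker.listener.name", "")
    if ibl not in names:
        problems.append("inter.broker.listener.name is not a configured listener")
    prefix = f"listener.name.{ibl.lower()}."   # per-listener keys use the lower-cased listener name
    if p.get("sasl.mechanism.inter.broker.protocol") != "GSSAPI" or p.get(prefix + "sasl.enabled.mechanisms") != "GSSAPI":
        problems.append("inter-broker listener does not use GSSAPI")
    jaas = p.get(prefix + "gssapi.sasl.jaas.config", "")
    if not all(s in jaas for s in ("Krb5LoginModule required", "useKeyTab=true", "keyTab=")):
        problems.append("broker Kerberos login is not keytab based")
    if p.get("confluent.metadata.server.authentication.method") != "BEARER":
        problems.append("MDS authentication method is not BEARER")
    return problems

# Constructed sample (not from the page): the page's listener layout with one placeholder left in
# and the external listener missing from the protocol map.
SAMPLE = """\
listeners=INTERNAL_SASL_PLAINTEXT://:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://:9092
inter.broker.listener.name=INTERNAL_SASL_PLAINTEXT
listener.security.protocol.map=INTERNAL_SASL_PLAINTEXT:SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
listener.name.internal_sasl_plaintext.sasl.enabled.mechanisms=GSSAPI
listener.name.internal_sasl_plaintext.gssapi.sasl.jaas.config = \\
   com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true \\
   keyTab="<path-to-your-keytab>" principal="kafka/kafka1.example.com@EXAMPLE.COM";
confluent.metadata.server.authentication.method=BEARER
"""
```

Running check_mds_kerberos(SAMPLE) reports the unreplaced keytab placeholder and the unmapped EXTERNAL_RBAC_SASL_PLAINTEXT listener; fixing both yields an empty list.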