Configure Kerberos Authentication for Brokers Running MDS

This configuration describes how to combine LDAP authentication for MDS with Kerberos broker authentication, essentially combining the two authentication methods.

Prerequisites

Tip

You can store passwords and other configuration data securely using the Confluent CLI confluent secret commands. For more information refer to Secrets Management.

  1. Add the following required configuration options to the etc.kafka.server.properties file. Any content in brackets (<>) must be customized for your environment.

    Note

    The LDAP configuration attributes in this example reflect a system using Active Directory (AD). If you use a different directory system, contact your LDAP administrator for details.

     1 ############################# Confluent Authorizer Settings #############################
     2 authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
     3 confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT
     4 confluent.metadata.server.listeners=http://0.0.0.0:8090
     5 confluent.metadata.server.advertised.listeners=http://localhost:8090
     6 #### Semi-colon separated list of super users in the format <principalType>:<principalName> ####
     7 #### For example: super.users=User:admin;User:mds ####
     8 super.users=User:<org-super-user>;User:<org-kerberos-principal>
     9
    10 ############################# Identity Provider Settings (LDAP) #############################
    11 #### JNDI Connection Settings ####
    12 ldap.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
    13 ldap.java.naming.provider.url=ldap://<hostname>:389
    14 ####  MDS Authentication Settings ####
    15 ldap.java.naming.security.principal=<mds-user-DN>
    16 ldap.java.naming.security.credentials=<password>
    17 ldap.java.naming.security.authentication=simple
    18 #### Client Authentication Settings ####
    19 ldap.user.search.base=<user-search-base-DN>
    20 ldap.user.name.attribute=sAMAccountName
    21 ldap.group.search.base=CN=Users,DC=rbac,DC=confluent,DC=io
    22 ldap.group.object.class=group
    23 ldap.group.member.attribute.pattern=UID=(.*),OU=Users,DC=EXAMPLE,DC=COM
    24 ldap.user.object.class=account
    25
    26 ############################# MDS Server Settings #############################
    27 confluent.metadata.server.authentication.method=BEARER
    28
    29 ############################# MDS Token Service Settings #############################
    30 confluent.metadata.server.token.key.path=<path-to-mds-token-key.pem>
    31
    32 ############################# Listener Settings #############################
    33 listeners=INTERNAL_SASL_PLAINTEXT://:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://:9092
    34 advertised.listeners=INTERNAL_SASL_PLAINTEXT://localhost:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://localhost:9092
    35 inter.broker.listener.name=INTERNAL_SASL_PLAINTEXT
    36
    37 ############################# Listener SASL Configuration Settings #############################
    38 listener.security.protocol.map=INTERNAL_SASL_PLAINTEXT:SASL_PLAINTEXT,EXTERNAL_RBAC_SASL_PLAINTEXT:SASL_PLAINTEXT
    39
    40 ############################# Broker Internal Listener SASL Configuration Settings #############################
    41 sasl.mechanism.inter.broker.protocol=GSSAPI
    42 listener.name.internal_sasl_plaintext.sasl.enabled.mechanisms=GSSAPI
    43 listener.name.internal_sasl_plaintext.sasl.kerberos.service.name=kafka
    44 listener.name.internal_sasl_plaintext.gssapi.sasl.jaas.config = \
    45   com.sun.security.auth.module.Krb5LoginModule required \
    46   debug=true \
    47   useKeyTab=true \
    48   storeKey=true \
    49   keyTab="<path-to-your-keytab>" \
    50   principal="<org-kerberos-principal>"; (for example: kafka/kafka1.hostname.com@EXAMPLE.COM)
    51
    52############################# Broker External (Client) Listener SASL Configuration Settings #############################
    53listener.name.external_rbac_sasl_plaintext.sasl.enabled.mechanisms=OAUTHBEARER
    54listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.jaas.config= \
    55  org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
    56  publicKeyPath="<path-to-your-public-key";
    57listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
    58listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
    

    For a description of the parameters, see:

  2. Start Confluent Platform.