Configuring Confluent Server Authorizer¶
The Confluent Server Authorizer supports proprietary LDAP group-based and role-based access control (RBAC) authorization as well as the setting of ACLs. Confluent Server Authorizer supports pluggable authorization and group providers, enabling ACLs, LDAP, and RBAC providers to be loaded at runtime.
Note
You can use the Confluent Server Authorizer to configure any of the attributes
that you configured previously using the deprecated LDAP Authorizer.
If you do so, use the ldap.
prefix for each attribute. Do not use the
ldap.authorizer.
prefix for LDAP attributes when using the Confluent Server Authorizer to
configure.
Configuring the Confluent Server Authorizer¶
To enable authorization using the Confluent Server Authorizer, set the property authorizer.class.name
to io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
in the
broker configuration (which is in the server.properties
file).
authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
Confluent Server Authorizer Configuration Reference¶
The following configuration options are also processed by the Confluent Server Authorizer.
super.users
Semicolon-separated list of principals of super users or super groups who are allowed access to all of the resources for all actions on all hosts. If a resource has no ACLs associated with it, then only super users can access the resource. For an example of how to set this, see Configure Brokers.
- Type: string
- Default: “”
- Importance: medium
allow.everyone.if.no.acl.found
Boolean flag that indicates whether or not everyone is allowed access to a resource if no ACL is found for the user principal or any of the groups to which the user belongs.
Note
Use of the
allow.everyone.if.no.acl.found
configuration option in production environments is strongly discouraged.- If you specify this option based on the assumption that you have ACLs, but then your last ACL is deleted, you essentially open up your Kafka clusters to all users.
- If you’re using this option to disable ACLs, exercise caution: if someone adds an ACL, all the users who previously had access will lose that access.
- Type: boolean
- Default: false
- Importance: medium
broker.users
Semicolon-separated list of principals of users who are allowed access to all resources on interbroker listeners. Unlike
super.users
,broker.users
only allows requests originating from interbroker listeners. The primary purpose of this option is to bootstrap MDS clusters when using the centralized ACL feature.- Type: string
- Default: “”
- Importance: medium
confluent.license
Confluent issues a license key to each subscriber. The license key is a short snippet of text that you can copy and paste. Without the license key, you can use Confluent security plugins for a 30-day trial period. If you are a subscriber and don’t have a license key, please contact Confluent Support at support@confluent.io.
- Type: string
- Default: “”
- Importance: high
confluent.authorizer.access.rule.providers
List of access rule providers that are enabled. Supported access rule providers are CONFLUENT and ZK_ACL. The ACL-based provider is enabled by default.
- Type: list
- Default: ZK_ACL
- Importance: medium
confluent.authorizer.init.timeout.ms
The number of milliseconds to wait for the Authorizer to start up and initialize any metadata from Kafka topics. On brokers of the cluster hosting metadata topics, interbroker listeners will be started prior to initialization of Authorizer metadata from Kafka topics.
- Type: int
- Default: 600000 [0,…]
- Importance: low
confluent.http.server.listeners
Use to specify, disable, or change the HTTP listener in the broker for local metadata service and local clusters. This option only applies when MDS is not hosted on this broker. If this broker hosts an embedded HTTP server plugin for metadata that is related to the local cluster, specify a comma-separated list of listener URLs for HTTP server. To bind to all interfaces, specify hostname as
0.0.0.0
. Examples of valid listeners arehttps://0.0.0.0:8090
andhttp://127.0.0.1:8091
. To disable the broker’s HTTP listener, set to a blank value. By default Confluent Server always enables an HTTP metadata listener on port 8090.- Type: int
- Default:
https://0.0.0.0:8090
- Importance: medium
See also:
To view configuration options for group-based authorization using LDAP:
To view configuration details about Confluent Server Authorizer for role-based access control (RBAC):