REST Proxy Security Plugins¶
Confluent REST Proxy allows producing and consuming messages of different formats through a REST interface. The security plugin provides the capability to authenticate an incoming request, build the principal, and then propagate the same requests to Apache Kafka® using the configured security mechanism. The authorization is enforced through Kafka ACLs, which provide granular access controls based on Kafka’s ACL implementation (such as limiting access to topics, in which case the client principal is propagated to Kafka and has the same access as if connected with that principal in any other client).
When enabled with role-based access control (RBAC) or Kafka REST Security plugins, license clients must be explicitly configured to authenticate to Kafka. To learn more, see Configure license clients to authenticate to Kafka in the Confluent Platform license documentation.
Install¶
Important
This software is available under a Confluent enterprise license. You can use this software for a 30-day trial period without a license key. If you are a subscriber, please contact Confluent Support at support@confluent.io for more information.
The Confluent security plugins are an extension to Confluent Platform components. The security plugins are installed by default if you are using ZIP and TAR archives, but must be installed manually if you are using DEB or RPM packages.
The default location for the Confluent REST Proxy Security Plugins is:
<path-to-confluent>/share/java/kafka-rest/confluent-security-plugins-common-<version>.jar
<path-to-confluent>/share/java/kafka-rest/confluent-kafka-rest-security-plugin-<version>.jar
ZIP and TAR Archives¶
If you installed Confluent Platform by using ZIP or TAR archives, the security plugins are installed by
default and are located in <path-to-confluent>/share/java/
in the individual component directories.
Ubuntu and Debian¶
If you installed Confluent Platform in a Ubuntu or Debian environment, you must install the plugins separately with this command:
sudo apt-get update && sudo apt-get install confluent-security
RHEL and CentOS¶
If you installed Confluent Platform in a RHEL, CentOS, or Fedora-based environment, you must install the plugins separately with this command:
sudo yum install confluent-security
Activate¶
After the installation is complete, you must add the following configuration in
the Confluent REST Proxy configuration file (/etc/kafka-rest/kafka-rest.properties
)
to activate the plugins.
kafka.rest.resource.extension.class=io.confluent.kafkarest.security.KafkaRestSecurityResourceExtension
kafka.rest.resource.extension.class
Fully qualified class name of a valid implementation of the interface RestResourceExtension. This can be used to inject user defined resources like filters. Typically used to add custom capability like logging, security, etc
- Type: string
- Default: “”
- Importance: low
Usage¶
For information on how to leverage the REST Proxy Security Plugins to propagate credentials from REST Proxy to Kafka brokers, see REST Proxy Credentials Propagation.