Configure RBAC for a Connect Worker


Before configuring RBAC for Kafka Connect, read the white paper Role-Based Access Control (RBAC) for Kafka Connect. This white paper covers basic RBAC concepts and provides a deep dive into using RBAC with Kafka Connect and connectors. It also contains a link to a GitHub demo so you can see how it all works on a local Confluent Platform installation.

In an RBAC-enabled environment, several RBAC configuration lines need to be added to each Connect worker file. The following steps describe what to add to each worker file.

  1. Add the following parameter to enable per-connector principals.

  2. Add the following parameters to enable the Connect framework to authenticate with Kafka using a service principal. The service principal is used by Connect to read from and write to internal configuration topics. Note that <username> and <password> are the service principal username and password that were granted permissions when setting up the service principal.

    # Or SASL_SSL if using SSL
    sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler required \
      username="<username>" \
      password="<password>" \
  3. Add the following parameters to establish worker-wide default properties for each type of Kafka client used by connectors in the cluster.

    Any principal used by idempotent producers must be authorized as Write on the cluster. Binding either the DeveloperWrite or ResourceOwner RBAC role on the Kafka cluster grants Write permission. DeveloperWrite is the less permissive of the two roles and is the recommended choice. Consumers do not require additional Kafka permissions to be idempotent. The following role binding grants the principal Write access to the cluster:

    confluent iam rbac role-binding create \
      --principal $PRINCIPAL \
      --role DeveloperWrite \
      --resource Cluster:kafka-cluster \
      --kafka-cluster-id $KAFKA_CLUSTER_ID
  4. Add the following Metadata Service (MDS) parameters to require user RBAC authentication for Connect. RBAC authentication is required to allow users to create connectors, read connector configurations, and delete connectors.

    # Adds the RBAC REST extension to the Connect worker
    # The location of a running metadata service
    # Credentials to use when communicating with the MDS, in the form <username>:<password>

    For additional configurations available to any client communicating with MDS, see REST client configurations in the Confluent Platform Security documentation.

  5. Add the following parameter to have Connect use basic authentication for user requests and token authentication for impersonated requests (for example, from REST proxy).

    # The path to a directory containing public keys that should be used to verify JSON Web Tokens
    # during authentication
    public.key.path=<public key path>
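As an added example (not part of the Confluent documentation), a small Python check that reads a worker properties file and flags the mistakes the settings in steps 2 and 5 invite: security.protocol left at SASL_PLAINTEXT, the token login callback handler missing, public.key.path unset, or credentials still holding the angle-bracket placeholders. It assumes the standard Kafka client keys security.protocol, sasl.mechanism and sasl.jaas.config; the sample worker file is constructed.

```python
import re

TOKEN_HANDLER = "io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler"
PLACEHOLDER = re.compile(r"<[^>]+>")               # unfilled <username>, <public key path>, ...
KEY_VALUE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")

def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators, and
    backslash line continuations (as used by a multi-line sasl.jaas.config)."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:         # sentinel flushes a dangling continuation
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]                   # keep joining; next line's indentation is dropped
            continue
        m = KEY_VALUE.match(line)
        if m:
            props[m[1]] = m[2]
    return props

def check_worker_rbac(props: dict) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    if props.get("security.protocol") != "SASL_SSL":
        findings.append("security.protocol is not SASL_SSL: bearer tokens to the brokers travel unencrypted")
    if props.get("sasl.login.callback.handler.class") != TOKEN_HANDLER:
        findings.append("sasl.login.callback.handler.class is not the token login callback handler")
    if not props.get("public.key.path"):
        findings.append("public.key.path is unset: JWTs on impersonated requests cannot be verified")
    for key, value in props.items():
        if PLACEHOLDER.search(value):
            findings.append(f"{key} still contains an unfilled <placeholder>")
    return findings

# Constructed sample worker file (not from the page): placeholders never filled in, SSL off.
SAMPLE_WORKER_PROPS = """\
security.protocol=SASL_PLAINTEXT
sasl.mechanism=OAUTHBEARER
sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \\
  username="<username>" \\
  password="<password>";
public.key.path=/etc/kafka/mds-public-keys
"""
```

Run `check_worker_rbac(parse_properties(open(path).read()))` against a real worker file before starting the worker; each returned string is one setting to fix.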

See Secret Registry if you are using a Secret Registry for connector credentials.