Metadata Service Configuration Options¶
The broker configuration in the server.properties
file must set
authorizer.class.name
to io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
to enable the Metadata Service (also known as the
Confluent Server Authorizer).
To retain ACLs (that have already been enabled) and enable RBAC, set
confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT
.
For more details about how to configure RBAC, refer to Enable RBAC in a Running Cluster.
RBAC supports the following Kafka configurations of the Metadata Service (MDS) back end, which you can override by using the prefixes specified below:
- Topic configurations used for creating the security metadata topics (
confluent.metadata.topic.
) - Administration Client configurations used for creating administration clients (
confluent.metadata.admin.
) - Consumer Coordinator configurations used for creating consumers (
confluent.metadata.coordinator.
) - Producer configurations used for creating producers (
confluent.metadata.producer.
) - HTTP configurations used for connecting to MDS over HTTPS (
confluent.metadata.server.ssl.
) - Centralized Audit Log configurations used to provide API endpoints to register
a list of the Kafka clusters in an organization and to centrally manage the audit log configurations of those clusters
(
confluent.security.event.logger.destination.admin.
).
Configuration¶
confluent.metadata.server.listeners
Binds Metadata Service HTTP or HTTPS service to port.
- Type: int
- Default: 8090
confluent.metadata.server.advertised.listeners
Configures HTTP or HTTPS service advertised hostname.
- Type: string
- Default: null
confluent.metadata.server.token.max.lifetime.ms
Specifies a token’s maximum configured lifetime in milliseconds.
- Type: int
- Default: 3600000
confluent.metadata.server.token.key.path
Location of the PEM encoded public/private key pair to be used for signing and verifying tokens. Because the token service only supports RS256 signatures, key pairs must be generated using the RSA algorithm.
- Type: string
- Default: null
confluent.metadata.server.token.signature.algorithm
Signature scheme to be used when signing/verifying tokens as defined in (Algorithm) Header Parameter Values for JWS. Only RS256 is currently supported.
- Type: string
- Default: RS256
HTTPS configurations¶
Use the following attributes to configure MDS to allow connections over HTTPS.
confluent.metadata.server.ssl.keystore.location
The key store file location. This is optional for client and can be used for two-way authentication for client.
- Type: string
- Default: null
- Importance: high
confluent.metadata.server.ssl.keystore.password
The key store file password. Optional for client, and only required if
confluent.metadata.server.ssl.keystore.location
is configured.- Type: password
- Default: null
- Importance: high
confluent.metadata.server.ssl.key.password
The private key password in the key store file. Optional for client.
- Type: password
- Default: null
- Importance: high
confluent.metadata.server.ssl.truststore.location
The trust store file location.
- Type: string
- Default: null
- Importance: high
confluent.metadata.server.ssl.truststore.password
The trust store file password. If a password is not set, access to the truststore is still available, but integrity checking is disabled.
- Type: password
- Default: null
- Importance: high
The following is an example configuration for setting up HTTPS for MDS.
Any content in brackets (<>
) must be customized for your environment.
authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT
confluent.metadata.server.listeners=https://localhost:8090
confluent.metadata.server.advertised.listeners=https://localhost:8090
confluent.metadata.server.ssl.keystore.location=<path-to-keystore>
confluent.metadata.server.ssl.keystore.password=<host-keystore-password>
confluent.metadata.server.ssl.key.password=<host-cert-password>
confluent.metadata.server.ssl.truststore.location=<path-to-truststore>
confluent.metadata.server.ssl.truststore.password=<host-truststore-password>
When logging in to an MDS that is configured for HTTPS, most clients, including
the Confluent CLI, automatically pick up trusted certificates from the
system truststore. To use self-signed or custom certificates that are not part
of the system truststore when using the Confluent CLI, see the --ca-cert-path
option in
Confluent CLI confluent login.
REST client configurations¶
Components such as Schema Registry, Connect, and ksqlDB can interact as clients of MDS
by means of REST Proxy. Configurations for these clients are defined in
component-specific properties files; for example,
${CONFLUENT_HOME}/etc/ksqldb/ksql-server.properties
or
${CONFLUENT_HOME}/etc/schema-registry/schema-registry.properties
. The
following properties can be configured in the component properties files to
specify details related to MDS.
confluent.metadata.bootstrap.server.urls
A comma-separated list of valid URLs that specify where the metadata server or servers can be reached. For example: http://localhost:8080,http://localhost:8081. This configuration is required to run REST clients in an MDS environment.
- Type: List
- Default: “”
- Importance: high
confluent.metadata.enable.server.urls.refresh
This option enables metadata server URLs to be refreshed when REST Clients (for example, Schema Registry, Connect, and ksqlDB) are communicating with MDS. Set to
false
when using a DNS and load balancer with MDS; in such cases clients do not need to look up the IPs of the MDS nodes.- Type: Boolean
- Default: true
- Importance: low
confluent.metadata.server.urls.fail.on.401
When set to true, the client will fail immediately upon receipt of a 401 status while trying to refresh metadata server URLs. This option is useful if repeated 401 responses cause issues in the backing LDAP server.
- Type: string
- Default: false
confluent.metadata.server.urls.max.retries
The number of retries to force a refresh of metadata server URLs.
- Type: int
- Default: 5