Configure Kerberos Authentication for Brokers Running MDS¶
This configuration describes how to combine LDAP authentication for MDS with Kerberos broker authentication, essentially combining the two authentication methods.
- Prerequisites
- The prerequisites for configuring Kerberos authentication for MDS are the same as the prerequisites for configuring MDS. See Configure the Confluent Platform Metadata Service (MDS).
- Create a user for the Kafka broker.
- Generate the keytab. See Configuring GSSAPI.
- Create a PEM key pair.
Tip
You can store passwords and other configuration data securely using the Confluent CLI confluent secret commands. For more information refer to Secrets Management.
Add the following required configuration options to the
etc.kafka.server.properties
file. Any content in brackets (<>
) must be customized for your environment.Note
The LDAP configuration attributes in this example reflect a system using Active Directory (AD). If you use a different directory system, contact your LDAP administrator for details.
1 ############################# Confluent Authorizer Settings ############################# 2 authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer 3 confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT 4 confluent.metadata.server.listeners=http://0.0.0.0:8090 5 confluent.metadata.server.advertised.listeners=http://localhost:8090 6 #### Semi-colon separated list of super users in the format <principalType>:<principalName> #### 7 #### For example: super.users=User:admin;User:mds #### 8 super.users=User:<org-super-user>;User:<org-kerberos-principal> 9 10 ############################# Identity Provider Settings (LDAP) ############################# 11 #### JNDI Connection Settings #### 12 ldap.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory 13 ldap.java.naming.provider.url=ldap://<hostname>:389 14 #### MDS Authentication Settings #### 15 ldap.java.naming.security.principal=<mds-user-DN> 16 ldap.java.naming.security.credentials=<password> 17 ldap.java.naming.security.authentication=simple 18 #### Client Authentication Settings #### 19 ldap.user.search.base=<user-search-base-DN> 20 ldap.user.name.attribute=sAMAccountName 21 ldap.group.search.base=CN=Users,DC=rbac,DC=confluent,DC=io 22 ldap.group.object.class=group 23 ldap.group.member.attribute.pattern=UID=(.*),OU=Users,DC=EXAMPLE,DC=COM 24 ldap.user.object.class=account 25 26 ############################# MDS Server Settings ############################# 27 confluent.metadata.server.authentication.method=BEARER 28 29 ############################# MDS Token Service Settings ############################# 30 confluent.metadata.server.token.key.path=<path-to-token-key-pair.pem> 31 32 ############################# Listener Settings ############################# 33 listeners=INTERNAL_SASL_PLAINTEXT://:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://:9092 34 advertised.listeners=INTERNAL_SASL_PLAINTEXT://localhost:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://localhost:9092 35 inter.broker.listener.name=INTERNAL_SASL_PLAINTEXT 36 37 ############################# Listener SASL Configuration Settings ############################# 38 listener.security.protocol.map=INTERNAL_SASL_PLAINTEXT:SASL_PLAINTEXT,EXTERNAL_RBAC_SASL_PLAINTEXT:SASL_PLAINTEXT 39 40 ############################# Broker Internal Listener SASL Configuration Settings ############################# 41 sasl.mechanism.inter.broker.protocol=GSSAPI 42 listener.name.internal_sasl_plaintext.sasl.enabled.mechanisms=GSSAPI 43 listener.name.internal_sasl_plaintext.sasl.kerberos.service.name=kafka 44 listener.name.internal_sasl_plaintext.gssapi.sasl.jaas.config = \ 45 com.sun.security.auth.module.Krb5LoginModule required \ 46 debug=true \ 47 useKeyTab=true \ 48 storeKey=true \ 49 keyTab="<path-to-your-keytab>" \ 50 principal="<org-kerberos-principal>"; (for example: kafka/kafka1.hostname.com@EXAMPLE.COM) 51 52############################# Broker External (Client) Listener SASL Configuration Settings ############################# 53listener.name.external_rbac_sasl_plaintext.sasl.enabled.mechanisms=OAUTHBEARER 54listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.jaas.config= \ 55 org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \ 56 publicKeyPath="<path-to-your-public-key"; 57listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler 58listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
For a description of the parameters, see:
- Lines 2-8: Enables RBAC. For more information, see Configure Confluent Server Authorizer.
- Lines 11-24: Configures LDAP so that RBAC can use it. For more information, see Configure LDAP Group-Based Authorization for MDS and Configure LDAP Authentication.
- Line 27: Defines listeners and configures HTTPs for brokers. For more information, see Metadata Service Configuration Settings.
- Line 30: Defines private key configuration properties. For more information, see Metadata Service Configuration Settings.
- Lines 33-58: Enables SASL authentication and Kerberos authentication. For more information, see Authenticate with SASL using JAAS and Configuring GSSAPI.