Configure Security Properties using Prefixes in Confluent Platform

Configuration Parameters

Each component and many areas of functionality (for example, audit logging) in Confluent Platform can be configured for security. This table shows what prefixes are used for security configuration properties and where to configure them.

Important

Secrets config.providers do not propagate to prefixes such as client.*. Thus, when using prefixes with secrets you must specify config.providers and config.providers.securepass.class. Refer to Using prefixes in secrets configurations for details.

Security Configuration	Prefix	Where to Configure
Audit logging	`confluent.security.event.`	`etc/kafka/server.properties`
Broker	none	`etc/kafka/server.properties`
Broker LDAP configurations	`ldap.`	`etc/kafka/server.properties`
Broker Metadata Service (MDS) back-end configurations	`confluent.metadata.`	`etc/kafka/server.properties`
Metadata Service (MDS) configurations	`confluent.metadata.server.`	`etc/kafka/server.properties`
Console Clients	none	`client properties` (for example, `producer.config` or `consumer.config`)
Connect workers	none, `producer.`, `consumer.`, or `admin.`	`etc/kafka/connect-distributed.properties`
Control Center (Legacy)	`confluent.controlcenter.streams.` `confluent.controlcenter.connect.` `confluent.controlcenter.ksql.`	`etc/confluent-control-center/control-center.properties`
Java Clients	Java clients use static parameters defined in the Javadoc: SSL SASL	SslConfigs or SaslConfigs in Properties class
Metrics Reporter	`confluent.metrics.reporter.`	`etc/kafka/server.properties`
Monitoring Interceptors in clients	`confluent.monitoring.interceptor.`	client properties, e.g. producer.config or consumer.config
Monitoring Interceptors in Connect	`producer.confluent.monitoring.interceptor.` `consumer.confluent.monitoring.interceptor.`	`etc/kafka/connect-distributed.properties`
Monitoring Interceptors in Replicator	`src.consumer.confluent.monitoring.interceptor.`	connector JSON file (not the worker properties file)
Rebalancer	`confluent.rebalancer.metrics.`	Pass configuration (e.g. `rebalance-metrics-client.properties`) using `--config-file`
Replicator	`dest.kafka.` `src.kafka.`	connector JSON file (not the worker properties file)
REST Proxy	`client.`	`etc/kafka/kafka-rest.properties`
Schema Registry	`kafkastore.`	`etc/schema-registry/schema-registry.properties`
ZooKeeper	none	`etc/kafka/zookeeper.properties`

Environment Variables for Configuring HTTPS

If a component in Confluent Platform needs to connect to a service using HTTPS, for example to an HTTPS-enabled Confluent Schema Registry, you may need to configure the TLS/SSL credentials for that HTTPS connection. This table shows for each component, the name of the environment variable to configure with TLS/SSL credentials for those HTTPS connections.

Component	Environment Variable
Broker	`KAFKA_OPTS`
Console Clients	`KAFKA_OPTS`
ksqlDB	`KSQL_OPTS`
Connect workers	`KAFKA_OPTS`
Confluent Rebalancer	`REBALANCER_OPTS`
Control Center (Legacy)	`CONTROL_CENTER_OPTS`
Schema Registry	`SCHEMA_REGISTRY_OPTS`
REST Proxy	`KAFKAREST_OPTS`

Additional Environment Variables

If you are using the Schema Registry ACL Authorizer with SASL, pass in the JAAS configuration file using the SECURITY_PLUGINS_OPTS environment variable before calling sr-acl-cli.

export SECURITY_PLUGINS_OPTS=-Djava.security.auth.login.config=/etc/schema-registry/kafka_client_jaas.conf