REST Proxy Security Plugins in Confluent Platform

Confluent REST Proxy allows producing and consuming messages of different formats through a REST interface. The security plugin provides the capability to authenticate an incoming request, build the principal, and then propagate the same requests to Apache Kafka® using the configured security mechanism. The authorization is enforced through Kafka ACLs, which provide granular access controls based on Kafka’s ACL implementation (such as limiting access to topics, in which case the client principal is propagated to Kafka and has the same access as if connected with that principal in any other client).

When enabled with role-based access control (RBAC) or Kafka REST Security plugins, license clients must be explicitly configured to authenticate to Kafka. To learn more, see Configure license clients to authenticate to Kafka in the Confluent Platform license documentation.



This software is available under a Confluent enterprise license. You can use this software for a 30-day trial period without a license key. If you are a subscriber, contact Confluent Support at for more information.

The Confluent security plugins are an extension to Confluent Platform components. The security plugins are installed by default if you are using ZIP and TAR archives, but must be installed manually if you are using DEB or RPM packages.

The default location for the Confluent REST Proxy Security Plugins is:


ZIP and TAR Archives

If you installed Confluent Platform by using ZIP or TAR archives, the security plugins are installed by default and are located in CONFLUENT_HOME/share/java/ in the individual component directories.

Ubuntu and Debian

If you installed Confluent Platform in a Ubuntu or Debian environment, you must install the plugins separately with this command:

sudo apt-get update && sudo apt-get install confluent-security

RHEL and CentOS

If you installed Confluent Platform in a RHEL, CentOS, or Fedora-based environment, you must install the plugins separately with this command:

sudo yum install confluent-security


After the installation is complete, you must add the following configuration in the Confluent REST Proxy configuration file (/etc/kafka-rest/ to activate the plugins.

Fully qualified class name of a valid implementation of the interface RestResourceExtension. This can be used to inject user defined resources like filters. Typically used to add custom capability like logging, security, etc

  • Type: string
  • Default: “”
  • Importance: low


For information on how to leverage the REST Proxy Security Plugins to propagate credentials from REST Proxy to Kafka brokers, see REST Proxy Credentials Propagation.