Configure Kerberos Authentication for Brokers Running MDS

This configuration describes how to combine LDAP authentication for MDS with Kerberos broker authentication, essentially combining the two authentication methods.

Prerequisites

• The prerequisites for configuring Kerberos authentication for MDS are the same as the prerequisites for configuring MDS. See Configure Metadata Service (MDS) in Confluent Platform.
• Create a user for the Kafka broker.
• Generate the keytab. See Configure GSSAPI in Confluent Platform clusters.
• Create a PEM key pair.

Tip

You can store passwords and other configuration data securely using the Confluent CLI confluent secret commands. For more information refer to Manage Secrets in Confluent Platform.

1. Add the following required configuration options to the etc.kafka.server.properties file. Any content in brackets (<>) must be customized for your environment.

   Note

   The LDAP configuration attributes in this example reflect a system using Active Directory (AD). If you use a different directory system, contact your LDAP administrator for details.

    ############################# Confluent Authorizer Settings #############################
    authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
    confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT
    confluent.metadata.server.listeners=http://0.0.0.0:8090
    confluent.metadata.server.advertised.listeners=http://localhost:8090
    #### Semi-colon separated list of super users in the format <principalType>:<principalName> ####
    #### For example: super.users=User:admin;User:mds ####
    super.users=User:<org-super-user>;User:<org-kerberos-principal>
   
    ############################# Identity Provider Settings (LDAP) #############################
    #### JNDI Connection Settings ####
    ldap.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
    ldap.java.naming.provider.url=ldap://<hostname>:389
    ####  MDS Authentication Settings ####
    ldap.java.naming.security.principal=<mds-user-DN>
    ldap.java.naming.security.credentials=<password>
    ldap.java.naming.security.authentication=simple
    #### Client Authentication Settings ####
    ldap.user.search.base=<user-search-base-DN>
    ldap.user.name.attribute=sAMAccountName
    ldap.group.search.base=CN=Users,DC=rbac,DC=confluent,DC=io
    ldap.group.object.class=group
    ldap.group.member.attribute.pattern=UID=(.*),OU=Users,DC=EXAMPLE,DC=COM
    ldap.user.object.class=account
   
    ############################# MDS Server Settings #############################
    confluent.metadata.server.authentication.method=BEARER
   
    ############################# MDS Token Service Settings #############################
    confluent.metadata.server.token.key.path=<path-to-token-key-pair.pem>
   
    ############################# Listener Settings #############################
    listeners=INTERNAL_SASL_PLAINTEXT://:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://:9092
    advertised.listeners=INTERNAL_SASL_PLAINTEXT://localhost:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://localhost:9092
    inter.broker.listener.name=INTERNAL_SASL_PLAINTEXT
   
    ############################# Listener SASL Configuration Settings #############################
    listener.security.protocol.map=INTERNAL_SASL_PLAINTEXT:SASL_PLAINTEXT,EXTERNAL_RBAC_SASL_PLAINTEXT:SASL_PLAINTEXT
   
    ############################# Broker Internal Listener SASL Configuration Settings #############################
    sasl.mechanism.inter.broker.protocol=GSSAPI
    listener.name.internal_sasl_plaintext.sasl.enabled.mechanisms=GSSAPI
    listener.name.internal_sasl_plaintext.sasl.kerberos.service.name=kafka
    listener.name.internal_sasl_plaintext.gssapi.sasl.jaas.config = \
      com.sun.security.auth.module.Krb5LoginModule required \
      debug=true \
      useKeyTab=true \
      storeKey=true \
      keyTab="<path-to-your-keytab>" \
      principal="<org-kerberos-principal>"; (for example: kafka/kafka1.hostname.com@EXAMPLE.COM)
   
   ############################# Broker External (Client) Listener SASL Configuration Settings #############################
   listener.name.external_rbac_sasl_plaintext.sasl.enabled.mechanisms=OAUTHBEARER
   listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.jaas.config= \
     org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
     publicKeyPath="<path-to-your-public-key";
   listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
   listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
   

   For a description of the parameters, see:

   • Lines 2-8: Enables RBAC. For more information, see Configure Confluent Server Authorizer in Confluent Platform.
   • Lines 11-24: Configures LDAP so that RBAC can use it. For more information, see Configure LDAP Group-Based Authorization for MDS and Configure LDAP Authentication.
   • Line 27: Defines listeners and configures HTTPs for brokers. For more information, see Metadata Service Configuration Settings.
   • Line 30: Defines private key configuration properties. For more information, see Metadata Service Configuration Settings.
   • Lines 33-58: Enables SASL authentication and Kerberos authentication. For more information, see SASL and Configure GSSAPI in Confluent Platform clusters.

2. Start Confluent Platform.