Configure Security Properties using Prefixes in Confluent Platform¶
Configuration Parameters¶
Each component and many areas of functionality (for example, audit logging) in Confluent Platform can be configured for security. This table shows what prefixes are used for security configuration properties and where to configure them.
Important
Secrets config.providers
do not propagate to prefixes such as client.*
.
Thus, when using prefixes with secrets you must specify config.providers
and config.providers.securepass.class
. Refer to Using prefixes in secrets configurations for details.
Security Configuration | Prefix | Where to Configure |
---|---|---|
Audit logging | confluent.security.event. |
etc/kafka/server.properties |
Broker | none | etc/kafka/server.properties |
Broker LDAP configurations | ldap. |
etc/kafka/server.properties |
Broker Metadata Service (MDS) back-end configurations | confluent.metadata. |
etc/kafka/server.properties |
Metadata Service (MDS) configurations | confluent.metadata.server. |
etc/kafka/server.properties |
Console Clients | none | client properties (for example, producer.config or consumer.config ) |
Connect workers | none, producer. , consumer. , or admin. |
etc/kafka/connect-distributed.properties |
Control Center | confluent.controlcenter.streams.
confluent.controlcenter.connect.
confluent.controlcenter.ksql. |
etc/confluent-control-center/control-center.properties |
Java Clients | Java clients use static parameters defined in the Javadoc: |
SslConfigs or SaslConfigs in Properties class |
Metrics Reporter | confluent.metrics.reporter. |
etc/kafka/server.properties |
Monitoring Interceptors in clients | confluent.monitoring.interceptor. |
client properties, e.g. producer.config or consumer.config |
Monitoring Interceptors in Connect | producer.confluent.monitoring.interceptor.
consumer.confluent.monitoring.interceptor. |
etc/kafka/connect-distributed.properties |
Monitoring Interceptors in Replicator | src.consumer.confluent.monitoring.interceptor. |
connector JSON file (not the worker properties file) |
Rebalancer | confluent.rebalancer.metrics. |
Pass configuration (e.g. rebalance-metrics-client.properties ) using --config-file |
Replicator |
|
connector JSON file (not the worker properties file) |
REST Proxy | client. |
etc/kafka/kafka-rest.properties |
Schema Registry | kafkastore. |
etc/schema-registry/schema-registry.properties |
ZooKeeper | none | etc/kafka/zookeeper.properties |
Environment Variables for Configuring HTTPS¶
If a component in Confluent Platform needs to connect to a service using HTTPS, for example to an HTTPS-enabled Confluent Schema Registry, you may need to configure the TLS/SSL credentials for that HTTPS connection. This table shows for each component, the name of the environment variable to configure with TLS/SSL credentials for those HTTPS connections.
Component | Environment Variable |
---|---|
Broker | KAFKA_OPTS |
Console Clients | KAFKA_OPTS |
ksqlDB | KSQL_OPTS |
Connect workers | KAFKA_OPTS |
Confluent Rebalancer | REBALANCER_OPTS |
Control Center | CONTROL_CENTER_OPTS |
Schema Registry | SCHEMA_REGISTRY_OPTS |
REST Proxy | KAFKAREST_OPTS |
Additional Environment Variables¶
If you are using the Schema Registry ACL Authorizer with SASL,
pass in the JAAS configuration file using the SECURITY_PLUGINS_OPTS
environment
variable before calling sr-acl-cli
.
export SECURITY_PLUGINS_OPTS=-Djava.security.auth.login.config=/etc/schema-registry/kafka_client_jaas.conf