Configure Confluent Server Authorizer

The Confluent Server Authorizer supports proprietary LDAP group-based and role-based access control (RBAC) authorization as well as the setting of ACLs. Confluent Server Authorizer supports pluggable authorization and group providers, enabling ACLs, LDAP, and RBAC providers to be loaded at runtime.

Note

You can use the Confluent Server Authorizer to configure any of the attributes that you configured previously using the deprecated LDAP Authorizer. If you do so, use the ldap. prefix for each attribute. Do not use the ldap.authorizer. prefix for LDAP attributes when using the Confluent Server Authorizer to configure.

To enable authorization using the Confluent Server Authorizer, set the property authorizer.class.name to io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer in the broker configuration (which is in the server.properties file).

authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer

Confluent Server Authorizer Configuration Reference

The following configuration options are also processed by the Confluent Server Authorizer.

super.users

Semicolon-separated list of principals of super users or super groups who are allowed access to all of the resources for all actions on all hosts. If a resource has no ACLs associated with it, then only super users can access the resource. For an example of how to set this, see Configure Brokers.

  • Type: string
  • Default: “”
  • Importance: medium
allow.everyone.if.no.acl.found

Boolean flag that indicates whether or not everyone is allowed access to a resource if no ACL is found for the user principal or any of the groups to which the user belongs.

Note

Use of the allow.everyone.if.no.acl.found configuration option in production environments is strongly discouraged.

  • If you specify this option based on the assumption that you have ACLs, but then your last ACL is deleted, you essentially open up your Kafka clusters to all users.
  • If you’re using this option to disable ACLs, exercise caution: if someone adds an ACL, all the users who previously had access will lose that access.
  • Type: boolean
  • Default: false
  • Importance: medium
broker.users

Semicolon-separated list of principals of users who are allowed access to all resources on interbroker listeners. Unlike super.users, broker.users only allows requests originating from interbroker listeners. The primary purpose of this option is to bootstrap MDS clusters when using the centralized ACL feature.

  • Type: string
  • Default: “”
  • Importance: medium
confluent.license

Confluent issues a license key to each subscriber. The license key is a short snippet of text that you can copy and paste. Without the license key, you can use Confluent security plugins for a 30-day trial period. If you are a subscriber and don’t have a license key, contact Confluent Support at support@confluent.io.

  • Type: string
  • Default: “”
  • Importance: high
confluent.authorizer.access.rule.providers

List of access rule providers that are enabled. Supported access rule providers are CONFLUENT, KRAFT_ACL, and ZK_ACL (default).

  • Type: list
  • Default: ZK_ACL
  • Importance: medium
confluent.authorizer.init.timeout.ms

The number of milliseconds to wait for the Authorizer to start up and initialize any metadata from Kafka topics. On brokers of the cluster hosting metadata topics, interbroker listeners will be started prior to initialization of Authorizer metadata from Kafka topics.

  • Type: int
  • Default: 600000 [0,…]
  • Importance: low
confluent.http.server.listeners

Use to specify, disable, or change the HTTP listener in the broker for local metadata service and local clusters. This option only applies when MDS is not hosted on this broker. If this broker hosts an embedded HTTP server plugin for metadata that is related to the local cluster, specify a comma-separated list of listener URLs for HTTP server. To bind to all interfaces, specify hostname as 0.0.0.0. Examples of valid listeners are https://0.0.0.0:8090 and http://127.0.0.1:8091. To disable the broker’s HTTP listener, set to a blank value. By default Confluent Server always enables an HTTP metadata listener on port 8090.

  • Type: int
  • Default: https://0.0.0.0:8090
  • Importance: medium

See also:

To view configuration options for group-based authorization using LDAP:

To view configuration details about Confluent Server Authorizer for role-based access control (RBAC):