CONFLUENT PLATFORM
The broker configuration in the server.properties file must set authorizer.class.name to io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer to enable the Metadata Service (also known as the Confluent Server Authorizer).
To retain ACLs (that have already been enabled) and enable RBAC, set confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT.
confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT
For more details about how to configure RBAC, see Enable RBAC in a Running Cluster.
RBAC supports the following Kafka configurations of the Metadata Service (MDS) back end, which you can override by using the prefixes specified below:
confluent.metadata.topic.
confluent.metadata.admin.
confluent.metadata.coordinator.
confluent.metadata.producer.
confluent.metadata.server.ssl.
confluent.security.event.logger.destination.admin.
confluent.metadata.server.listeners
Binds the Metadata Service HTTP or HTTPS listener to a host and port.
confluent.metadata.server.advertised.listeners
Configures the hostname that the HTTP or HTTPS service advertises to clients.
confluent.metadata.server.token.max.lifetime.ms
Specifies the maximum lifetime of an issued token, in milliseconds.
confluent.metadata.server.token.key.path
Location of the PEM encoded public/private key pair to be used for signing and verifying tokens. Because the token service only supports RS256 signatures, key pairs must be generated using the RSA algorithm.
confluent.metadata.server.token.signature.algorithm
Signature scheme to be used when signing/verifying tokens, as defined in "alg" (Algorithm) Header Parameter Values for JWS. Only RS256 is currently supported.
Use the following attributes to configure MDS to allow connections over HTTPS.
confluent.metadata.server.ssl.keystore.location
The key store file location. This is optional for the client and can be used for two-way (mutual TLS) client authentication.
confluent.metadata.server.ssl.keystore.password
The key store file password. Optional for the client, and only required if confluent.metadata.server.ssl.keystore.location is configured.
confluent.metadata.server.ssl.key.password
The private key password in the key store file. Optional for the client.
confluent.metadata.server.ssl.truststore.location
The trust store file location.
confluent.metadata.server.ssl.truststore.password
The trust store file password. If a password is not set, access to the truststore is still available, but integrity checking is disabled.
The following is an example configuration for setting up HTTPS for MDS. Any content in brackets (<>) must be customized for your environment.
authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT
confluent.metadata.server.listeners=https://localhost:8090
confluent.metadata.server.advertised.listeners=https://localhost:8090
confluent.metadata.server.ssl.keystore.location=<path-to-keystore>
confluent.metadata.server.ssl.keystore.password=<host-keystore-password>
confluent.metadata.server.ssl.key.password=<host-cert-password>
confluent.metadata.server.ssl.truststore.location=<path-to-truststore>
confluent.metadata.server.ssl.truststore.password=<host-truststore-password>
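As an added example (not Confluent's own code), a small Python lint that reads the settings above from server.properties text and flags the states this page warns against: MDS not enabled, the CONFLUENT provider missing, plaintext listeners, a keystore without its password, a passwordless truststore and a token algorithm other than RS256. The sample properties, host names and file paths are constructed.

```python
import re
# Constructed sample (not from the page): plaintext listeners, truststore without password, no token key.
SAMPLE_PROPERTIES = """\
# broker config (constructed sample)
authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT
confluent.metadata.server.listeners=http://0.0.0.0:8090
confluent.metadata.server.advertised.listeners=http://mds.example.internal:8090
confluent.metadata.server.token.max.lifetime.ms=3600000
confluent.metadata.server.token.signature.algorithm=RS256
confluent.metadata.server.ssl.truststore.location=/etc/kafka/truststore.jks
"""
MDS = "confluent.metadata.server."
AUTHORIZER = "io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer"

def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if m := re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line):
            props[m.group(1)] = m.group(2).strip()
    return props

def lint_mds(props: dict) -> list:
    """Return findings for settings that leave MDS/RBAC off or weaken its transport and token signing."""
    findings = []
    if props.get("authorizer.class.name") != AUTHORIZER:
        findings.append("authorizer.class.name is not ConfluentServerAuthorizer: MDS is not enabled")
    providers = {p.strip() for p in props.get("confluent.authorizer.access.rule.providers", "").split(",")}
    if "CONFLUENT" not in providers:
        findings.append("access.rule.providers lacks CONFLUENT: RBAC role bindings are not evaluated")
    for key in (MDS + "listeners", MDS + "advertised.listeners"):
        for url in filter(None, (u.strip() for u in props.get(key, "").split(","))):
            if url.lower().startswith("http://"):
                findings.append(f"{key} uses plaintext HTTP ({url}): credentials and tokens travel in clear")
    if props.get(MDS + "listeners", "").lower().startswith("https://"):
        if not props.get(MDS + "ssl.keystore.location"):
            findings.append("HTTPS listener configured but ssl.keystore.location is missing")
        elif not props.get(MDS + "ssl.keystore.password"):
            findings.append("ssl.keystore.password is required once ssl.keystore.location is set")
    if props.get(MDS + "ssl.truststore.location") and not props.get(MDS + "ssl.truststore.password"):
        findings.append("ssl.truststore.password unset: truststore integrity checking is disabled")
    if props.get(MDS + "token.signature.algorithm", "RS256") != "RS256":
        findings.append("token.signature.algorithm must be RS256 (the only supported scheme)")
    if not props.get(MDS + "token.key.path"):
        findings.append("token.key.path unset: no RSA key pair to sign and verify tokens")
    return findings
```

Run `lint_mds(parse_properties(open("server.properties").read()))` against a real broker file; an empty list means none of the conditions above were detected.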
When logging in to an MDS that is configured for HTTPS, most clients, including the Confluent CLI, automatically pick up trusted certificates from the system truststore. To use self-signed or custom certificates that are not part of the system truststore when using the Confluent CLI, see the --ca-cert-path option in Confluent CLI confluent login.