This configuration combines LDAP authentication for MDS (Metadata Service) with Kerberos authentication between brokers: users authenticate to MDS with their LDAP credentials and receive a token that they present to the broker's OAUTHBEARER listener, while the brokers authenticate to each other with Kerberos (GSSAPI) on the internal listener.
Tip
You can store passwords and other configuration data securely using the Confluent CLI confluent secret commands. For more information refer to Secrets Management.
Add the following required configuration options to the etc/kafka/server.properties file. Any content in angle brackets (<>) must be customized for your environment.
etc/kafka/server.properties
Note
The LDAP configuration attributes in this example reflect a system using Active Directory (AD). If you use a different directory system, contact your LDAP administrator for details.
############################# Confluent Authorizer Settings #############################
authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT
confluent.metadata.server.listeners=http://0.0.0.0:8090
confluent.metadata.server.advertised.listeners=http://localhost:8090

#### Semi-colon separated list of super users in the format <principalType>:<principalName> ####
#### For example: super.users=User:admin;User:mds ####
super.users=User:<org-super-user>;User:<org-kerberos-principal>

############################# Identity Provider Settings (LDAP) #############################
#### JNDI Connection Settings ####
ldap.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.java.naming.provider.url=ldap://<hostname>:389

#### MDS Authentication Settings ####
ldap.java.naming.security.principal=<mds-user-DN>
ldap.java.naming.security.credentials=<password>
ldap.java.naming.security.authentication=simple

#### Client Authentication Settings ####
ldap.user.search.base=<user-search-base-DN>
ldap.user.name.attribute=sAMAccountName
ldap.group.search.base=CN=Users,DC=rbac,DC=confluent,DC=io
ldap.group.object.class=group
ldap.group.member.attribute.pattern=UID=(.*),OU=Users,DC=EXAMPLE,DC=COM
ldap.user.object.class=account

############################# MDS Server Settings #############################
confluent.metadata.server.authentication.method=BEARER

############################# MDS Token Service Settings #############################
confluent.metadata.server.token.key.path=<path-to-mds-token-key.pem>

############################# Listener Settings #############################
listeners=INTERNAL_SASL_PLAINTEXT://:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://:9092
advertised.listeners=INTERNAL_SASL_PLAINTEXT://localhost:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://localhost:9092
inter.broker.listener.name=INTERNAL_SASL_PLAINTEXT

############################# Listener SASL Configuration Settings #############################
listener.security.protocol.map=INTERNAL_SASL_PLAINTEXT:SASL_PLAINTEXT,EXTERNAL_RBAC_SASL_PLAINTEXT:SASL_PLAINTEXT

############################# Broker Internal Listener SASL Configuration Settings #############################
sasl.mechanism.inter.broker.protocol=GSSAPI
listener.name.internal_sasl_plaintext.sasl.enabled.mechanisms=GSSAPI
listener.name.internal_sasl_plaintext.sasl.kerberos.service.name=kafka
#### principal is the broker's Kerberos principal, for example kafka/kafka1.hostname.com@EXAMPLE.COM ####
listener.name.internal_sasl_plaintext.gssapi.sasl.jaas.config = \
    com.sun.security.auth.module.Krb5LoginModule required \
    debug=true \
    useKeyTab=true \
    storeKey=true \
    keyTab="<path-to-your-keytab>" \
    principal="<org-kerberos-principal>";

############################# Broker External (Client) Listener SASL Configuration Settings #############################
listener.name.external_rbac_sasl_plaintext.sasl.enabled.mechanisms=OAUTHBEARER
listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.jaas.config= \
    org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
    publicKeyPath="<path-to-your-public-key>";
listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
listener.name.external_rbac_sasl_plaintext.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
For a description of the parameters, see:
Start Confluent Platform.
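A pre-flight check on the finished server.properties, added here as an example and not part of Confluent's own tooling: it parses the properties syntax used above (including the backslash continuations in the multi-line sasl.jaas.config values), resolves the per-listener listener.name.<listener>.<mechanism>.* keys, and flags the things a reviewer asks about before such a file goes live: placeholders left unreplaced, listeners still on SASL_PLAINTEXT, the simple bind over plain ldap://, an enabled mechanism without its JAAS config or (for OAUTHBEARER) without the server callback handler that validates MDS tokens, an inter-broker mechanism the internal listener does not enable, malformed super.users entries, and debug=true left in the Krb5 login module. The embedded SAMPLE is a constructed file modelled on the page's layout; its hostname, DN, keytab path and the svc-mds entry are made up.

```python
"""Security lint for a Confluent broker server.properties (added example, not Confluent code).

Parses Java .properties syntax, including the backslash continuations used by the
multi-line sasl.jaas.config values, and flags settings a reviewer would question.
"""
import re

PLACEHOLDER = re.compile(r"<[^<>\s]+>")  # an unreplaced <...> left from the template


def parse_properties(text):
    """Parse .properties text: '#'/'!' comments, first '=' splits key and value,
    and a trailing backslash joins the next line (leading whitespace dropped)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not pending and (not line or line.startswith(("#", "!"))):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props


def listener_mechanisms(props):
    """Map each listener in `listeners` to {mechanism: its JAAS config or None}. Per-listener
    SASL keys are listener.name.<listener>.<mechanism>.* with both names lower-cased."""
    out = {}
    for entry in filter(None, props.get("listeners", "").split(",")):
        name = entry.partition("://")[0].strip().lower()
        enabled = props.get(f"listener.name.{name}.sasl.enabled.mechanisms", "")
        out[name] = {m.strip(): props.get(f"listener.name.{name}.{m.strip().lower()}.sasl.jaas.config")
                     for m in enabled.split(",") if m.strip()}
    return out


def lint(props):
    """Return a list of (severity, message) findings for security-relevant settings."""
    findings = []
    for key, value in props.items():
        for hit in PLACEHOLDER.findall(value):
            findings.append(("error", f"{key}: placeholder {hit} was not replaced"))
    # SASL_PLAINTEXT carries the Kerberos and OAUTHBEARER exchanges unencrypted.
    for entry in filter(None, props.get("listener.security.protocol.map", "").split(",")):
        name, _, proto = entry.partition(":")
        if proto.strip() in ("PLAINTEXT", "SASL_PLAINTEXT"):
            findings.append(("warn", f"listener {name.strip()} uses {proto.strip()}; prefer SASL_SSL"))
    # A simple bind over ldap:// sends the MDS bind password in clear text.
    if (props.get("ldap.java.naming.provider.url", "").startswith("ldap://")
            and props.get("ldap.java.naming.security.authentication", "simple") == "simple"):
        findings.append(("warn", "LDAP simple bind over ldap://; use ldaps:// to protect the bind password"))
    # Each enabled mechanism needs a JAAS config; OAUTHBEARER also needs the server callback
    # handler that validates MDS-issued tokens; Krb5LoginModule debug belongs off in production.
    by_listener = listener_mechanisms(props)
    for name, mechs in by_listener.items():
        for mech, jaas in mechs.items():
            if jaas is None:
                findings.append(("error", f"listener {name}: {mech} has no sasl.jaas.config"))
            elif re.search(r"\bdebug\s*=\s*true", jaas):
                findings.append(("info", f"listener {name}: {mech} login module has debug=true"))
            if mech == "OAUTHBEARER" and f"listener.name.{name}.oauthbearer.sasl.server.callback.handler.class" not in props:
                findings.append(("error", f"listener {name}: OAUTHBEARER has no sasl.server.callback.handler.class"))
    # The inter-broker mechanism must be enabled on the inter-broker listener.
    ibl = props.get("inter.broker.listener.name", "").lower()
    ibm = props.get("sasl.mechanism.inter.broker.protocol", "")
    if ibm and ibm not in by_listener.get(ibl, {}):
        findings.append(("error", f"inter-broker mechanism {ibm} is not enabled on listener {ibl!r}"))
    # super.users entries are <principalType>:<principalName>, semicolon separated.
    for entry in filter(None, props.get("super.users", "").split(";")):
        if not re.fullmatch(r"(User|Group):[^\s;]+", entry.strip()):
            findings.append(("error", f"super.users entry {entry.strip()!r} is malformed"))
    return findings


# Constructed sample mirroring the page's layout; the host, DN, keytab path and svc-mds are made up.
SAMPLE = """
super.users=User:admin;User:kafka/kafka1.example.com@EXAMPLE.COM;svc-mds
ldap.java.naming.provider.url=ldap://ad.example.com:389
ldap.java.naming.security.credentials=<password>
ldap.java.naming.security.authentication=simple
listeners=INTERNAL_SASL_PLAINTEXT://:9093,EXTERNAL_RBAC_SASL_PLAINTEXT://:9092
inter.broker.listener.name=INTERNAL_SASL_PLAINTEXT
listener.security.protocol.map=INTERNAL_SASL_PLAINTEXT:SASL_PLAINTEXT,EXTERNAL_RBAC_SASL_PLAINTEXT:SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
listener.name.internal_sasl_plaintext.sasl.enabled.mechanisms=GSSAPI
listener.name.internal_sasl_plaintext.gssapi.sasl.jaas.config = \\
  com.sun.security.auth.module.Krb5LoginModule required \\
  debug=true \\
  useKeyTab=true \\
  keyTab="/etc/security/keytabs/kafka.keytab" \\
  principal="kafka/kafka1.example.com@EXAMPLE.COM";
listener.name.external_rbac_sasl_plaintext.sasl.enabled.mechanisms=OAUTHBEARER
"""

if __name__ == "__main__":
    for severity, message in lint(parse_properties(SAMPLE)):
        print(f"[{severity}] {message}")
```

Run it against the real file by replacing SAMPLE with the file's contents; a clean production file should produce no error findings and, once the listeners are moved to SASL_SSL and the bind to ldaps://, no warnings either. The continuation handling matters because the Krb5LoginModule and OAuthBearerLoginModule settings on this page span several lines; a naive line-by-line parser would read `debug=true` as its own property and miss it.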