Security Configuration Options

Describes Kafka Connect security parameters.

Security mechanisms provide an authentication, encryption, and impersonation layer between the Kafka Connect REST API clients and the Kafka Connect REST Gateway. By default, Kafka Connect is secure when installed on a secure cluster. A secure cluster is a cluster installed with the default security (MapR-SASL) enabled. Default security provides authentication, encryption, and impersonation for Kafka Connect.

Configure security for Kafka Connect through the security parameters in the connect-distributed.properties file.
/opt/mapr/kafka/kafka-<version>/config/connect-distributed.properties
NOTE
Ensure that both a ssl_keystore and a ssl_truststore file have been created.
Table 1. Security Parameters for Kafka Connect
Parameter Description Type Default
listeners Comma-separated list of listeners that listen for API requests over either HTTP or HTTPS. If a listener uses HTTPS, the appropriate SSL configuration parameters need to be set as well. Each listener must include the protocol, hostname, and port. For example: http://localhost:8082 list none
ssl.cipher.suites A list of SSL cipher suites. This list is a comma-separated list. Leave blank to use Jetty’s default. list none
authentication.enable Enable authentication. Data Fabric supports multiple authentication methods at same time: Basic and MapR-SASL. boolean false
authentication.cookie.expiration The option is used to specify expiration time (in seconds) for authentication cookie. long 7200 (2 hours)
impersonation.enable Whether or not to enable impersonation, if disabled - all manipulation will be performed from the admin of cluster user. boolean false
headers.file The option is used to specify XML file that contains security and custom headers. The headers will be added to a response by Jetty server. string none
hadoop.http.authentication.types A list of hadoop authentication types for MultiMechsAuthenticationHandler list maprauth, basic
ssl.cipher.suites.exclude A list of disabled SSL cipher suites. This is a comma-separated list. list
  • TLS_DHE.*
  • TLS_EDH.*
  • .*DES.*
  • .*MD5.*
  • .*RC4.*
ssl.disabled.protocols The list of SSL protocols that will not be accepted by clients. This is a comma-separated list. list
  • SSLv3
  • TLSv1.0
ssl.enabled.protocols The list of SSL protocols that can be accepted from clients. The list is a comma-separated list. Leave blank to use Jetty’s defaults. list empty
ssl.endpoint.identification.algorithm The endpoint identification algorithm to validate the server hostname using the server certificate. IMPORTANT: Jetty requires that the key's CN, stored in the keystore, must match the FQDN if ssl_endpoint_identification_algorithm=https. Leave blank to use Jetty’s default. string none
ssl.key.password The password of the private key in the keystore file. If this parameter is not set, the property value is obtained from the ssl-client.xml file. string empty
ssl.keymanager.algorithm The algorithm used by the key manager factory for SSL connections. Leave blank to use Jetty’s default. string none
ssl.keystore.location Location of the keystore file. If this parameter is not set, the property value is obtained from the ssl-client.xml file. string empty
ssl.keystore.password The store password for the keystore file. If this parameter is not set, the property value is obtained from the ssl-client.xml file. string empty
ssl.keystore.type The type of keystore file. string JKS
ssl.protocol The SSL protocol used to generate the SslContextFactory. string TLSv1.2
ssl.provider The SSL security provider name. Leave blank to use Jetty’s default. string none
ssl.trustmanager.algorithm The algorithm used by the trust manager factory for SSL connections. Leave blank to use Jetty’s default. string none
ssl.truststore.location Location of the trust store. Required only to authenticate HTTPS clients. string empty
ssl.truststore.password The store password for the trust store file. string empty
ssl.truststore.type The type of trust store file. string JKS