KSQL Security Parameters

Describes KSQL security parameters.

Security parameters provide an authentication, encryption, and impersonation layer between the KSQL clients and the KSQL Server. In secure clusters, KSQL is secured by default.

Requirement: Before you configure KSQL security parameters, verify that an ssl_keystore and an ssl_truststore file have been created.

The following table describes KSQL security parameters:
Parameter Description Type Default
ksql.schema.registry.maprsasl.auth Enable MapR Sasl authentication for Avro format with Schema Registry. boolean false
authentication.cookie.expiration Authentication cookie expiration time in seconds. long 7200 (2 hours)
authorization.enable Set 'true' or 'false' to enable or disable authorization for KSQL service. See KSQL Authorization. boolean false
authentication.enable Whether or not to enable authentication. boolean false
impersonation.enable Whether or not to enable impersonation. If disabled, all manipulation will be performed from the admin of cluster user. See KSQL Impersonation. boolean false
listeners Comma-separated list of listeners that listen for API requests over either HTTP or HTTPS. Each listener must include the protocol, hostname, and port. For example: http://localhost:8084 list none
ssl.cipher.suites A list of SSL cipher suites. This list is a comma-separated list. Leave blank to use Jetty’s default. list none
ssl.cipher.suites.exclude A list of disabled SSL cipher suites. This is a comma-separated list. Leave blank to use Jetty’s default. list
  • TLS_DHE.*
  • TLS_EDH.*
  • .DES.
  • .MD5.
  • .RC4.
ssl.client.auth Specifies whether or not to acquire the HTTPS client to authenticate via the server’s trust store.

This option is not available in KSQL 6.0.

boolean false
ssl.client.authentication Specifies whether or not to acquire the HTTPS client to authenticate via the server’s trust store. Possible values are NONE, REQUESTED, and REQUIRED.

This option is available in KSQL 6.0.

string none
ssl.disabled.protocols The list of SSL protocols that will not be accepted by clients. This is a comma-separated list. list
  • SSLv3
  • TLSv1.0
ssl.enabled.protocols The list of SSL protocols that can be accepted from clients. The list is a comma-separated list. Leave blank to use Jetty’s defaults. list empty
ssl.endpoint.identification.algorithm The endpoint identification algorithm to validate the server hostname using the server certificate. IMPORTANT: Jetty requires that the key's CN, stored in the keystore, must match the FQDN if ssl_endpoint_identification_algorithm=https. Leave blank to use Jetty’s default. string none
ssl.key.password The password of the private key in the keystore file.This parameter should be taken from the /opt/mapr/conf/ssl-client.xml file. If this parameter is not set, the property value is obtained from the ssl-client.xml file.
NOTE
If the ssl-client.xml file is changed, restart KSQL.
string empty
ssl.keymanager.algorithm The algorithm used by the key manager factory for SSL connections. Leave blank to use Jetty’s default. string empty
ssl.keystore.location Location of the keystore file.This parameter should be taken from the /opt/mapr/conf/ssl-client.xml file. If this parameter is not set, the property value is obtained from the ssl-client.xml file.
NOTE
If the ssl-client.xml file is changed, restart KSQL.
string empty
ssl.keystore.password The store password for the keystore file.This parameter should be taken from the /opt/mapr/conf/ssl-client.xml file. If this parameter is not set, the property value is obtained from the ssl-client.xml file.
NOTE
If the ssl-client.xml file is changed, restart KSQL.
string empty
ssl.keystore.type The type of keystore file. string JKS
ssl.protocol The SSL protocol used to generate the SslContextFactory. string TLS
ssl.provider The SSL security provider name. Leave blank to use Jetty’s default. string none
ssl.trustmanager.algorithm The algorithm used by the trust manager factory for SSL connections. Leave blank to use Jetty’s default. string none
ssl.truststore.location Location of the trust store. Required only to authenticate HTTPS clients. string empty
ssl.truststore.password The store password for the trust store file. string empty
ssl.truststore.type The type of trust store file. string JKS
ssl.trustallcerts.enable Set to true if you want to disable certificates verification. boolean false
headers.file The option is used to specify the XML file that contains security and custom headers. The headers will be added to a response by the Jetty server. string empty