Kafka Connect API Security

Learn how to secure the Kafka Connect API by requiring SSL client authentication, and what that does and does not protect.

You can secure the Kafka Connect API by configuring the Kafka Connect roles to require SSL client authentication. This is done by setting the SSL Client Authentication property to required. When set to required, only clients that pass SSL client authentication can access the Kafka Connect API. As a result, every client that should have access must have its certificate added to the Kafka Connect truststore, including Streams Messaging Manager (SMM). Cloudera recommends that in secure environments only SMM is given access to the Kafka Connect API.

In addition to setting client authentication to required, you may also want to set up a firewall using third-party tools to further restrict access to the Kafka Connect API. Note, however, that even with a firewall in place and SSL client authentication set to required, if SMM is given access to the Kafka Connect API, then any user who has access to SMM is able to interact with the Kafka Connect API. This is because SMM does not enforce authorization checks when users access Kafka Connect functionality within SMM, and this applies to both the SMM UI and the SMM REST API. As a result, caution is advised even when the Kafka Connect API itself is secured.

Complete the following steps to set SSL Client Authentication to required.

  1. Select the Kafka Service.
  2. Go to Configuration.
  3. Find the SSL Client Authentication property.
  4. Set the property to required.
  5. Click Save Changes.
  6. Restart the service.

Only authenticated clients are allowed to connect to the Kafka Connect API.

If you are using SMM to manage and monitor Kafka Connect, and you are not using Auto-TLS, add SMM’s certificate to the Kafka Connect truststore.
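The following Python script is an added example (not from this page, Cloudera or Kafka) that audits a Kafka Connect worker configuration for the settings described above. It assumes that the Cloudera Manager "SSL Client Authentication" property maps to the worker property ssl.client.auth (or its listener-prefixed form listeners.https.ssl.client.auth, which takes precedence), and the two sample configurations, host name and truststore path are constructed.

```python
"""Audit a Kafka Connect worker config for SSL client authentication.

Added example. Assumption: the Cloudera Manager "SSL Client Authentication"
property maps to ssl.client.auth / listeners.https.ssl.client.auth.
Kafka accepts the values none (default), requested and required; only
"required" rejects clients that present no certificate.
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value lines, # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:  # properties files also allow key:value
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def effective_client_auth(props: dict) -> str:
    """Listener-prefixed value overrides the global one; the default is none."""
    value = props.get("listeners.https.ssl.client.auth") or props.get("ssl.client.auth", "none")
    return value.lower()


def audit(text: str) -> list:
    """Return human-readable findings; an empty list means the config is hardened."""
    props = parse_properties(text)
    findings = []
    if "https://" not in props.get("listeners", "").lower():
        findings.append("REST listener is not HTTPS; client certificates cannot be required")
    auth = effective_client_auth(props)
    if auth != "required":
        findings.append(f"ssl.client.auth is '{auth}'; set it to 'required'")
    truststore = props.get("listeners.https.ssl.truststore.location") or props.get("ssl.truststore.location")
    if auth != "none" and not truststore:
        findings.append("no ssl.truststore.location; the SMM certificate has nowhere to be trusted")
    return findings


# Constructed sample configurations (host, port and path are placeholders).
WEAK_CONFIG = """
listeners=https://connect.example.internal:8443
ssl.client.auth=requested
ssl.truststore.location=/opt/placeholder/connect-truststore.jks
"""
HARDENED_CONFIG = WEAK_CONFIG.replace("requested", "required")
```

Running audit(WEAK_CONFIG) reports that requested must become required, while audit(HARDENED_CONFIG) returns no findings.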