Configuring connector JAAS configuration and Kerberos principal overrides

Learn how to configure Kafka Connect connectors to override the default JAAS configuration and Kerberos principal that they use to connect to the Kafka service. Configuring these overrides enables you to set up fine grained access rules for the connectors that you deploy.

By default Kafka Connect connectors, specifically the clients managed by Connect, use the JAAS configuration and Kerberos principal of the Connect worker (Kafka Connect role) to establish a connection with the Kafka service. As a result, all connectors that you deploy authenticate with the same principal. Additionally, if authorization is enabled, authorization also happens using that same principal. Because the connectors use the same principal as the worker and because the worker has all permission on the Kafka service, all connectors have full access to Kafka by default.

This behavior might not be desirable and you might want to configure fine grained access rules for individual connectors that you deploy. For example, you might want to have your connectors to be able to manage specific Kafka resources only, but not have access to other resources. To achieve this, you must configure connectors to be required to specify unique connection credentials for the Kafka service connection. Configuration is done in Cloudera Manager using Connector Kafka Client Configuration Override Policy and Require Connectors To Override Kafka Client JAAS Configuration Kafka service properties.

  1. In Cloudera Manager select the Kafka service.
  2. Go to Configuration.
  3. Find and configure the following properties.
    Table 1.
    Property Name Description
    Connector Kafka Client Configuration Override Policy Specifies what client configuration can be overridden by the connector. Its value is the class name or alias of the ConnectorClientConfigOverridePolicy implementation. The framework includes three implementations (policies). These are None, All, and Principal.
    • If set to None, configurations cannot be overridden. This is the default setting.
    • If set to Principal, SASL configurations can be overridden
    • If set to All, all configurations can be overridden
    Require Connectors To Override Kafka Client JAAS Configuration Specifies whether Connector configurations should override the sasl.jaas.config property of the Kafka clients used by the connector. If set to true, connector configurations must override the client's sasl.jaas.config property. The override must also not match the Kerberos credentials of the Connect worker. Additionally, if set to true, a UnionComposite'policy is installed under the connector.client.config.override.policy configuration. If Connector Kafka Client Configuration Override Policy is set to None, it is upgraded to Principal. Otherwise, the existing policy is also applied by the composite policy.
  4. Click Save Changes.
  5. Restart the Kafka service.
  • Update the configuration of all existing connectors to include the sasl.jaas.config property with a valid JAAS configuration.
  • Ensure that the principal specified for the connector has appropriate permissions assigned to it in your authorization service.