Configuring allowed LDAP and OAuth URLs

Configuring allowed LDAP and OAuth URLs is available in Cloudera Runtime 7.1.9 SP1 CHF 10 or higher. You can restrict which LDAP and OAuth URLs the internal clients used by Kafka Connect connectors are allowed to use. Configuring a trusted list of URLs can harden the security of your deployment and can prevent an attacker from setting malicious values in connector clients. To configure the list, set Java options in Cloudera Manager using an advanced configuration snippet.

  1. In Cloudera Manager, select the Kafka service.
  2. Go to Configuration.
  3. Find the Kafka Connect Environment Advanced Configuration Snippet (Safety Valve) property.
  4. Add or update the EXTRA_ARGS environment variable with the appropriate Java options.
    • To set allowed LDAP URLs, use the com.cloudera.kafka.ldap.allowed.urls Java option. For example:
      EXTRA_ARGS=-Dcom.cloudera.kafka.ldap.allowed.urls="http://www.ldap-example-1.com,http://www.ldap-example-2.com"
    • To set allowed OAuth URLs, use the org.apache.kafka.sasl.oauthbearer.allowed.urls Java option. For example:
      EXTRA_ARGS=-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls="http://www.oauth-example-1.com,http://www.oauth-example-2.com"
  5. Click the Save Changes button.
  6. Restart the Kafka service.
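
A pre-save check for the value entered in step 4, as an added example that is not Cloudera's or Apache Kafka's code: it parses the EXTRA_ARGS line, extracts the two allowlist properties, and reports entries that deserve a second look. The function name lint_safety_valve, the example.com hosts and paths, and the policy of reporting repeated EXTRA_ARGS lines, space-padded entries and cleartext schemes are assumptions of this example, not behaviour stated on this page.

```python
import shlex
from urllib.parse import urlsplit

# The two Java system properties named in step 4.
ALLOWLIST_PROPS = ("com.cloudera.kafka.ldap.allowed.urls",
                   "org.apache.kafka.sasl.oauthbearer.allowed.urls")
CLEARTEXT_SCHEMES = {"http", "ldap"}  # review policy assumed by this example

def lint_safety_valve(snippet):
    """Return (allowlists, findings) for a safety valve value (KEY=VALUE lines)."""
    allowlists, findings = {}, []
    values = [line.split("=", 1)[1] for line in snippet.splitlines()
              if line.strip().startswith("EXTRA_ARGS=")]
    if len(values) != 1:
        findings.append(f"EXTRA_ARGS defined {len(values)} times, expected once")
    for token in shlex.split(" ".join(values)):  # shlex removes the quotes
        name, sep, value = token.partition("=")
        prop = name[2:]
        if not (name.startswith("-D") and sep and prop in ALLOWLIST_PROPS):
            continue  # unrelated JVM option, not checked here
        if prop in allowlists:
            findings.append(f"{prop}: set more than once")
        allowlists[prop] = value.split(",")
        for entry in allowlists[prop]:
            if not entry or entry != entry.strip():
                findings.append(f"{prop}: empty or space-padded entry {entry!r}")
                continue
            try:
                url = urlsplit(entry)
                absolute = bool(url.scheme and url.hostname)
            except ValueError:  # e.g. malformed bracketed host
                absolute = False
            if not absolute:
                findings.append(f"{prop}: not an absolute URL {entry!r}")
            elif url.scheme in CLEARTEXT_SCHEMES:
                findings.append(f"{prop}: cleartext scheme in {entry!r}")
    return allowlists, findings

# Constructed sample: a space after the comma in the LDAP list and one
# cleartext http entry in the OAuth list.
SAMPLE = (
    'EXTRA_ARGS=-Dcom.cloudera.kafka.ldap.allowed.urls='
    '"ldaps://ldap-1.example.com:636, ldaps://ldap-2.example.com:636" '
    '-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls='
    '"https://idp.example.com/oauth2/token,http://idp.example.com/oauth2/jwks"'
)

if __name__ == "__main__":
    print("\n".join(lint_safety_valve(SAMPLE)[1]))
```

The sample also shows both options carried in a single EXTRA_ARGS value, separated by a space.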