Configuring allowed LDAP and OAuth URLs is available from
Cloudera Runtime 7.1.9 SP1 CHF 10 or higher. You can restrict which LDAP and OAuth
URLs are allowed for internal clients used by Kafka Connect connectors. Configuring a
trusted list of URLs can harden the security of your deployment and can prevent an attacker
from setting malicious values in connector clients. Configuration is done in Cloudera
Manager by setting Java options using an advanced configuration snippet.
- In Cloudera Manager, select the Kafka service.
- Go to Configuration.
- Find the Kafka Connect Environment Advanced Configuration Snippet (Safety Valve) property.
- Add or update the EXTRA_ARGS environment variable with the appropriate Java options.
  - To set allowed LDAP URLs, use the com.cloudera.kafka.ldap.allowed.urls Java option. For example:

    EXTRA_ARGS=-Dcom.cloudera.kafka.ldap.allowed.urls="http://www.ldap-example-1.com,http://www.ldap-example-2.com"

  - To set allowed OAuth URLs, use the org.apache.kafka.sasl.oauthbearer.allowed.urls Java option. For example:

    EXTRA_ARGS=-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls="http://www.oauth-example-1.com,http://www.oauth-example-2.com"

- Click the Save Changes button.
- Restart the Kafka service.
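
The following Python check is an added example, not part of the Cloudera documentation: it lints an EXTRA_ARGS value before it is pasted into the safety valve, reporting a missing allowlist and entries that are empty, not absolute URLs, carry credentials, or use a cleartext scheme. It assumes space-separated JVM options with shell-style quoting and comma-separated URLs; the function names and the sample value are constructed for illustration.

```python
import shlex
from urllib.parse import urlsplit

# Property names as given on this page.
ALLOWLIST_PROPS = ("com.cloudera.kafka.ldap.allowed.urls",
                   "org.apache.kafka.sasl.oauthbearer.allowed.urls")
CLEARTEXT_SCHEMES = {"http", "ldap"}  # schemes without transport encryption

def parse_allowlists(extra_args):
    """Return {property: [url, ...]} for each allowlist option in EXTRA_ARGS."""
    found = {}
    # Assumption: the value is a space-separated list of JVM options with
    # shell-style quoting, as in the examples on this page.
    for token in shlex.split(extra_args):
        name, sep, value = token[2:].partition("=")
        if token.startswith("-D") and sep and name in ALLOWLIST_PROPS:
            found[name] = [u.strip() for u in value.split(",")]
    return found

def audit(extra_args):
    """Return a list of (property, entry, problem) findings."""
    findings, lists = [], parse_allowlists(extra_args)
    for prop in ALLOWLIST_PROPS:
        if prop not in lists:
            findings.append((prop, None, "allowlist not set"))
            continue
        for entry in lists[prop]:
            parts = urlsplit(entry)
            if not entry:
                problem = "empty entry"
            elif not parts.scheme or not parts.hostname:
                problem = "not an absolute URL"
            elif parts.username or parts.password:
                problem = "credentials embedded in URL"
            elif parts.scheme in CLEARTEXT_SCHEMES:
                problem = "cleartext scheme"
            else:
                continue
            findings.append((prop, entry, problem))
    return findings

# Constructed sample value (hypothetical hosts), not from a real deployment.
SAMPLE = ('-Dcom.cloudera.kafka.ldap.allowed.urls="ldaps://ldap.example.com:636,ldap://ldap2.example.com" '
          '-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls="https://idp.example.com/oauth2/token,,idp.example.com/token"')

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```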