Configuring custom Kerberos principal for Kafka

In a Kerberos-enabled cluster, the Kafka service uses the kafka principal by default. Changing the default principal and using custom principals is supported. Principals can be configured on a service-wide level in Cloudera Manager with the Kerberos Principal property.

If you are using a custom process user, ensure that the custom Kerberos principal is set to the default Kafka service principal.

Access to Kafka znodes is restricted by default. Configuring the principal is only possible if access to the Kafka znodes in Zookeeper is unlocked. As a result, you must ensure that access to znodes is unlocked. For more information, see Unlocking access to Kafka metadata in Zookeeper.

  1. In Cloudera Manager select the Kafka service.
  2. Go to Configuration.
  3. Find the Kerberos Principal property and enter your principal.
  4. Click Save Changes.
  5. Restart the Kafka service.
The custom principal is configured for Kafka. Kafka uses the configured principal.
  • Restrict znode access. For more information, see Restricting access to Kafka metadata in Zookeeper.
  • If you use Ranger for authorization, update the principal in all resource-based services and policies that use the old principal.

    The exact services and policies you need to update depend on your environment and cluster setup. At minimum you need to update the principal in the Kafka and Solr resource-based services. For more information on updating resource-based services and policies, see Using Ranger to Provide Authorization in CDP

  • Update all Kafka clients to use the new principal.