You can restrict which LDAP and OAuth URLs are allowed for internal clients used by
Kafka Connect connectors. Configuring a trusted list of URLs can harden the security of your
deployment and can prevent an attacker from setting malicious values in connector clients.
Configuration is done in Cloudera Manager by setting Java options using an advanced
configuration snippet.
- In Cloudera Manager, select the Kafka service.
- Go to Configuration.
- Find the Kafka Connect Environment Advanced Configuration Snippet (Safety Valve) property.
- Add or update the EXTRA_ARGS environment variable with the appropriate Java options.
  - To set allowed LDAP URLs, use the com.cloudera.kafka.ldap.allowed.urls Java option. For example:

    EXTRA_ARGS=-Dcom.cloudera.kafka.ldap.allowed.urls="http://www.ldap-example-1.com,http://www.ldap-example-2.com"
  - To set allowed OAuth URLs, use the org.apache.kafka.sasl.oauthbearer.allowed.urls Java option. For example:

    EXTRA_ARGS=-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls="http://www.oauth-example-1.com,http://www.oauth-example-2.com"
- Click the Save Changes button.
- Restart the Kafka service.
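
The following is an added example, not part of the Cloudera documentation: a Python pre-flight check for an EXTRA_ARGS line before it is saved in the safety valve. It extracts the two allowlist options named above and flags entries that would weaken or break the list. The function names and the sample line are constructed for illustration, and the exact-string comparison in is_allowed is an assumption about how the client checks a URL against the list.

```python
import shlex
from urllib.parse import urlsplit

# Property names as given on this page.
ALLOWLIST_PROPS = (
    "com.cloudera.kafka.ldap.allowed.urls",
    "org.apache.kafka.sasl.oauthbearer.allowed.urls",
)

def parse_extra_args(line):
    """Return {property: [urls]} for the allowlist -D options in an EXTRA_ARGS line."""
    _, _, value = line.partition("=")          # drop the leading "EXTRA_ARGS"
    found = {}
    for token in shlex.split(value):           # shell-style split, honours the quotes
        if not token.startswith("-D"):
            continue
        name, _, urls = token[2:].partition("=")
        if name in ALLOWLIST_PROPS:
            found[name] = [u.strip() for u in urls.split(",")]
    return found

def lint(urls):
    """Return (entry, problem) pairs for allowlist entries that look wrong."""
    problems = []
    for entry in urls:
        parts = urlsplit(entry)
        if not entry:
            problems.append((entry, "empty entry (stray comma)"))
        elif not parts.scheme or not parts.hostname:
            problems.append((entry, "not an absolute URL"))
        elif "*" in entry:
            problems.append((entry, "wildcard; list each URL explicitly"))
        elif parts.username or parts.password:
            problems.append((entry, "embedded credentials"))
    return problems

def is_allowed(url, urls):
    # Assumption: the configured URL must equal one list entry exactly.
    return url in urls

if __name__ == "__main__":
    # Constructed sample line with a stray comma and a wildcard entry.
    bad = ('EXTRA_ARGS=-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls='
           '"http://www.oauth-example-1.com,,http://*.oauth-example-2.com"')
    for prop, urls in parse_extra_args(bad).items():
        print(prop, lint(urls))
```

Under the exact-match assumption, a connector configured with http://www.oauth-example-1.com/ (trailing slash) would not match the listed http://www.oauth-example-1.com, so compare the connector's configured values against the list before restarting.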