Configuring OAuth authentication

Learn how to configure OAuth authentication for Kafka. OAuth is configured by creating a Kubernetes secret for the OAuth server certificate and configuring OAuth for a listener in your Kafka resource.

Ensure that you have the following:
  • An OAuth server running that is accessible from the Kafka Kubernetes environment.
  • Both Kafka brokers and clients are able to access the OAuth server.
  • The TLS certificates of the OAuth server must be available in PEM format.
  • The following attributes of the OAuth environment must be determined:
    • userNameClaim – the claim name which contains the client ID. Typically this is sub, but it is OAuth provider dependent.
    • validIssuerUri – it must point to the URL that clients can use to connect to the OAuth server. The value can be obtained from the well-known endpoint of the OAuth server or from the iss claim of a JWT token issued by it.

To set up OAuth, create a Kubernetes secret for the OAuth certificate. The Strimzi Cluster Operator will mount and use the secret when configuring the listener.

kubectl create secret \
  -n kafka generic <oauth-server-cert-secret> \
  --from-file=<oauth-server-cert.pem>

The following snippet configures a Kafka cluster with an OAuth authenticated listener on port 9093. Notice that the authentication section in the listener config contains all OAuth-specific settings.

#...
kind: Kafka
spec:
  kafka:
    listeners:
      - name: oauth
        port: 9093
        type: internal
        tls: false
        authentication:
          type: oauth
          jwksEndpointUri: <uri-from-kafka-brokers-to-oauth-server>
          tlsTrustedCertificates:
            - secretName: <oauth-server-cert-secret>
              certificate: <oauth-server-cert.pem>
          userNameClaim: <user-name-claim>
          validIssuerUri: <uri-from-kafka-clients-to-oauth-server>
          maxSecondsWithoutReauthentication: 3600
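Before applying the listener configuration, it is worth checking that userNameClaim and validIssuerUri actually match the tokens the OAuth server issues. The script below is an added example, not part of this page or of Strimzi: it reads the claims of a token and compares them with the listener settings. The listener values and the two tokens are constructed for the demonstration; the script does not verify signatures, which the broker does through jwksEndpointUri.

```python
import base64
import json

# Listener settings as they would appear in the Kafka resource (assumed values).
LISTENER_AUTH = {
    "validIssuerUri": "https://oauth.example.com/realms/kafka",
    "userNameClaim": "sub",
}

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it.
    Signature checking is the broker's job (via jwksEndpointUri); this only
    reads the claims so they can be compared with the listener config."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))

def check_token_against_listener(token: str, auth: dict) -> list:
    """Return the mismatches between a token and the listener settings.
    The issuer is compared as an exact string, so a trailing slash or a
    different scheme counts as a mismatch. An empty list means consistent."""
    claims = decode_jwt_claims(token)
    problems = []
    iss = claims.get("iss")
    if iss != auth["validIssuerUri"]:
        problems.append(f"iss {iss!r} != validIssuerUri {auth['validIssuerUri']!r}")
    if auth["userNameClaim"] not in claims:
        problems.append(f"token has no {auth['userNameClaim']!r} claim")
    return problems

def _make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned sample token (alg=none) for the demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed sample tokens: one consistent with the listener, one not.
GOOD_TOKEN = _make_unsigned_jwt({"iss": "https://oauth.example.com/realms/kafka",
                                 "sub": "kafka-producer", "exp": 1700000000})
BAD_TOKEN = _make_unsigned_jwt({"iss": "https://oauth.example.com/realms/kafka/",
                                "client_id": "kafka-producer"})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, check_token_against_listener(tok, LISTENER_AUTH) or "OK")
```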

Configuring allowed URLs for OAuth authentication

You can restrict which OAuth URLs Kafka is allowed to connect to by setting the org.apache.kafka.sasl.oauthbearer.allowed.urls Java system property. Setting this property to a trusted list of OAuth servers gives you stricter control over the OAuth servers Kafka can access.

Configure the property in your KafkaNodePool resource using spec.jvmOptions.javaSystemProperties. If this property is not set, Kafka can connect to any OAuth URL. When configured, only the specified URLs are allowed.

#...
kind: KafkaNodePool
spec:
  jvmOptions:
    javaSystemProperties:
      - name: org.apache.kafka.sasl.oauthbearer.allowed.urls
        value: http://www.oauth-example-1.com,https://www.oauth-example-2.com