Authentication in Cloudera Surveyor for Apache Kafka
Get started with authentication in Cloudera Surveyor. Cloudera Surveyor supports LDAP authentication as the only authentication mechanism.
Cloudera Surveyor supports authentication of its end users. It supports a single authentication method, which is LDAP. While configuring authentication is optional, it is enabled by default. As a result, you must configure LDAP authentication properties during or after installation.
LDAP properties define the LDAP server Cloudera Surveyor uses to authenticate users. The LDAP server you configure must contain entries with valid usernames and passwords. When LDAP authentication is configured, users must provide valid credentials to access the Cloudera Surveyor UI.
Authentication keys and tokens
Cloudera Surveyor uses an authentication key to securely generate authentication tokens. These tokens are sent to clients and are required for subsequent access requests.
The authentication key is a sequence of at least 32 random bytes that you must manually generate, save as a file, and configure using a configuration property. You can use any tool or method to generate the authentication key.
The authentication key is sensitive data. Once configured, it is stored in a Kubernetes Secret and mounted to all Cloudera Surveyor Pods. Because of this, Cloudera recommends following the security guidelines of your organization and restricting access to Cloudera Surveyor for Apache Kafka Secrets and Pods. Use standard Kubernetes access control mechanisms, such as Role-Based Access Control (RBAC), to ensure proper security.
- Delete the file containing the authentication key after configuration is complete.
- Update the authentication key on a regular basis. You can update the authentication key at any time through configuration.
Configuring LDAP authentication
Learn how to configure LDAP authentication in Cloudera Surveyor.
- TLS is enabled and configured for Cloudera Surveyor. See Channel encryption (TLS).
- An LDAP server is available that meets the following requirements:
  - The server has TLS enabled.
  - The server is accessible from the Kubernetes cluster where Cloudera Surveyor for Apache Kafka is deployed.
  - Entries containing usernames and passwords are located under a common base in the directory information tree. Passwords must be stored in the `userPassword` attribute in the user entries.
Updating the authentication key
Learn how to update an authentication key that Cloudera Surveyor uses to generate authentication tokens. Cloudera recommends you update the key regularly. Alternatively, you might need to update the key as a security measure to log out all users.
You update the authentication key by updating `surveyorConfig.surveyor.authentication.keys.active` with a new key that you generate. Additionally, you temporarily set `surveyorConfig.surveyor.authentication.keys.passive` to the old key. Having both keys active at the same time is required to ensure a rolling transition of keys and prevents users from being forced to log in again multiple times. After the new key is added and active, you remove the old key to deactivate it.
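The active/passive transition described above, modelled as an added example (not Cloudera Surveyor's own code): the token format, the HMAC-SHA256 signing and the `TokenService` class are assumptions used only to show why both keys must coexist during the rollover and what happens to old tokens once the passive key is removed.

```python
import hashlib
import hmac
import secrets


class TokenService:
    """Hypothetical model of an active/passive authentication key pair.
    Tokens are 'payload.hex-tag', with the tag an HMAC-SHA256 over the
    payload (an assumption; the real Surveyor token format is not shown)."""

    MIN_KEY_BYTES = 32  # the page requires at least 32 random bytes

    def __init__(self, active: bytes):
        self._check_key(active)
        self.active = active
        self.passive = None  # the old key, kept only during a rolling transition

    @classmethod
    def _check_key(cls, key: bytes) -> None:
        if len(key) < cls.MIN_KEY_BYTES:
            raise ValueError("authentication key must be at least 32 random bytes")

    @staticmethod
    def generate_key() -> bytes:
        # Same effect as reading 32 bytes from a CSPRNG such as /dev/urandom.
        return secrets.token_bytes(32)

    def issue(self, payload: bytes) -> bytes:
        # New tokens are always signed with the active key, never the passive one.
        tag = hmac.new(self.active, payload, hashlib.sha256).hexdigest().encode()
        return payload + b"." + tag

    def verify(self, token: bytes) -> bool:
        # Accept a token if it validates under the active key, or under the
        # passive key while a rollover is in progress.
        payload, _, tag = token.rpartition(b".")
        for key in (self.active, self.passive):
            if key is None:
                continue
            expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
            if hmac.compare_digest(expected, tag):
                return True
        return False

    def rotate(self, new_key: bytes) -> None:
        # Step 1 of the rollover: new key becomes active, old key becomes passive.
        self._check_key(new_key)
        self.passive, self.active = self.active, new_key

    def retire_passive(self) -> None:
        # Step 2 of the rollover: drop the old key; tokens it signed stop validating.
        self.passive = None


def rotation_walkthrough():
    """Returns (before, during, after) validity of an old and a new token."""
    svc = TokenService(TokenService.generate_key())
    old_token = svc.issue(b"user=alice")        # constructed sample payload
    before = svc.verify(old_token)
    svc.rotate(TokenService.generate_key())
    new_token = svc.issue(b"user=alice")
    during = (svc.verify(old_token), svc.verify(new_token))
    svc.retire_passive()
    after = (svc.verify(old_token), svc.verify(new_token))
    return before, during, after
```

Removing the passive key while users still hold tokens signed by it is exactly the "everyone must log in again" outcome, so retire it only after the new key has been active long enough for sessions to be re-issued.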
A complete Cloudera Surveyor configuration (a full values.yaml file with all configured properties) is required to complete this task. Ensure you have the values file ready. You can retrieve all values for your installation using the `helm get values` command.
helm get values cloudera-surveyor \
--namespace [***NAMESPACE***] \
--all
The new authentication key is added. Authentication tokens are now signed with the new key. The old key is no longer accepted. All users are required to log in again.
The new authentication key is sensitive data. Cloudera recommends that you delete the new key file you generated.