Configuring SPNEGO Authentication and trusted proxies for the Kafka Connect REST API
Learn how you enable SPNEGO authentication and configure trusted proxies for the Kafka Connect REST API.
You can secure the Kafka Connect REST API by enabling SPNEGO authentication. This can be done with the Enable SPNEGO Authentication For Kafka Connect property in Cloudera Manager. If SPNEGO authentication is enabled, only users authenticated with Kerberos are able to access and use the REST API. Additionally, if Ranger authorization is enabled for the Kafka service, authenticated users are only able perform the operations that they are authorized for. If Ranger is not enabled, by default all authenticated users are able to perform all operations. Because users authenticate using Kerberos, securing the REST API using SPNEGO requires that Kerberos is enabled for the Kafka service.
https://[***KAFKA CONNECT HOST***]:28085/connector-permissions?doAs=systest
In this example,
systest is specified as the acting user. The
doAs parameter is only accepted if the authenticated principal is
recognized as a trusted proxy. By default, the Knox and SMM service principals
(specifically, the short names of their Kerberos service principals) are recognized as
trusted proxies. Trusted proxies can be configured with the List Of Trusted Proxy
Services Cloudera Manager property.
Ensure that Kerberos is enabled for the Kafka service. For more information, see Enable Kerberos authentication.
- In Cloudera Manager select the Kafka service.
- Go to Configuration.
- Find and enable the Enable SPNEGO Authentication For Kafka Connect property.
- Find and configure the List Of Trusted Proxy Services
property.Add the Kerberos principal short names of the services that you want to act as trusted proxies.
- Click Save Changes.
- Restart the Kafka service.