Learn about KRaft security and security configuration in CDP.
When you deploy Kafka in KRaft mode a set of specialized broker roles, KRaft Controller roles, are deployed on your cluster. KRaft Controllers communicate with brokers to serve their requests and to manage Kafka’s metadata. The connection between controllers and brokers can be secured using TLS/SSL encryption, TLS/SSL authentication, and/or Kerberos authentication.
By default KRaft Controllers inherit the security configuration of the parent Kafka service. For example, if TLS/SSL is enabled for Kafka, then Cloudera Manager automatically enables TLS/SSL for the KRaft Controllers in the cluster. As a result, if you configure security for the Kafka service, no additional configuration is required to secure KRaft Controllers.
However, if required, some security properties related to encryption and authentication can be configured separately for KRaft Controllers.
- TLS/SSL encryption and authentication
TLS/SSL configuration can be configured separately as the KRaft Controller role has its own set of TLS/SSL properties. You can enable or disable TLS/SSL as well as configure the key and truststore that the KRaft Controller roles use. For more information see, Configuring TLS/SSL for KRaft Controllers.
- Kerberos authentication
Kerberos cannot be enabled or disabled separately for KRaft Controllers. The default Kerberos principal for KRaft controllers, the
kraftuser, can be changed using the Role-Specific Kerberos Principal Kafka service property.
In addition to encryption and authentication, the default principal that KRaft Controllers run as is integrated with Ranger. For more information on the default policies set up for the user, see KRaft Ranger authorization.
Configuring TLS/SSL for KRaft Controllers
Learn how to configure TLS/SSL for KRaft Controllers.
- In Cloudera Manager, select the Kafka service.
- Go to Configuration.
Find and configure the following properties based on your cluster and
Table 1. KRaft TLS/SSL configuration properties Cloudera Manager Property Description
Enable TLS/SSL for Kraft Controller
Encrypt communication between clients and KRaft Controller using Transport Layer Security (TLS) (formerly known as Secure Socket Layer (SSL)).
KRaft Controller TLS/SSL Server JKS Keystore File Location
The path to the TLS/SSL keystore file containing the server certificate and private key used for TLS/SSL. Used when KRaft Controller is acting as a TLS/SSL server. The keystore must be in the format specified in.
KRaft Controller TLS/SSL Server JKS Keystore File Password
The password for the KRaft Controller keystore file.
KRaft Controller TLS/SSL Server JKS Keystore Key Password
The password that protects the private key contained in the keystore used when KRaft Controller is acting as a TLS/SSL server.
KRaft Controller TLS/SSL Trust Store File
The location on disk of the trust store, in .jks format, used to confirm the authenticity of TLS/SSL servers that KRaft Controller might connect to. This trust store must contain the certificate(s) used to sign the service(s) connected to. If this parameter is not provided, the default list of well-known certificate authorities is used instead.
KRaft Controller TLS/SSL Trust Store Password
The password for the KRaft Controller TLS/SSL Trust Store File. This password is not required to access the trust store; this field can be left blank. This password provides optional integrity checking of the file. The contents of trust stores are certificates, and certificates are public information.
SSL Client Authentication
Client authentication mode for SSL connections. This configuration has three valid values, required, requested, and none. If set to required, client authentication is required. If set to requested, client authentication is requested and clients without certificates can still connect. If set to none, which is the default value, no client authentication is required.
- Click Save Changes.
- Restart the Kafka service.
KRaft Ranger authorization
Learn how KRaft integrates with Ranger as well as the default policies and permissions set up for KRaft.
KRaft in CDP uses the KafkaRangerAuthorizer to authorize requests coming from other entities. In KRaft mode, Kafka brokers forward requests to the controllers and the controllers authorize these requests.
Kraft Controllers run as the
kraft user. By default, the Kafka resource-based
service in Ranger includes a
kraft internal - topic policy. This policy grants
all permission on the
__cluster_metadata topic for the
user as well as Describe, Describe Configs, and Consume permissions for the
kafka user (default user for brokers). By default, other users do not have
access to the
In addition, the
kraft user is added to all default Kafka policies that grant
all permissions on Kafka resources.