Configure TLS/SSL client authentication for Kafka brokers
Kafka supports TLS/SSL authentication (two-way authentication). To enable and configure TLS/SSL client authentication, you need to enable TLS/SSL encryption and set client authentication to be required by the brokers.
TLS/SSL authentication for Kafka brokers can be configured with the SSL Client Authentication property. The property has three valid values, required, requested, and none. If set to required, all clients connecting to the broker will be required to authenticate with TLS/SSL. If set to requested, authentication will be requested by the broker, but clients without certificates will still be able to connect. If set to none, no SSL authentication is required.
|SSL Client Authentication||Client certificate is presented||Client certificate is not presented|
If Ranger is used for authorization, the authenticated user's identity is used to determine what operations the client is authorized to carry out. As a result, you must ensure that policies in Ranger are set up accordingly.
Cloudera does not recommend that you set this property to requested. It is only useful in a limited number of scenarios and provides a false sense of security. Clients that present no certificates or present an invalid certificate will still be able to establish a connection, but will authenticate as ANONYMOUS. Depending on how your cluster is configured, the ANONYMOUS user might not have access to the required Kafka resources. This can lead to client failure.
- In Cloudera Manager, select the Kafka service.
- Go to Configuration.
- Find and configure the SSL Client Authentication property
based on your cluster and requirements.
Cloudera Manager Property Description SSL Client Authentication
Client authentication mode for SSL connections. This configuration has three valid values, required, requested, and none. If set to required, client authentication is required. If set to requested, client authentication is requested and clients without certificates can still connect. If set to none, which is the default value, no client authentication is required
- Configure principal mapping rules:
- Find the Kafka Broker Advanced Configuration Snippet (Safety Valve) for kafka.properties property.
- Add principal mapping rules.For example:
- Click Save Changes.
- Restart the Kafka service.