Configure TLS/SSL client authentication for Kafka brokers

Kafka supports TLS/SSL authentication (two-way authentication). To enable and configure TLS/SSL client authentication, you need to enable TLS/SSL encryption and set client authentication to be required by the brokers.

TLS/SSL authentication for Kafka brokers can be configured with the SSL Client Authentication property. The property has three valid values, required, requested, and none. If set to required, all clients connecting to the broker will be required to authenticate with TLS/SSL. If set to requested, authentication will be requested by the broker, but clients without certificates will still be able to connect. If set to none, no SSL authentication is required.

The authenticated user's identity is determined by how the SSL Client Authentication property is configured and whether a certificate is presented. The following table collects the possible outcomes:
Table 1. SSL Client Authentication options and outcomes
SSL Client Authentication Client certificate is presented Client certificate is not presented
required
  • authentication: successful
  • authenticated user: [***SUBJECT FROM THE CERTIFICATE***]
  • authentication: fails
requested
  • authentication: successful
  • authenticated user: [***SUBJECT FROM THE CERTIFICATE***]
  • authentication: successful
  • authenticated user: ANONYMOUS
none
  • authentication: successful
  • authenticated user: ANONYMOUS
  • authentication: successful
  • authenticated user: ANONYMOUS

If Ranger is used for authorization, the authenticated user's identity is used to determine what operations the client is authorized to carry out. As a result, you must ensure that policies in Ranger are set up accordingly.

Cloudera does not recommend that you set this property to requested. It is only useful in a limited number of scenarios and provides a false sense of security. Clients that present no certificates or present an invalid certificate will still be able to establish a connection, but will authenticate as ANONYMOUS. Depending on how your cluster is configured, the ANONYMOUS user might not have access to the required Kafka resources. This can lead to client failure.

Configure TLS/SSL encryption for the Kafka brokers. For more information, see Configure TLS/SSL encryption for Kafka brokers.
  1. In Cloudera Manager, select the Kafka service.
  2. Go to Configuration.
  3. Find and configure the SSL Client Authentication property based on your cluster and requirements.
    Cloudera Manager Property Description
    SSL Client Authentication

    ssl.client.auth

    Client authentication mode for SSL connections. This configuration has three valid values, required, requested, and none. If set to required, client authentication is required. If set to requested, client authentication is requested and clients without certificates can still connect. If set to none, which is the default value, no client authentication is required
  4. Configure principal mapping rules:
    1. Find the Kafka Broker Advanced Configuration Snippet (Safety Valve) for kafka.properties property.
    2. Add principal mapping rules.
      For example:
      ssl.principal.mapping.rules=RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/L,DEFAULT
      
  5. Click Save Changes.
  6. Restart the Kafka service.
Kafka brokers are configured for TLS/SSL authentication.
Configure your clients for TLS/SSL authentication.