Configuring SPNEGO Authentication and trusted proxies for the Kafka Connect REST API
Learn how to enable SPNEGO authentication and configure trusted proxies for the Kafka Connect REST API.
You can secure the Kafka Connect REST API by enabling SPNEGO authentication. This can be done with the Enable SPNEGO Authentication For Kafka Connect property in Cloudera Manager. If SPNEGO authentication is enabled, only users authenticated with Kerberos are able to access and use the REST API. Additionally, if Ranger authorization is enabled for the Kafka service, authenticated users are only able to perform the operations that they are authorized for. If Ranger is not enabled, by default all authenticated users are able to perform all operations. Because users authenticate using Kerberos, securing the REST API using SPNEGO requires that Kerberos is enabled for the Kafka service.
https://[***KAFKA CONNECT HOST***]:28085/connector-permissions?doAs=systest
In this example, systest is specified as the acting user. The doAs parameter is only accepted if the authenticated principal is recognized as a trusted proxy. By default, the Knox and Streams Messaging Manager service principals (specifically, the short names of their Kerberos service principals) are recognized as trusted proxies. Trusted proxies can be configured with the List Of Trusted Proxy Services Cloudera Manager property.
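To check from a client host that SPNEGO is actually enforced and to see how the endpoint answers a doAs request for the current principal, the following added example (not Cloudera's code) wraps curl. The function names and the host connect.example.com are hypothetical; it assumes a curl build with SPNEGO support, a CA that curl trusts, and a Kerberos ticket obtained with kinit.

```shell
# Added example: function names and sample host/user are constructed.
CONNECT_PORT=28085   # port shown in the page's example URL

# Build the /connector-permissions URL, optionally with a doAs user.
connect_url() {
  local host="$1" doas="${2:-}"
  local url="https://${host}:${CONNECT_PORT}/connector-permissions"
  if [ -n "$doas" ]; then url="${url}?doAs=${doas}"; fi
  printf '%s\n' "$url"
}

# Print the HTTP status code for a URL.
# mode "anon" sends no credentials; mode "spnego" uses the ticket cache.
http_status() {
  local mode="$1" url="$2"
  if [ "$mode" = "spnego" ]; then
    curl -s -o /dev/null -w '%{http_code}' --negotiate -u : "$url"
  else
    curl -s -o /dev/null -w '%{http_code}' "$url"
  fi
}

# Interpret the status of the request that carried no credentials.
# Assumption: the server answers with the usual HTTP 401 challenge.
classify_anon() {
  case "$1" in
    2??) echo "OPEN: served without Kerberos credentials" ;;
    401) echo "challenge: authentication required" ;;
    *)   echo "inconclusive (status $1)" ;;
  esac
}

# Run the three probes and print one line per probe.
check_connect_auth() {
  local host="$1" doas="$2" anon
  anon="$(http_status anon "$(connect_url "$host")")"
  echo "anonymous:     $(classify_anon "$anon")"
  echo "spnego:        $(http_status spnego "$(connect_url "$host")")"
  echo "spnego + doAs: $(http_status spnego "$(connect_url "$host" "$doas")")"
}

# Usage (after kinit): check_connect_auth connect.example.com systest
```

Run it once with a ticket for a principal listed in List Of Trusted Proxy Services and once with an ordinary user's ticket, then compare the "spnego + doAs" lines.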
Ensure that Kerberos is enabled for the Kafka service. For more information, see Enable Kerberos authentication.
