Configure Kafka LDAP authentication for Kafka clients
Learn how to configure Kafka clients for LDAP authentication.
You can enable Kafka to use LDAP credentials for client to broker authentication.
Client configuration is done by adding the required properties to the client's
client.properties file.
Clients connecting to CDP Data Hub provisioned clusters require a
Cloudera Data Platform user account that provides access to the
required Cloudera Data Platform resources. Verify that a Cloudera Data Platform user account with the required roles and
permissions is available for use. If not, create one. Any type of Cloudera Data Platform user account can be used. If you are creating a new
account to be used by Kafka clients, Cloudera recommends that you create a machine user
account. For more information, see User Management in the Cloudera Management Console documentation.
In addition to the Cloudera Data Platform user account having access
to the required Cloudera Data Platform resources, the user account also
needs to have the correct policies assigned to it in Ranger. Otherwise, the client cannot
perform tasks on Kafka resources. These policies are specified within the Ranger instance
that provides authorization to the Kafka service you want to connect to. For more
information, see the Cloudera Runtime documentation on Apache Ranger and the
Kafka specific Ranger documentation.
If you are transitioning from PAM to LDAP, ensure that the usernames you specify in the
client configuration are short names. Usernames that include the realm/domain are not
supported.
Set the SASL mechanism to PLAIN.
Add the following property to the
client.properties file.
sasl.mechanism=PLAIN
Configure the security protocol.
You can either use
SASL_SSL or SASL_PLAINTEXT. Which security protocol
you use will depend on whether or not SSL encryption is enabled on the broker. Add one of
the following properties to the client.properties file.
If encryption is enabled, use
SASL_SSL:
security.protocol=SASL_SSL
If encryption is not enabled, use
SASL_PLAINTEXT:
security.protocol=SASL_PLAINTEXT
Configure the JAAS.
You have two options when configuring the
JAAS:
Embed the required properties in the client.properties file
with the sasl.jaas.config property.
Replace [***USERNAME***] and
[***PASSWORD***] with the credentials of the Cloudera Data Platform user you set up for the client in Management Console. For the username, ensure that you use short names.
Specifying usernames that contain the realm/domain are not supported.
Use a separate JAAS config file:
Add a KafkaClient entry with a login module item to your JAAS configuration
file.
Replace
[***USERNAME***] and [***PASSWORD***]
with the credentials of the Cloudera Data Platform user you
set up for the client in Management Console. For the username,
ensure that you use short names. Specifying usernames that contain the
realm/domain are not supported.
Pass the location of your JAAS configuration file as a JVM parameter through a
command line
interface
export KAFKA_OPTS="-Djava.security.auth.login.config=[***PATH TO JAAS.CONF***]"
Replace
[***PATH TO JAAS.CONF***] with the location of the JAAS
configuration file you created.