Configuring authentication with Kerberos

Learn how to set up Kerberos authentication for SRM.

Configuring authentication with Kerberos for SRM can be achieved by adding the appropriate configuration properties to your srm.properties configuration file.

  1. Specify the security protocols:
    security.protocol = SASL_PLAINTEXT
  2. Specify the authentication mechanism:
    sasl.mechanism = GSSAPI
  3. Specify the service name:
    sasl.kerberos.service.name = kafka
  4. Configure the JAAS.
    You have two options when configuring the JAAS:
    1. Embed it in the srm.properties file with the sasl.jaas.config property:
      sasl.jaas.config = \
       com.sun.security.auth.module.Krb5LoginModule required \ 
           useKeyTab=true \
           keyTab="path/to/keytab file" \
           storeKey=true \
           useTicketCache=false \
           principal="streamsrepmgr@STREAMANALYTICS.COM";
      
    2. Create a JAAS configuration file containing the properties and pass its location with the SRM_KERBEROS_OPTS environment variable:
      export SRM_KERBEROS_OPTS="-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=/opt/streams-replication-manager/conf/srm-jaas.conf"
      

      For convenience, this and other environment variables can be added to /opt/streams-replication-manager/config/srm-env.sh.