Security Parameters
Describes Kafka REST security parameters.
By default, Kafka REST is secure when installed on a secure cluster. A secure cluster is a cluster installed with the default security (data-fabric SASL) enabled. Default security provides authentication, encryption, and impersonation for Kafka REST.
Configure security for Kafka REST through the security parameters in the
kafka-rest.properties file.
/opt/mapr/kafka-rest/kafka-rest-<version>/config/kafka-rest.propertiesNOTE Ensure that both a
ssl_keystore and a ssl_truststore
file have been created. | Parameter | Description | Type | Default |
|---|---|---|---|
| authentication.cookie.expiration | Authentication cookie expiration time in seconds. | long | 7200 (2 hours) |
| authentication.enable | Whether or not to enable authentication. | boolean | false |
| impersonation.enable | Whether or not to enable impersonation. If disabled, all manipulation will be performed from the admin of cluster user. | boolean | false |
| listeners | Comma-separated list of listeners that listen for API requests over either HTTP or HTTPS. Each listener must include the protocol, hostname, and port. For example: http://localhost:8082 | list | none |
| ssl.cipher.suites | A list of SSL cipher suites. This list is a comma-separated list. Leave blank to use Jetty’s default. | list | none |
| ssl.cipher.suites.exclude | A list of disabled SSL cipher suites. This is a comma-separated list. Leave blank to use Jetty’s default. | list |
|
| ssl.client.auth | Specifies whether or not to acquire the HTTPS client to authenticate via the server’s trust store. | boolean | false |
| ssl.disabled.protocols | The list of SSL protocols that will not be accepted by clients. This is a comma-separated list. | list |
|
| ssl.enabled.protocols | The list of SSL protocols that can be accepted from clients. The list is a comma-separated list. Leave blank to use Jetty’s defaults. | list | empty |
| ssl.endpoint.identification.algorithm | The endpoint identification algorithm to validate the server hostname using the server certificate. IMPORTANT: Jetty requires that the key's CN, stored in the keystore, must match the FQDN if ssl_endpoint_identification_algorithm=https. Leave blank to use Jetty’s default. | string | none |
| ssl.key.password | The password of the private key in the keystore file. This parameter should
be taken from the /opt/mapr/conf/ssl-client.xml file. If this parameter is not
set, the property value is obtained from the ssl-client.xml file. NOTE If the
ssl-client.xml file is changed, Kafka REST must be restarted. |
string | empty |
| ssl.keymanager.algorithm | The algorithm used by the key manager factory for SSL connections. Leave blank to use Jetty’s default. | string | empty |
| ssl.keystore.location | Location of the keystore file. This parameter should be taken from the
/opt/mapr/conf/ssl-client.xml file. If this parameter is not set, the property
value is obtained from the ssl-client.xml file. NOTE If the ssl-client.xml file is
changed, Kafka REST must be restarted. |
string | empty |
| ssl.keystore.password | The store password for the keystore file. This parameter should be taken
from the /opt/mapr/conf/ssl-client.xml file. If this parameter is not set, the
property value is obtained from the ssl-client.xml file. NOTE If the
ssl-client.xml file is changed, Kafka REST must be restarted. |
string | empty |
| ssl.keystore.type | The type of keystore file. | string | JKS |
| ssl.protocol | The SSL protocol used to generate the SslContextFactory. | string | TLS-v1.2- |
| ssl.provider | The SSL security provider name. Leave blank to use Jetty’s default. | string | none |
| ssl.trustmanager.algorithm | The algorithm used by the trust manager factory for SSL connections. Leave blank to use Jetty’s default. | string | none |
| ssl.truststore.location | Location of the trust store. Required only to authenticate HTTPS clients. | string | empty |
| ssl.truststore.password | The store password for the trust store file. | string | empty |
| ssl.truststore.type | The type of trust store file. | string | JKS |
| ssl.trustallcerts.enable | Set to true if you want to disable certificates verification. | boolean | false |
| headers.file | The option is used to specify the XML file that contains security and custom headers. The headers will be added to a response by the Jetty server. | string | empty |