Kafka REST 2.0.1: Security Parameters
The following security parameters provide an encryption layer between REST clients and the MapR REST Gateway.
These parameters are configurable in the
kafka-rest.properties file.
/opt/mapr/kafka-rest/kafka-rest-<version>/config/kafka-rest.propertiesNOTE: Ensure that both a
ssl_keystore and a ssl_truststore
file have been created. | Parameter | Description | Type | Default |
|---|---|---|---|
| Listeners | Comma-separated list of listeners that listen for API requests over either HTTP or HTTPS. If a listener uses HTTPS, the appropriate SSL configuration parameters need to be set as well. Each listener must include the protocol, hostname, and port. For example: http://localhost:8082 | N/A | N/A |
rest.proxy.enable.doAs |
Specifies whether or not to enable impersonation for MapR-ES topics. For this to take effect, PAM authentication must be enabled. | boolean | true |
authentication.method |
Specifies whether or not to enable PAM authentication. Set to NONE to disable. | string | BASIC |
authentication.realm |
Specifies realm for PAM authentication. Set to an empty string ("") to disable PAM. Set to jpamLogin to enable authentication | string | jpam |
ssl.cipher.suites |
A list of SSL cipher suites. This list is a comma-separated list. Leave blank to use Jetty’s default. | list | none |
ssl.cipher.suites.exclude |
A list of disabled SSL cipher suites. This is a comma-separated list. | list |
|
ssl.client.auth |
Specifies whether or not to acquire the HTTPS client to authenticate via the server’s trust store. | boolean | false |
ssl.disabled.protocols |
The list of SSL protocols that will not be accepted by clients. This is a comma-separated list. | list |
|
ssl.enabled.protocols |
The list of SSL protocols that can be accepted from clients. The list is a comma-separated list. Leave blank to use Jetty’s defaults. | list | empty |
ssl.endpoint.identification.algorithm |
The endpoint identification algorithm to validate the server hostname using the server certificate. IMPORTANT: Jetty requires that the key's CN, stored in the keystore, must match the FQDN if ssl_endpoint_identification_algorithm=https. Leave blank to use Jetty’s default. | string | none |
ssl.key.password |
The password of the private key in the keystore file. | string | empty |
ssl.keymanager.algorithm |
The algorithm used by the key manager factory for SSL connections. Leave blank to use Jetty’s default. | string | none |
ssl.keystore.location |
Location of the keystore file. | string | empty |
ssl.keystore.password |
The store password for the keystore file. | string | empty |
ssl.keystore.type |
The type of keystore file. | string | JKS |
ssl.protocol |
The SSL protocol used to generate the SslContextFactory. | string | TLSv1.2 |
ssl.provider |
The SSL security provider name. Leave blank to use Jetty’s default. | string | none |
ssl.trustmanager.algorithm |
The algorithm used by the trust manager factory for SSL connections. Leave blank to use Jetty’s default. | string | none |
ssl.truststore.location |
Location of the trust store. Required only to authenticate HTTPS clients. | string | empty |
ssl.truststore.password |
The store password for the trust store file. | string | empty |
ssl.truststore.type |
The type of trust store file. | string | JKS |