Security Parameters
Describes Kafka REST security parameters.
Configure security for Kafka REST through the security parameters in the kafka-rest.properties file:

/opt/mapr/kafka-rest/kafka-rest-<version>/config/kafka-rest.properties

NOTE: Ensure that both an ssl_keystore and an ssl_truststore file have been created.

Parameter | Description | Type | Default |
---|---|---|---|
listeners | Comma-separated list of listeners that listen for API requests over either HTTP or HTTPS. Each listener must include the protocol, hostname, and port. For example: http://localhost:8082 | list | none |
rest.proxy.enable.doAs | Specifies whether or not to enable impersonation for MapR Event Store For Apache Kafka topics. For this to take effect, PAM authentication must be enabled. | boolean | true |
authentication.method | Specifies whether or not to enable PAM authentication. Set to NONE to disable. | string | BASIC |
authentication.realm | Specifies the realm for PAM authentication. Set to an empty string ("") to disable PAM. Set to jpamLogin to enable authentication. | string | jpam |
ssl.cipher.suites | A comma-separated list of SSL cipher suites. Leave blank to use Jetty’s default. | list | none |
ssl.cipher.suites.exclude | A comma-separated list of disabled SSL cipher suites. Leave blank to use Jetty’s default. | list | |
ssl.client.auth | Specifies whether or not to require the HTTPS client to authenticate via the server’s trust store. | boolean | false |
ssl.disabled.protocols | A comma-separated list of SSL protocols that will not be accepted by clients. | list | |
ssl.enabled.protocols | A comma-separated list of SSL protocols that can be accepted from clients. Leave blank to use Jetty’s defaults. | list | empty |
ssl.endpoint.identification.algorithm | The endpoint identification algorithm to validate the server hostname using the server certificate. IMPORTANT: Jetty requires that the key's CN, stored in the keystore, must match the FQDN if ssl_endpoint_identification_algorithm=https. Leave blank to use Jetty’s default. | string | none |
ssl.key.password | The password of the private key in the keystore file. This parameter should be taken from the /opt/mapr/conf/ssl-client.xml file. If this parameter is not set, the property value is obtained from the ssl-client.xml file. NOTE: If the ssl-client.xml file is changed, Kafka REST must be restarted. | string | empty |
ssl.keymanager.algorithm | The algorithm used by the key manager factory for SSL connections. Leave blank to use Jetty’s default. | string | empty |
ssl.keystore.location | Location of the keystore file. This parameter should be taken from the /opt/mapr/conf/ssl-client.xml file. If this parameter is not set, the property value is obtained from the ssl-client.xml file. NOTE: If the ssl-client.xml file is changed, Kafka REST must be restarted. | string | empty |
ssl.keystore.password | The store password for the keystore file. This parameter should be taken from the /opt/mapr/conf/ssl-client.xml file. If this parameter is not set, the property value is obtained from the ssl-client.xml file. NOTE: If the ssl-client.xml file is changed, Kafka REST must be restarted. | string | empty |
ssl.keystore.type | The type of keystore file. | string | JKS |
ssl.protocol | The SSL protocol used to generate the SslContextFactory. | string | TLS-v1.2- |
ssl.provider | The SSL security provider name. Leave blank to use Jetty’s default. | string | none |
ssl.trustmanager.algorithm | The algorithm used by the trust manager factory for SSL connections. Leave blank to use Jetty’s default. | string | none |
ssl.truststore.location | Location of the trust store. Required only to authenticate HTTPS clients. | string | empty |
ssl.truststore.password | The store password for the trust store file. | string | empty |
ssl.truststore.type | The type of trust store file. | string | JKS |
ssl.trustallcerts.enable | Set to true to disable certificate verification. | boolean | false |
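
One way to check a kafka-rest.properties file against the parameters in this table, as an added example that is not MapR's or this page's own code: it flags plaintext listeners, disabled PAM (and impersonation left enabled without it), disabled certificate verification, and client authentication with no trust store. The finding names, the sample hostname and the trust store path are assumptions of the example.

```python
"""Audit kafka-rest.properties text against the parameters in the table above."""

# Defaults as listed in the table, for the parameters checked here.
DEFAULTS = {
    "listeners": "", "rest.proxy.enable.doAs": "true",
    "authentication.method": "BASIC", "authentication.realm": "jpam",
    "ssl.client.auth": "false", "ssl.truststore.location": "",
    "ssl.trustallcerts.enable": "false",
}

def parse_properties(text):
    """Parse key=value lines over the defaults; '#' and '!' start comments."""
    props = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().strip('"')
    return props

def audit(text):
    """Return sorted finding names (the names are this example's own)."""
    p = parse_properties(text)
    on = lambda key: p[key].lower() == "true"
    findings = set()
    if any(l.strip().lower().startswith("http://") for l in p["listeners"].split(",")):
        findings.add("plaintext-listener")
    if p["authentication.method"].upper() == "NONE" or p["authentication.realm"] == "":
        findings.add("pam-disabled")
        if on("rest.proxy.enable.doAs"):
            findings.add("doas-without-pam")  # doAs only takes effect with PAM
    if on("ssl.trustallcerts.enable"):
        findings.add("cert-verification-disabled")
    if on("ssl.client.auth") and not p["ssl.truststore.location"]:
        findings.add("client-auth-without-truststore")  # trust store needed here
    return sorted(findings)

# Constructed sample inputs (hostname and trust store path are placeholders).
WEAK = """listeners=http://localhost:8082
authentication.method=NONE
ssl.trustallcerts.enable=true
ssl.client.auth=true
"""
HARDENED = """listeners=https://rest.example.com:8082
authentication.realm=jpamLogin
ssl.client.auth=true
ssl.truststore.location=/path/to/ssl_truststore
"""
if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```

To audit a deployed file, pass its contents to `audit()`; keystore values that fall back to ssl-client.xml are not inspected by this example.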