Configuring Authentication with Kerberos
Also available as:
PDF
loading table of contents...

JAAS Configuration File for the Kafka Server

The Java Authentication and Authorization Service (JAAS) API supplies user authentication and authorization services for Java applications.

After enabling Kerberos, Ambari sets up a JAAS login configuration file for the Kafka server. This file is used to authenticate the Kafka broker against Kerberos. The file is stored at:

/usr/hdp/current/kafka-broker/config/kafka_server_jaas.conf

Ambari adds the following settings to the file. (Note: serviceName="kafka" is required for connections from other brokers.)

KafkaServer {
       com.sun.security.auth.module.Krb5LoginModule required
       useKeyTab=true
       keyTab="/etc/security/keytabs/kafka.service.keytab"
       storeKey=true
       useTicketCache=false
       serviceName="kafka" 
       principal="kafka/c6401.ambari.apache.org@EXAMPLE.COM";
       };
       
Client { // used for zookeeper connection
       com.sun.security.auth.module.Krb5LoginModule required
       useKeyTab=true
       keyTab="/etc/security/keytabs/kafka.service.keytab"
       storeKey=true
       useTicketCache=false
       serviceName="zookeeper"
       principal="kafka/c6401.ambari.apache.org@EXAMPLE.COM";
       };