JAAS Configuration File for the Kafka Client
After enabling Kerberos, Ambari sets up a JAAS login configuration file for the Kafka client. Settings in this file will be used for any client (consumer, producer) that connects to a Kerberos-enabled Kafka cluster.
The file is stored at:
/usr/hdp/current/kafka-broker/config/kafka_client_jaas.conf
Ambari adds the following settings to the file. (Note: serviceName=kafka
is
required for connections from other brokers.)
Kafka client configuration with keytab, for producers:
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/security/keytabs/storm.service.keytab"
storeKey=true
useTicketCache=false
serviceName="kafka"
principal="storm@EXAMPLE.COM";
};
Kafka client configuration without keytab, for producers:
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
renewTicket=true
serviceName="kafka";
};
Kafka client configuration for consumers:
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
renewTicket=true
serviceName="kafka";
};