Configuring Authentication with Kerberos
Also available as:
PDF
loading table of contents...

JAAS Configuration File for the Kafka Client

After enabling Kerberos, Ambari sets up a JAAS login configuration file for the Kafka client. Settings in this file will be used for any client (consumer, producer) that connects to a Kerberos-enabled Kafka cluster.

The file is stored at:

/usr/hdp/current/kafka-broker/config/kafka_client_jaas.conf

Ambari adds the following settings to the file. (Note: serviceName=kafka is required for connections from other brokers.)

Kafka client configuration with keytab, for producers:

KafkaClient {
     com.sun.security.auth.module.Krb5LoginModule required
     useKeyTab=true
     keyTab="/etc/security/keytabs/storm.service.keytab"
     storeKey=true
     useTicketCache=false
     serviceName="kafka"
     principal="storm@EXAMPLE.COM";
    };

Kafka client configuration without keytab, for producers:

KafkaClient {
     com.sun.security.auth.module.Krb5LoginModule required
     useTicketCache=true
     renewTicket=true
     serviceName="kafka";
    };

Kafka client configuration for consumers:

KafkaClient {
     com.sun.security.auth.module.Krb5LoginModule required
     useTicketCache=true
     renewTicket=true
     serviceName="kafka";
     };