Kafka Security Manager

This project is sponsored by Conduktor.io, a graphical desktop user interface for Apache Kafka. With Conduktor you can visualize your ACLs in your Apache Kafka cluster!

Kafka Security Manager (KSM) allows you to manage your Kafka ACLs at scale by leveraging an external source as the source of truth. Zookeeper just contains a copy of the ACLs instead of being the source.

- Kafka administration is done outside of Kafka: anyone with access to the external ACL source can manage Kafka security.
- Prevents intruders: if someone were to add ACLs to Kafka using the CLI, they would be reverted by KSM within 10 seconds.
- Full auditability: KSM provides the guarantee that ACLs in Kafka are those in the external source. Additionally, if for example your external source is GitHub, then PRs, PR approvals and commit history will provide a full audit log of who did what to the ACLs and when.
- Notifications: KSM can notify external channels (such as Slack) in order to give feedback to admins when ACLs are changed. This is particularly useful to ensure that 1) ACL changes are correctly applied and 2) ACLs are not changed in Kafka directly.

Your role is to ensure that Kafka Security Manager is never down, as it is now the custodian of your ACLs.

Running:

target/universal/stage/bin/kafka-security-manager -Dconfig.file=path/to/nf

The csv parser is the default parser and also the fallback one in case no other parser is matched.

Overall we use the lightbend config library to configure this project. The default configurations can be overwritten using the following environment variables:

- KSM_READONLY=false: enables KSM to synchronize from an external ACL source. The default value is true, which prevents KSM from altering ACLs in Zookeeper.
- KSM_EXTRACT_ENABLE=true: enable extract mode (get all the ACLs from Kafka formatted as a CSV or YAML).
- KSM_EXTRACT_FORMAT=csv: selects which format to extract the ACLs with (defaults to csv, supports also yaml).
- KSM_REFRESH_FREQUENCY_MS=10000: how often to check for changes in ACLs in Kafka and in the Source. If it's set to 0 or a negative value, for example -1, then KSM executes ACL synchronization just once and exits.
- KSM_NUM_FAILED_REFRESHES_BEFORE_NOTIFICATION=1: how many times the refresh of a Source needs to fail (e.g. HTTP timeouts) before a notification is sent. Any value less than or equal to 1 here will notify on every failure to refresh.
- AUTHORIZER_CLASS: authorizer class for ACL operations. Default is SimpleAclAuthorizer, configured with:
  - AUTHORIZER_ZOOKEEPER_CONNECT: zookeeper connection string.
  - AUTHORIZER_ZOOKEEPER_SET_ACL=true (default false): set to true if you want your ACLs in Zookeeper to be secure (you probably do want them to be secure); when in doubt, set it the same as your Kafka brokers.
  A no-Zookeeper authorizer class on top of the Kafka Admin Client is bundled with KSM as io., configured with options for .admin.AdminClientConfig:
  - ADMIN_CLIENT_ID - client.id, an id to pass to the server when making requests, for tracing/audit purposes; default kafka-security-manager.
  The properties below are not provided to the client unless the environment variable is set:
  - ADMIN_CLIENT_BOOTSTRAP_SERVERS - bootstrap.servers.
  - ADMIN_CLIENT_SECURITY_PROTOCOL - security.protocol.
  - ADMIN_CLIENT_SASL_JAAS_CONFIG - alternative to the system JAAS configuration.
  - ADMIN_CLIENT_SSL_TRUSTSTORE_LOCATION.
  - ADMIN_CLIENT_SSL_TRUSTSTORE_PASSWORD.
- The ACL source can be one of the following:
  - io. (default): No source for the ACLs.
  - io.: get the ACL source from a file on disk.
  - io.: get the ACL from GitLab using personal access tokens. Great to get started quickly and store the ACL securely under version control.
    - SOURCE_GITLAB_FILEPATH: Path to the ACL file in the GitLab project.
    - SOURCE_GITLAB_ACCESSTOKEN: GitLab Personal Access Token.
  - Getting the ACL from S3: good for when you have an S3 bucket managed by Terraform or CloudFormation. This requires region, bucketname and objectkey. See Access credentials for credentials management.
    - SOURCE_S3_BUCKETNAME: AWS S3 Bucket name.
    - SOURCE_S3_OBJECTKEY: The Object containing the ACL CSV in S3.
  - io.: get the ACL from Bitbucket Server using the v1 REST API.
  - io.: get the ACL from Bitbucket Cloud using the Bitbucket Cloud REST API v2. Great if you have private repos in Bitbucket.
  - io.: get the ACL from an HTTP endpoint. You can enable Google OAuth OIDC Token Authentication.
    - SOURCE_HTTP_URL: HTTP endpoint to retrieve ACL data.
    - SOURCE_HTTP_AUTH_TYPE: to enable HTTP authentication.
    - SOURCE_HTTP_AUTH_GOOGLEIAM_SERVICE_ACCOUNT: Google Service Account name.
    - SOURCE_HTTP_AUTH_GOOGLEIAM_SERVICE_ACCOUNT_KEY: Google Service Account Key as a JSON-encoded string.
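The reconcile-and-notify cycle the text describes (KSM_READONLY reporting drift without applying it, out-of-band ACLs being reverted on the next refresh, and KSM_NUM_FAILED_REFRESHES_BEFORE_NOTIFICATION gating failure notifications), as an added Python illustration. It is not the project's code; the CSV column layout, the `Acl`/`Synchronizer` names and the notification messages are assumptions for the example.

```python
import csv
import io
from typing import Callable, NamedTuple

# Assumed column layout for the ACL CSV (the page does not show the format).
COLUMNS = ["KafkaPrincipal", "ResourceType", "PatternType", "ResourceName",
           "Operation", "PermissionType", "Host"]

class Acl(NamedTuple):
    principal: str
    resource_type: str
    pattern_type: str
    resource_name: str
    operation: str
    permission: str
    host: str

def parse_acl_csv(text: str) -> set[Acl]:
    """Parse the external source of truth; the header must match COLUMNS exactly."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != COLUMNS:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    return {Acl(*(row[c].strip() for c in COLUMNS)) for row in reader}

class Synchronizer:
    """One refresh tick in the style KSM describes: fetch source, diff, apply or report."""
    def __init__(self, readonly: bool = True, failures_before_notification: int = 1):
        self.readonly = readonly  # KSM_READONLY: report drift but never touch Kafka
        self.threshold = max(1, failures_before_notification)  # <= 1 notifies every time
        self.consecutive_failures = 0
        self.notifications: list[str] = []

    def refresh(self, fetch_source: Callable[[], set[Acl]], kafka: set[Acl]):
        """Return (to_add, to_remove); mutate `kafka` in place only when not read-only."""
        try:
            desired = fetch_source()
        except Exception as exc:  # e.g. an HTTP timeout on the source endpoint
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.threshold:
                self.notifications.append(f"source refresh failed: {exc}")
            return set(), set()
        self.consecutive_failures = 0
        to_add, to_remove = desired - kafka, kafka - desired
        if to_add or to_remove:  # an ACL added out of band shows up in to_remove
            self.notifications.append(f"ACL drift: +{len(to_add)} -{len(to_remove)}")
        if not self.readonly:
            kafka |= to_add
            kafka -= to_remove
        return to_add, to_remove
```

Calling `refresh` every KSM_REFRESH_FREQUENCY_MS with a fresh snapshot of Kafka's ACLs gives the loop; with a zero or negative frequency it would be called once.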