# 5.Security ## 2.5.1 Overview If your Kafka cluster has set security authentication, you need to set the corresponding security authentication information in EFAK. * SASL/GSSAPI (Kerberos) * SASL/PLAIN * SASL/SCRAM-SHA-256 * SASL/OAUTHBEARER * SSL * CGROUPS (SASL & SSL) ## 2.5.2 Kerberos EFAK `system-config.properties` file setting: ```bash ###################################### # kafka sasl authenticate ###################################### cluster1.efak.sasl.enable=true cluster1.efak.sasl.protocol=SASL_PLAINTEXT cluster1.efak.sasl.mechanism=GSSAPI cluster1.efak.sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka_client.keytab" principal="kafka-eagle.org@EXAMPLE.COM"; # make sure there is a local ticket cache "klist -l" to view # cluster1.efak.sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true renewTicket=true serviceName="kafka-eagle.org"; # if your kafka cluster doesn't require it, you don't need to set it up # cluster1.efak.sasl.client.id= ``` ## 2.5.3 PLAIN EFAK `system-config.properties` file setting: ```bash ###################################### # kafka sasl authenticate ###################################### cluster1.efak.sasl.enable=true cluster1.efak.sasl.protocol=SASL_PLAINTEXT cluster1.efak.sasl.mechanism=PLAIN cluster1.efak.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="kafka" password="kafka-eagle"; # if your kafka cluster doesn't require it, you don't need to set it up # cluster1.efak.sasl.client.id= ``` ## 2.5.4 SCRAM-SHA-256 EFAK system-config.properties file setting: ```bash ###################################### # kafka sasl authenticate ###################################### cluster1.efak.sasl.enable=true cluster1.efak.sasl.protocol=SASL_PLAINTEXT cluster1.efak.sasl.mechanism=SCRAM-SHA-256 cluster1.efak.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="kafka" password="kafka-eagle"; # if your kafka cluster doesn't require it, you don't need to set it up # cluster1.efak.sasl.client.id= ``` ## 2.5.5 OAUTHBEARER If you use this authentication, you need to make sure that your Kafka cluster version is after `2.x`, EFAK `system-config.properties` file setting: ```bash ###################################### # kafka sasl authenticate ###################################### cluster1.efak.sasl.enable=true cluster1.efak.sasl.protocol=SASL_PLAINTEXT cluster1.efak.sasl.mechanism=OAUTHBEARER cluster1.efak.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required unsecuredLoginStringClaim_sub="kafka-eagle"; # if your kafka cluster doesn't require it, you don't need to set it up # cluster1.efak.sasl.client.id= ``` ## 2.5.6 SSL If you use this authentication(ssl), you need to make sure that your Kafka cluster version is after `2.x`, EFAK `system-config.properties` file setting: ```bash ###################################### # kafka ssl authenticate ###################################### cluster3.efak.ssl.enable=true cluster3.efak.ssl.protocol=SSL # kafka server.properties "ssl.truststore.location" value cluster3.efak.ssl.truststore.location=/data/kafka/ssl/certificates/kafka.truststore # kafka server.properties "ssl.truststore.password" value cluster3.efak.ssl.truststore.password=ke123456 # kafka server.properties "ssl.keystore.location" value cluster3.efak.ssl.keystore.location=/data/kafka/ssl/certificates/kafka.keystore # kafka server.properties "ssl.keystore.password" value cluster3.efak.ssl.keystore.password=ke123456 # kafka server.properties "ssl.endpoint.identification.algorithm" value cluster3.efak.ssl.endpoint.identification.algorithm=https # kafka server.properties "ssl.key.password" value cluster3.efak.ssl.key.password=ke123456 ``` ## 2.5.7 CGroups When using permission authentication (such as SASL Or SSL), the user you are using only supports managing a limited number of kafka topics. You can enable the following properties: ```bash # SASL cluster1.efak.sasl.cgroup.enable=true cluster1.efak.sasl.cgroup.topics=topic1,topic2,topic3 # SSL cluster2.efak.ssl.cgroup.enable=true cluster2.efak.ssl.cgroup.topics=topic4,topic5,topic6 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.kafka-eagle.org/2.installation/5.security.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.