Posted to commits@kafka.apache.org by ij...@apache.org on 2017/09/19 04:33:14 UTC
kafka git commit: MINOR: Refer consistently to server.properties in
security docs
Repository: kafka
Updated Branches:
refs/heads/trunk 0cf770800 -> 83bdcdbae
MINOR: Refer consistently to server.properties in security docs
Author: Manikumar Reddy <ma...@gmail.com>
Reviewers: Ismael Juma <is...@juma.me.uk>
Closes #3788 from omkreddy/RULE-DOC
Project: http://git-wip-us.apache.org/repos/asf/kafka/repo
Commit: http://git-wip-us.apache.org/repos/asf/kafka/commit/83bdcdba
Tree: http://git-wip-us.apache.org/repos/asf/kafka/tree/83bdcdba
Diff: http://git-wip-us.apache.org/repos/asf/kafka/diff/83bdcdba
Branch: refs/heads/trunk
Commit: 83bdcdbaef4e594ec5aac0736ffce5d0172c1671
Parents: 0cf7708
Author: Manikumar Reddy <ma...@gmail.com>
Authored: Tue Sep 19 05:33:02 2017 +0100
Committer: Ismael Juma <is...@juma.me.uk>
Committed: Tue Sep 19 05:33:02 2017 +0100
----------------------------------------------------------------------
docs/security.html | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/kafka/blob/83bdcdba/docs/security.html
----------------------------------------------------------------------
diff --git a/docs/security.html b/docs/security.html
index dab00dd..3e469b2 100644
--- a/docs/security.html
+++ b/docs/security.html
@@ -154,7 +154,7 @@
<li>ssl.truststore.type=JKS</li>
<li>ssl.secure.random.implementation=SHA1PRNG</li>
</ol>
- If you want to enable SSL for inter-broker communication, add the following to the broker properties file (it defaults to PLAINTEXT)
+ If you want to enable SSL for inter-broker communication, add the following to the server.properties file (it defaults to PLAINTEXT)
<pre>
security.inter.broker.protocol=SSL</pre>
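Review bot: In the reworded sentence, "(it defaults to PLAINTEXT)" has no clear antecedent and now reads as if the server.properties file itself defaults to PLAINTEXT; name the setting instead, for example "(security.inter.broker.protocol defaults to PLAINTEXT)". The sentence also runs straight into the <pre> block without a colon or full stop, and the file name could be wrapped in <code>, as the second hunk does for sasl.kerberos.principal.to.local.rules.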
@@ -664,13 +664,13 @@
</ol>
<h3><a id="security_authz" href="#security_authz">7.4 Authorization and ACLs</a></h3>
- Kafka ships with a pluggable Authorizer and an out-of-box authorizer implementation that uses zookeeper to store all the acls. Kafka acls are defined in the general format of "Principal P is [Allowed/Denied] Operation O From Host H On Resource R". You can read more about the acl structure on KIP-11. In order to add, remove or list acls you can use the Kafka authorizer CLI. By default, if a Resource R has no associated acls, no one other than super users is allowed to access R. If you want to change that behavior, you can include the following in broker.properties.
+ Kafka ships with a pluggable Authorizer and an out-of-box authorizer implementation that uses zookeeper to store all the acls. Kafka acls are defined in the general format of "Principal P is [Allowed/Denied] Operation O From Host H On Resource R". You can read more about the acl structure on KIP-11. In order to add, remove or list acls you can use the Kafka authorizer CLI. By default, if a Resource R has no associated acls, no one other than super users is allowed to access R. If you want to change that behavior, you can include the following in server.properties.
<pre>allow.everyone.if.no.acl.found=true</pre>
- One can also add super users in broker.properties like the following (note that the delimiter is semicolon since SSL user names may contain comma).
+ One can also add super users in server.properties like the following (note that the delimiter is semicolon since SSL user names may contain comma).
<pre>super.users=User:Bob;User:Alice</pre>
- By default, the SSL user name will be of the form "CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown". One can change that by setting a customized PrincipalBuilder in broker.properties like the following.
+ By default, the SSL user name will be of the form "CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown". One can change that by setting a customized PrincipalBuilder in server.properties like the following.
<pre>principal.builder.class=CustomizedPrincipalBuilderClass</pre>
- By default, the SASL user name will be the primary part of the Kerberos principal. One can change that by setting <code>sasl.kerberos.principal.to.local.rules</code> to a customized rule in broker.properties.
+ By default, the SASL user name will be the primary part of the Kerberos principal. One can change that by setting <code>sasl.kerberos.principal.to.local.rules</code> to a customized rule in server.properties.
The format of <code>sasl.kerberos.principal.to.local.rules</code> is a list where each rule works in the same way as the auth_to_local in <a href="http://web.mit.edu/Kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html">Kerberos configuration file (krb5.conf)</a>. Each rules starts with RULE: and contains an expression in the format [n:string](regexp)s/pattern/replacement/g. See the kerberos documentation for more details. An example of adding a rule to properly translate user@MYDOMAIN.COM to user while also keeping the default rule in place is:
<pre>sasl.kerberos.principal.to.local.rules=RULE:[1:$1@$0](.*@MYDOMAIN.COM)s/@.*//,DEFAULT</pre>
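Review bot: The sentence introducing allow.everyone.if.no.acl.found=true still says only "If you want to change that behavior" and never states the result: with the setting on, a resource that has no ACLs is open to everyone rather than to super users only. Since the line is being touched anyway, spell that out so a reader does not enable it without realising the default-deny behaviour is lost. Two smaller points in the same hunk: server.properties is plain text in all four changed lines while the property name is in <code>, and the unchanged context line reads "Each rules starts with RULE:", which should be "Each rule starts".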