Skip to content
This repository has been archived by the owner on Jan 24, 2024. It is now read-only.

Commit

Permalink
Add docs
Browse files Browse the repository at this point in the history
  • Loading branch information
Demogorgon314 committed Jul 17, 2023
1 parent 1dda879 commit 5427099
Show file tree
Hide file tree
Showing 2 changed files with 31 additions and 9 deletions.
10 changes: 10 additions & 0 deletions docs/configuration.md
Original file line number Diff line number Diff line change
Expand Up @@ -173,6 +173,16 @@ This section lists configurations about the authentication.
| saslAllowedMechanisms | A set of supported SASL mechanisms exposed by the broker. | PLAIN,<br>OAUTHBEARER | |
| kopOauth2AuthenticateCallbackHandler | The fully qualified name of a SASL server callback handler class that implements the <br>AuthenticateCallbackHandler interface, which is used for OAuth2 authentication. <br>If it is not set, the class will be Kafka's default server callback handler for <br>OAUTHBEARER mechanism: OAuthBearerUnsecuredValidatorCallbackHandler. | | |


## Authorization

This section lists configurations about the authorization.

| Name | Description | Range | Default |
|-------------------------------------------|--------------------------------------------------------------------------------------------------------|-------------|---------|
| kafkaEnableAuthorizationForceGroupIdCheck | Whether to enable authorization force group ID check. Note: It only support for OAuth2 authentication. | true, false | false |


## SSL encryption

|Name|Description|Default|
Expand Down
30 changes: 21 additions & 9 deletions docs/security.md
Original file line number Diff line number Diff line change
Expand Up @@ -253,15 +253,27 @@ If you want to enable the authentication feature for KoP using the `OAUTHBEARER`
</tbody>
</table>

```properties
sasl.login.callback.handler.class=io.streamnative.pulsar.handlers.kop.security.oauth.OauthLoginCallbackHandler
security.protocol=SASL_PLAINTEXT # or security.protocol=SASL_SSL if SSL connection is used
sasl.mechanism=OAUTHBEARER
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule \
required oauth.issuer.url="https://accounts.google.com"\
oauth.credentials.url="file:///path/to/credentials_file.json"\
oauth.audience="https://broker.example.com";
```
```properties
sasl.login.callback.handler.class=io.streamnative.pulsar.handlers.kop.security.oauth.OauthLoginCallbackHandler
security.protocol=SASL_PLAINTEXT # or security.protocol=SASL_SSL if SSL connection is used
sasl.mechanism=OAUTHBEARER
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule \
required oauth.issuer.url="https://accounts.google.com"\
oauth.credentials.url="file:///path/to/credentials_file.json"\
oauth.audience="https://broker.example.com";
```

(4) Config the credentials_file.json.
The `client_id` and `client_secret` is required fields. And the `tenant` and `group_id` is optional fields.
When use `group_id` field and set `kafkaEnableAuthorizationForceGroupIdCheck=true`, then the client will only able to use this group id to consumer.
```json
{
"client_id": "my-id",
"client_secret": "my-secret",
"tenant": "my-tenant",
"group_id": "my-group-id"
}
```

### Authentication for the Schema Registry

Expand Down

0 comments on commit 5427099

Please sign in to comment.