Repository: kafka
Updated Branches:
  refs/heads/trunk 0cf770800 -> 83bdcdbae


MINOR: Refer consistently to server.properties in security docs

Author: Manikumar Reddy <manikumar.re...@gmail.com>

Reviewers: Ismael Juma <ism...@juma.me.uk>

Closes #3788 from omkreddy/RULE-DOC


Project: http://git-wip-us.apache.org/repos/asf/kafka/repo
Commit: http://git-wip-us.apache.org/repos/asf/kafka/commit/83bdcdba
Tree: http://git-wip-us.apache.org/repos/asf/kafka/tree/83bdcdba
Diff: http://git-wip-us.apache.org/repos/asf/kafka/diff/83bdcdba

Branch: refs/heads/trunk
Commit: 83bdcdbaef4e594ec5aac0736ffce5d0172c1671
Parents: 0cf7708
Author: Manikumar Reddy <manikumar.re...@gmail.com>
Authored: Tue Sep 19 05:33:02 2017 +0100
Committer: Ismael Juma <ism...@juma.me.uk>
Committed: Tue Sep 19 05:33:02 2017 +0100

----------------------------------------------------------------------
 docs/security.html | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kafka/blob/83bdcdba/docs/security.html
----------------------------------------------------------------------
diff --git a/docs/security.html b/docs/security.html
index dab00dd..3e469b2 100644
--- a/docs/security.html
+++ b/docs/security.html
@@ -154,7 +154,7 @@
                 <li>ssl.truststore.type=JKS</li>
                 <li>ssl.secure.random.implementation=SHA1PRNG</li>
             </ol>
-            If you want to enable SSL for inter-broker communication, add the 
following to the broker properties file (it defaults to PLAINTEXT)
+            If you want to enable SSL for inter-broker communication, add the 
following to the server.properties file (it defaults to PLAINTEXT)
             <pre>
             security.inter.broker.protocol=SSL</pre>
 
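Review bot: In the changed sentence, "(it defaults to PLAINTEXT)" now reads as if it describes the server.properties file rather than security.inter.broker.protocol, and the sentence runs into the <pre> block with no closing punctuation. Suggest naming the setting explicitly in the parenthetical and ending the sentence with a colon. The file name could also be wrapped in <code>, as this file already does for sasl.kerberos.principal.to.local.rules.
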
@@ -664,13 +664,13 @@
     </ol>
 
     <h3><a id="security_authz" href="#security_authz">7.4 Authorization and 
ACLs</a></h3>
-    Kafka ships with a pluggable Authorizer and an out-of-box authorizer 
implementation that uses zookeeper to store all the acls. Kafka acls are 
defined in the general format of "Principal P is [Allowed/Denied] Operation O 
From Host H On Resource R". You can read more about the acl structure on 
KIP-11. In order to add, remove or list acls you can use the Kafka authorizer 
CLI. By default, if a Resource R has no associated acls, no one other than 
super users is allowed to access R. If you want to change that behavior, you 
can include the following in broker.properties.
+    Kafka ships with a pluggable Authorizer and an out-of-box authorizer 
implementation that uses zookeeper to store all the acls. Kafka acls are 
defined in the general format of "Principal P is [Allowed/Denied] Operation O 
From Host H On Resource R". You can read more about the acl structure on 
KIP-11. In order to add, remove or list acls you can use the Kafka authorizer 
CLI. By default, if a Resource R has no associated acls, no one other than 
super users is allowed to access R. If you want to change that behavior, you 
can include the following in server.properties.
     <pre>allow.everyone.if.no.acl.found=true</pre>
-    One can also add super users in broker.properties like the following (note 
that the delimiter is semicolon since SSL user names may contain comma).
+    One can also add super users in server.properties like the following (note 
that the delimiter is semicolon since SSL user names may contain comma).
     <pre>super.users=User:Bob;User:Alice</pre>
-    By default, the SSL user name will be of the form 
"CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown". One can 
change that by setting a customized PrincipalBuilder in broker.properties like 
the following.
+    By default, the SSL user name will be of the form 
"CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown". One can 
change that by setting a customized PrincipalBuilder in server.properties like 
the following.
     <pre>principal.builder.class=CustomizedPrincipalBuilderClass</pre>
-    By default, the SASL user name will be the primary part of the Kerberos 
principal. One can change that by setting 
<code>sasl.kerberos.principal.to.local.rules</code> to a customized rule in 
broker.properties.
+    By default, the SASL user name will be the primary part of the Kerberos 
principal. One can change that by setting 
<code>sasl.kerberos.principal.to.local.rules</code> to a customized rule in 
server.properties.
     The format of <code>sasl.kerberos.principal.to.local.rules</code> is a 
list where each rule works in the same way as the auth_to_local in <a 
href="http://web.mit.edu/Kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html";>Kerberos
 configuration file (krb5.conf)</a>. Each rules starts with RULE: and contains 
an expression in the format [n:string](regexp)s/pattern/replacement/g. See the 
kerberos documentation for more details. An example of adding a rule to 
properly translate u...@mydomain.com to user while also keeping the default 
rule in place is:
     
<pre>sasl.kerberos.principal.to.local.rules=RULE:[1:$1@$0](.*@MYDOMAIN.COM)s/@.*//,DEFAULT</pre>
 
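Review bot: The sentence introducing allow.everyone.if.no.acl.found=true only says it lets you "change that behavior". Since the line is being edited anyway, state the consequence directly: with this set, a resource that has no ACLs is open to every principal rather than to super users only. Smaller points in the same hunk, given that the commit is about consistency: "zookeeper" and "acls" are lower-cased in the rewritten line while the heading above uses "ACLs", and the unchanged context still reads "Each rules starts", which could be corrected in the same pass.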
