10.10. Starburst Kafka Connector#

The Starburst Kafka Connector is an extended version of the Kafka Connector with configuration and usage identical. It includes security improvements, since the default security configuration of the Kafka connector does not use authentication or encryption when connecting to a Kafka service.

SSL Authentication#

With SSL authentication, the Kafka server authenticates the Presto Kafka connector, also called “2-way authentication”. To use SSL add the following configuration to your catalog file.

kafka.security-protocol=SSL

The following configuration properties have to be also set:

Property Name

Description

kafka.ssl.truststore.locatfion

Location of the SSL truststore file.

kafka.ssl.truststore.password

Password to the truststore file.

kafka.ssl.keystore.location

Location of the SSL keystore file.

kafka.ssl.keystore.password

Password to the keystore file.

kafka.ssl.key.password

Password of the private key stored in the keystore file.

Example configuration with SSL security protocol:

connector.name=kafka
...
kafka.security-protocol=SSL
kafka.ssl.truststore.location=/etc/secrets/kafka.broker.truststore.jks
kafka.ssl.truststore.password=truststore_passwrod
kafka.ssl.keystore.location=/etc/secrets/kafka.broker.keystore.jks
kafka.ssl.keystore.password=keystore_password
kafka.ssl.key.password=private_key_password

Kerberos (SASL) Authentication#

With SASL authentication, the Kafka server authenticates the Presto Kafka connector using the Kerberos service. This configuration is using non encrypted (non-encrypted) protocol. To use Kerberos (SASL) protocol add the following configuration to your catalog file.

kafka.security-protocol=SASL_PLAINTEXT

The following configuration properties have to be also set:

Property Name

Description

kafka.kerberos.client.principal

Kafka Kerboros client principal.

kafka.kerberos.client.keytab

Kafka Kerberos client keytab location.

kafka.kerberos.config

Kerberos service file location. Typically /etc/krb5.conf.

kafka.kerberos.service-name

The Kerberos principal name of Kafka service.

Example configuration with SASL security protocol:

connector.name=kafka
...
kafka.security-protocol=SASL_PLAINTEXT
kafka.kerberos.client.principal=kafka/broker1.your.org@YOUR.ORG
kafka.kerberos.client.keytab=/etc/secrets/kafka_client.keytab
kafka.kerberos.config=/etc/krb5.conf
kafka.kerberos.service-name=kafka

Kerberos (SASL) Authentication with SSL#

With SASL authentication, the Kafka server authenticates the Presto Kafka connector using the Kerberos service. This protocol uses SSL encryption.

To use Kerberos (SASL) with SSL protocol add the following configuration to your catalog file.

kafka.security-protocol=SASL_SSL

The following configuration properties have to be also set:

Property Name

Description

kafka.kerberos.client.principal

Kafka Kerboros client principal.

kafka.kerberos.client.keytab

Kafka Kerberos client keytab location.

kafka.kerberos.config

Kerberos service file location. Typically /etc/krb5.conf.

kafka.kerberos.service-name

The Kerberos principal name of Kafka service.

kafka.ssl.truststore.location

Location of the SSL truststore file.

kafka.ssl.truststore.password

Password to the truststore file.

kafka.ssl.keystore.location

Location of the SSL keystore file.

kafka.ssl.keystore.password

Password to the keystore file.

kafka.ssl.key.password

Password of the private key stored in the keystore file.

Example configuration with SASL_SSL security protocol:

connector.name=kafka
...
kafka.security-protocol=SASL_SSL
kafka.kerberos.client.principal=kafka/broker1.your.org@YOUR.ORG
kafka.kerberos.client.keytab=/etc/secrets/kafka_client.keytab
kafka.kerberos.config=/etc/krb5.conf
kafka.kerberos.service-name=kafka
kafka.ssl.truststore.location=/etc/secrets/kafka.broker.truststore.jks
kafka.ssl.truststore.password=truststore_passwrod
kafka.ssl.keystore.location=/etc/secrets/kafka.broker.keystore.jks
kafka.ssl.keystore.password=keystore_password
kafka.ssl.key.password=private_key_password