Chapter 83. KafkaClientAuthenticationOAuth schema reference
Used in: `KafkaBridgeSpec`, `KafkaConnectSpec`, `KafkaMirrorMaker2ClusterSpec`, `KafkaMirrorMakerConsumerSpec`, `KafkaMirrorMakerProducerSpec`
Full list of `KafkaClientAuthenticationOAuth` schema properties
To configure OAuth client authentication, set the `type` property to `oauth`.
OAuth authentication can be configured using one of the following options:
- Client ID and secret
- Client ID and refresh token
- Access token
- Username and password
- TLS
Client ID and secret
You can configure the address of your authorization server in the `tokenEndpointUri` property together with the client ID and client secret used in authentication. The OAuth client will connect to the OAuth server, authenticate using the client ID and secret and get an access token which it will use to authenticate with the Kafka broker. In the `clientSecret` property, specify a link to a `Secret` containing the client secret.
Example client ID and client secret configuration
Optionally, `scope` and `audience` can be specified if needed.
Client ID and refresh token
You can configure the address of your OAuth server in the `tokenEndpointUri` property together with the OAuth client ID and refresh token. The OAuth client will connect to the OAuth server, authenticate using the client ID and refresh token and get an access token which it will use to authenticate with the Kafka broker. In the `refreshToken` property, specify a link to a `Secret` containing the refresh token.
Example client ID and refresh token configuration
Access token
You can configure the access token used for authentication with the Kafka broker directly. In this case, you do not specify the `tokenEndpointUri`. In the `accessToken` property, specify a link to a `Secret` containing the access token. Alternatively, use the `accessTokenLocation` property and specify a path to the token file.
Example access token only configuration
```yaml
authentication:
  type: oauth
  accessToken:
    secretName: my-access-token-secret
    key: access-token
```
Example (service account) access token configuration specifying a mounted file
```yaml
authentication:
  type: oauth
  accessTokenLocation: /var/run/secrets/kubernetes.io/serviceaccount/token
```
Username and password
OAuth username and password configuration uses the OAuth Resource Owner Password Grant mechanism. The mechanism is deprecated, and is only supported to enable integration in environments where client credentials (ID and secret) cannot be used. You might need to use user accounts if your access management system does not support another approach or user accounts are required for authentication.
A typical approach is to create a special user account in your authorization server that represents your client application. You then give the account a long randomly generated password and a very limited set of permissions. For example, the account can only connect to your Kafka cluster, but is not allowed to use any other services or log in to the user interface.
Consider using a refresh token mechanism first.
You can configure the address of your authorization server in the `tokenEndpointUri` property together with the client ID, username and the password used in authentication. The OAuth client will connect to the OAuth server, authenticate using the username, the password, the client ID, and optionally even the client secret to obtain an access token which it will use to authenticate with the Kafka broker.
In the `passwordSecret` property, specify a link to a `Secret` containing the password.
Normally, you also have to configure a `clientId` using a public OAuth client. If you are using a confidential OAuth client, you also have to configure a `clientSecret`.
Example username and password configuration with a public client
Example username and password configuration with a confidential client
Optionally, `scope` and `audience` can be specified if needed.
TLS
Accessing the OAuth server using the HTTPS protocol does not require any additional configuration as long as the TLS certificates used by it are signed by a trusted certification authority and its hostname is listed in the certificate.
If your OAuth server uses self-signed certificates or certificates signed by an untrusted certification authority, use the `tlsTrustedCertificates` property to specify the secrets containing them. The certificates must be in X.509 format.
Example configuration specifying TLS certificates
The OAuth client will by default verify that the hostname of your OAuth server matches either the certificate subject or one of the alternative DNS names. If it is not required, you can disable the hostname verification.
Example configuration to disable TLS hostname verification
83.1. KafkaClientAuthenticationOAuth schema properties
The `type` property is a discriminator that distinguishes use of the `KafkaClientAuthenticationOAuth` type from `KafkaClientAuthenticationTls`, `KafkaClientAuthenticationScramSha256`, `KafkaClientAuthenticationScramSha512`, `KafkaClientAuthenticationPlain`. It must have the value `oauth` for the type `KafkaClientAuthenticationOAuth`.
Property | Property type | Description |
---|---|---|
type | string | Must be `oauth`. |
clientId | string | OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. |
username | string | Username used for the authentication. |
scope | string | OAuth scope to use when authenticating against the authorization server. Some authorization servers require this to be set. The possible values depend on how the authorization server is configured. By default |
audience | string | OAuth audience to use when authenticating against the authorization server. Some authorization servers require the audience to be explicitly set. The possible values depend on how the authorization server is configured. By default, |
tokenEndpointUri | string | Authorization server token endpoint URI. |
connectTimeoutSeconds | integer | The connect timeout in seconds when connecting to the authorization server. If not set, the effective connect timeout is 60 seconds. |
readTimeoutSeconds | integer | The read timeout in seconds when connecting to the authorization server. If not set, the effective read timeout is 60 seconds. |
httpRetries | integer | The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries. |
httpRetryPauseMs | integer | The pause to take before retrying a failed HTTP request. If not set, the default is to not pause at all but to immediately repeat a request. |
clientSecret | | Link to OpenShift Secret containing the OAuth client secret which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. |
passwordSecret | | Reference to the |
accessToken | | Link to OpenShift Secret containing the access token which was obtained from the authorization server. |
refreshToken | | Link to OpenShift Secret containing the refresh token which can be used to obtain an access token from the authorization server. |
tlsTrustedCertificates | | Trusted certificates for TLS connection to the OAuth server. |
disableTlsHostnameVerification | boolean | Enable or disable TLS hostname verification. Default value is |
maxTokenExpirySeconds | integer | Set or limit time-to-live of the access tokens to the specified number of seconds. This should be set if the authorization server returns opaque tokens. |
accessTokenIsJwt | boolean | Configure whether access token should be treated as JWT. This should be set to |
enableMetrics | boolean | Enable or disable OAuth metrics. Default value is |
includeAcceptHeader | boolean | Whether the Accept header should be set in requests to the authorization servers. The default value is |
accessTokenLocation | string | Path to the token file containing an access token to be used for authentication. |
clientAssertion | | Link to OpenShift secret containing the client assertion which was manually configured for the client. |
clientAssertionLocation | string | Path to the file containing the client assertion to be used for authentication. |
clientAssertionType | string | The client assertion type. If not set, and either |
saslExtensions | map | SASL extensions parameters. |
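
The following added example (not part of the original documentation) is a Python check that reviews an `authentication` mapping for the settings this chapter cautions about, the deprecated password grant and disabled TLS hostname verification, plus a token endpoint that is not HTTPS. The function names, rule labels, and both sample configurations are constructed for illustration; the samples are written as Python dicts mirroring the YAML so the check runs without a YAML parser.

```python
from urllib.parse import urlparse

def audit_oauth_auth(auth):
    """Return (rule, message) findings for one `authentication` mapping."""
    if auth.get("type") != "oauth":
        return [("type", "type must be 'oauth' for KafkaClientAuthenticationOAuth")]
    findings = []
    uri = auth.get("tokenEndpointUri")
    has_token = "accessToken" in auth or "accessTokenLocation" in auth
    # Without a token endpoint, the client needs a directly configured access token.
    if uri is None and not has_token:
        findings.append(("no-credentials",
                         "neither tokenEndpointUri nor an access token is set"))
    if uri is not None and urlparse(uri).scheme != "https":
        findings.append(("plain-http",
                         "tokenEndpointUri is not HTTPS; credentials and tokens are sent unprotected"))
    if auth.get("disableTlsHostnameVerification") is True:
        findings.append(("no-hostname-check",
                         "hostname verification is disabled; a trusted certificate "
                         "issued for any host is accepted for the OAuth server"))
    if "username" in auth or "passwordSecret" in auth:
        findings.append(("password-grant",
                         "Resource Owner Password Grant is deprecated; "
                         "prefer client credentials or a refresh token"))
    return findings

def rules(auth):
    """Convenience wrapper: only the rule labels, in the order they were raised."""
    return [rule for rule, _ in audit_oauth_auth(auth)]

# Constructed sample: password grant over plain HTTP with hostname checks off.
WEAK = {
    "type": "oauth",
    "tokenEndpointUri": "http://sso.example.internal/token",
    "clientId": "kafka-bridge",
    "username": "svc-kafka",
    "passwordSecret": {"secretName": "svc-kafka-password", "password": "password"},
    "disableTlsHostnameVerification": True,
}
# Constructed sample: client ID and secret over HTTPS with a private CA trusted.
HARDENED = {
    "type": "oauth",
    "tokenEndpointUri": "https://sso.example.internal/token",
    "clientId": "kafka-bridge",
    "clientSecret": {"secretName": "kafka-bridge-oauth", "key": "client-secret"},
    "tlsTrustedCertificates": [{"secretName": "sso-ca", "certificate": "ca.crt"}],
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, rules(cfg) or "no findings")
```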