Starburst Kafka connector

The Starburst Kafka connector is an extended version of the Kafka Connector, with identical configuration and usage. It includes security improvements, since the default security configuration of the Kafka connector does not use authentication or encryption when connecting to a Kafka service.

Note

The additional features of the connector require a valid Starburst Enterprise Presto license, unless otherwise noted.

Security

The connector includes a number of security-related features, detailed in the following sections.

SSL authentication

With SSL authentication, also called “2-way authentication”, the Kafka server authenticates the Presto Kafka connector. To use SSL, add the following configuration to your catalog file:

kafka.security-protocol=SSL

Set the following configuration properties:

Required settings

| Property name | Description |
| --- | --- |
| kafka.ssl.truststore.location | Location of the SSL truststore file. |
| kafka.ssl.truststore.password | Password to the truststore file. |
| kafka.ssl.keystore.location | Location of the SSL keystore file. |
| kafka.ssl.keystore.password | Password to the keystore file. |
| kafka.ssl.key.password | Password of the private key stored in the keystore file. |

Optional setting

| Property name | Description |
| --- | --- |
| kafka.endpoint-identification-algorithm | The endpoint identification algorithm used by Presto to validate the server host name. The default value is HTTPS. Presto verifies that the broker host name matches the host name in the broker’s certificate. To disable server host name verification, use disabled. |

Example configuration with SSL security protocol:

connector.name=kafka
...
kafka.security-protocol=SSL
kafka.ssl.truststore.location=/etc/secrets/kafka.broker.truststore.jks
kafka.ssl.truststore.password=truststore_password
kafka.ssl.keystore.location=/etc/secrets/kafka.broker.keystore.jks
kafka.ssl.keystore.password=keystore_password
kafka.ssl.key.password=private_key_password

Kerberos authentication

With Kerberos authentication, the Kafka server authenticates the Presto Kafka connector using the Kerberos service. This configuration uses a non-encrypted protocol. Add the following configuration to your catalog properties file to use the Kerberos (GSSAPI with SASL) protocol:

kafka.security-protocol=SASL_PLAINTEXT
kafka.sasl.mechanism=GSSAPI

Set the following required configuration properties:

Required settings

| Property name | Description |
| --- | --- |
| kafka.kerberos.client.principal | Kafka Kerberos client principal. |
| kafka.kerberos.client.keytab | Kafka Kerberos client keytab location. |
| kafka.kerberos.config | Kerberos service file location. Typically /etc/krb5.conf. |
| kafka.kerberos.service-name | The Kerberos principal name of the Kafka service. |

Example configuration of Kerberos authentication using GSSAPI with SASL:

connector.name=kafka
...
kafka.security-protocol=SASL_PLAINTEXT
kafka.sasl.mechanism=GSSAPI
kafka.kerberos.client.principal=kafka/broker1.your.org@YOUR.ORG
kafka.kerberos.client.keytab=/etc/secrets/kafka_client.keytab
kafka.kerberos.config=/etc/krb5.conf
kafka.kerberos.service-name=kafka

Kerberos authentication with SSL

With Kerberos authentication, the Kafka server authenticates the Kafka connector using the Kerberos service. This protocol uses SSL encryption.

Add the following configuration to your catalog file to use the Kerberos (GSSAPI with SASL) protocol with SSL.

kafka.security-protocol=SASL_SSL
kafka.sasl.mechanism=GSSAPI

Set the following configuration properties as well:

| Property name | Description |
| --- | --- |
| kafka.kerberos.client.principal | Kafka Kerberos client principal. |
| kafka.kerberos.client.keytab | Kafka Kerberos client keytab location. |
| kafka.kerberos.config | Kerberos service file location. Typically /etc/krb5.conf. |
| kafka.kerberos.service-name | The Kerberos principal name of the Kafka service. |
| kafka.ssl.truststore.location | Location of the SSL truststore file. |
| kafka.ssl.truststore.password | Password to the truststore file. |
| kafka.ssl.keystore.location | Location of the SSL keystore file. |
| kafka.ssl.keystore.password | Password to the keystore file. |
| kafka.ssl.key.password | Password of the private key stored in the keystore file. |

Example configuration of Kerberos authentication using GSSAPI with SASL over SSL:

connector.name=kafka
...
kafka.security-protocol=SASL_SSL
kafka.sasl.mechanism=GSSAPI
kafka.kerberos.client.principal=kafka/broker1.your.org@YOUR.ORG
kafka.kerberos.client.keytab=/etc/secrets/kafka_client.keytab
kafka.kerberos.config=/etc/krb5.conf
kafka.kerberos.service-name=kafka
kafka.ssl.truststore.location=/etc/secrets/kafka.broker.truststore.jks
kafka.ssl.truststore.password=truststore_password
kafka.ssl.keystore.location=/etc/secrets/kafka.broker.keystore.jks
kafka.ssl.keystore.password=keystore_password
kafka.ssl.key.password=private_key_password
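
The following Python check is an added example, not part of the Starburst documentation or the connector. It audits a catalog properties file against the three security configurations described above: it reports required properties that are missing for the chosen kafka.security-protocol, a missing protocol setting, the unencrypted SASL_PLAINTEXT transport, and disabled host name verification. The function names, the wording of the findings and the sample file are assumptions made for illustration.

```python
# Added example, not Starburst code. Required properties per
# kafka.security-protocol value follow the tables on this page.
SSL_PROPS = ["kafka.ssl." + s for s in (
    "truststore.location", "truststore.password",
    "keystore.location", "keystore.password", "key.password")]
KERBEROS_PROPS = ["kafka.kerberos." + s for s in (
    "client.principal", "client.keytab", "config", "service-name")]
REQUIRED = {"SSL": SSL_PROPS, "SASL_PLAINTEXT": KERBEROS_PROPS,
            "SASL_SSL": KERBEROS_PROPS + SSL_PROPS}

def parse_properties(text):
    """Parse key=value lines; skip blanks, comments and the '...' elision."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_catalog(text):
    """Return a list of findings (hypothetical wording) for one catalog file."""
    props = parse_properties(text)
    protocol = props.get("kafka.security-protocol")
    if protocol is None:
        return ["kafka.security-protocol not set: no authentication or encryption"]
    if protocol not in REQUIRED:
        return [f"kafka.security-protocol={protocol} is not covered by this page"]
    findings = [f"missing required property {name}"
                for name in REQUIRED[protocol] if not props.get(name)]
    if protocol.startswith("SASL") and props.get("kafka.sasl.mechanism") != "GSSAPI":
        findings.append("kafka.sasl.mechanism is not GSSAPI (Kerberos)")
    if protocol == "SASL_PLAINTEXT":
        findings.append("SASL_PLAINTEXT: traffic to the broker is not encrypted")
    if props.get("kafka.endpoint-identification-algorithm", "").lower() == "disabled":
        findings.append("broker host name verification is disabled")
    return findings

# Constructed sample input: Kerberos without SSL, keytab property left out.
SAMPLE = """connector.name=kafka
kafka.security-protocol=SASL_PLAINTEXT
kafka.sasl.mechanism=GSSAPI
kafka.kerberos.client.principal=kafka/broker1.your.org@YOUR.ORG
kafka.kerberos.config=/etc/krb5.conf
kafka.kerberos.service-name=kafka
"""

if __name__ == "__main__":
    print("\n".join(audit_catalog(SAMPLE)))
```

An empty list from audit_catalog means the file sets every property this page lists as required for its protocol; it does not check that the referenced truststore, keystore or keytab files exist.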