Securing JMX on Confluent Kafka
Confluent Kafka processes start with these default arguments. You can see that JMX authentication is disabled by default. This is a security vulnerability and can lead to issues.
Confluent Kafka consists of the following services. JMX authentication needs to be enabled for each of them:
- Kafka Broker
- Zookeeper
- Schema Registry
- Kafka REST
- KSQL
- Confluent Control Center
kafka-run-class
Kafka Broker, Zookeeper and Kafka REST use kafka-run-class. We can update it to enable JMX authentication for these services as follows:
ksql-run-class
To update KSQL, edit ksql-run-class in the bin folder of your Confluent installation as follows:
control-center-run-class
On the Confluent Control Center (C3) server, the following update is required in control-center-run-class:
schema-registry-run-class
Schema Registry uses schema-registry-run-class. We can update it as follows:
kafka-rest-run-class
kafka-rest-run-class is used to run the Kafka REST proxy. It can be updated as follows:
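
The check below is an added example, not code from the original post: it scans the five run-class scripts named above for the JVM flag that disables JMX authentication and prints an option set that turns it on. The password and access file paths, the helper names and the sample directory contents are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Paths below are assumptions, not values from the post.
JMX_PASSWORD_FILE="${JMX_PASSWORD_FILE:-/etc/kafka/jmx/jmxremote.password}"
JMX_ACCESS_FILE="${JMX_ACCESS_FILE:-/etc/kafka/jmx/jmxremote.access}"
RUN_CLASS_SCRIPTS="kafka-run-class ksql-run-class control-center-run-class schema-registry-run-class kafka-rest-run-class"

# True when a script passes the JVM flag that switches JMX authentication off.
jmx_auth_disabled() {
  grep -q -- '-Dcom\.sun\.management\.jmxremote\.authenticate=false' "$1"
}

# Print the name of every run-class script in $1 that leaves JMX unauthenticated.
audit_scripts() {
  for name in $RUN_CLASS_SCRIPTS; do
    if [ -f "$1/$name" ] && jmx_auth_disabled "$1/$name"; then
      echo "$name"
    fi
  done
}

# JVM options that require a username and password for remote JMX.
# Transport encryption (jmxremote.ssl) is a separate setting and is not changed here.
hardened_jmx_opts() {
  echo "-Dcom.sun.management.jmxremote" \
    "-Dcom.sun.management.jmxremote.authenticate=true" \
    "-Dcom.sun.management.jmxremote.password.file=$JMX_PASSWORD_FILE" \
    "-Dcom.sun.management.jmxremote.access.file=$JMX_ACCESS_FILE"
}

# The JVM will not start if the password file is accessible to group or others.
password_file_ok() {
  [ -f "$1" ] || return 1
  perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$perms" in ?00) return 0 ;; *) return 1 ;; esac
}

# Constructed sample: a bin directory with one weak and one hardened script.
make_sample_bin() {
  dir=$(mktemp -d)
  echo 'KAFKA_JMX_OPTS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"' > "$dir/kafka-run-class"
  echo "SCHEMA_REGISTRY_JMX_OPTS=\"$(hardened_jmx_opts)\"" > "$dir/schema-registry-run-class"
  echo "$dir"
}
```

Running `audit_scripts` against the bin folder of an installation lists the scripts that still need the change; `password_file_ok` is worth running before a restart, since a password file with loose permissions stops the service from coming up.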