April 30, 2019

Securing JMX on Confluent Kafka

Confluent Kafka processes start with these default arguments. You can see that JMX authentication is disabled by default. This is a security vulnerability, because any client that can reach the JMX port can connect to it without credentials.

Confluent Kafka consists of the following services. JMX authentication needs to be enabled for each of them:

  1. Kafka Broker
  2. ZooKeeper
  3. Schema Registry
  4. Kafka REST
  5. KSQL
  6. Confluent Control Center


Kafka Broker, ZooKeeper and Kafka REST use kafka-run-class. It can be updated to enable JMX authentication for these services as follows:


To update KSQL, edit ksql-run-class in the bin folder of your Confluent installation as follows:


On the Confluent Control Center (C3) server, the following update is required in control-center-run-class:


Schema Registry uses schema-registry-run-class. We can update it as follows:


kafka-rest-run-class is used to run the Kafka REST proxy. It can be updated as follows:
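
An added example, not code from the original article: a shell script that checks the five run-class scripts named above for the JMX authentication flag and builds an option string with authentication enabled. The bin directory and the password and access file paths are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original article). Script names come from the
# article; the bin directory and file paths passed in are assumptions.
RUN_CLASS_SCRIPTS="kafka-run-class ksql-run-class control-center-run-class schema-registry-run-class kafka-rest-run-class"

# Print "<script>: <status>" for each run-class script found in bin dir $1.
#   INSECURE  jmxremote.authenticate=false is set on an active line
#   OK        jmxremote.authenticate=true is set on an active line
#   UNSET     the flag is absent (the JVM default for this property is true)
audit_jmx_auth() {
  bin_dir=$1
  for name in $RUN_CLASS_SCRIPTS; do
    f="$bin_dir/$name"
    [ -f "$f" ] || continue
    # Drop commented-out lines so a disabled setting is not reported.
    active=$(grep -v '^[[:space:]]*#' "$f" || true)
    if printf '%s\n' "$active" | grep -q 'jmxremote\.authenticate=false'; then
      echo "$name: INSECURE"
    elif printf '%s\n' "$active" | grep -q 'jmxremote\.authenticate=true'; then
      echo "$name: OK"
    else
      echo "$name: UNSET"
    fi
  done
}

# Echo JMX options with authentication enabled.
#   $1 = password file, $2 = access file (both must already exist)
# Refuses a password file that group or others can access; the JVM also
# refuses to start the JMX agent with such a file.
# TLS for JMX (jmxremote.ssl) is a separate setting and is not handled here.
hardened_jmx_opts() {
  pw=$1; acc=$2
  [ -f "$pw" ] && [ -f "$acc" ] || { echo "missing password or access file" >&2; return 1; }
  case $(ls -ld "$pw") in
    -???------*) ;;   # owner-only permissions, e.g. -rw-------
    *) echo "$pw: restrict to owner (chmod 600)" >&2; return 1 ;;
  esac
  echo "-Dcom.sun.management.jmxremote" \
       "-Dcom.sun.management.jmxremote.authenticate=true" \
       "-Dcom.sun.management.jmxremote.password.file=$pw" \
       "-Dcom.sun.management.jmxremote.access.file=$acc"
}
```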