Admin REST APIs Configuration Options for Confluent Server

The Admin REST APIs in Confluent Server use the Java clients to talk with Confluent Server internally. This is the same behavior as Confluent REST Proxy. In addition to the settings described here, you can override the default settings used by the Java clients, by using the prefixes kafka.rest.client. or kafka.rest.admin..

All settings that start with confluent.http.server. can be prefixed with confluent.metadata.server. instead. For example, setting either confluent.http.server.ssl.keystore.type=JKS or confluent.metadata.server.ssl.keystore.type=JKS has the same effect. The only exception is confluent.http.server.listeners (enables the embedded HTTP Server but MDS is skipped) and confluent.metadata.server.listeners (enables MDS).

General

confluent.http.server.listeners

Comma-separated list of listeners that listen for API requests over either HTTP or HTTPS. If a listener uses HTTPS, the appropriate TLS configuration parameters must aslo be set. If confluent.metadata.server.listeners is used instead of confluent.http.server.listeners, then the Metadata Service will also be enabled on the same listener.

  • Type: list
  • Default: http://0.0.0.0:8090
  • Importance: high
confluent.http.server.shutdown.graceful.ms

Amount of time to wait after a shutdown request for outstanding requests to complete.

  • Type: int
  • Default: 1000
  • Importance: low
kafka.rest.bootstrap.servers

A list of Kafka brokers to connect to. For example, PLAINTEXT://hostname:9092,SSL://hostname2:9092. This setting defaults to the interbroker listener of the broker in which the REST Proxy is running. You can change it in cases where you want the REST Proxy to talk to Kafka through a different listener, for example, because of security.

  • Type: list
  • Default: interbroker listener, e.g. PLAINTEXT://localhost:9091
  • Importance: medium
kafka.rest.access.control.allow.methods

Set value to Jetty Access-Control-Allow-Origin header for specified methods.

  • Type: string
  • Default: “”
  • Importance: low
kafka.rest.access.control.allow.origin

Set value for Jetty Access-Control-Allow-Origin header.

  • Type: string
  • Default: “”
  • Importance: low
kafka.rest.debug

Indicates whether extra debugging information is generated in some error response entities.

  • Type: boolean
  • Default: false
  • Importance: low
kafka.rest.request.logger.name

Name of the SLF4J logger to write the NCSA Common Log Format request log.

  • Type: string
  • Default: io.confluent.rest-utils.request
  • Importance: low
kafka.rest.response.mediatype.default

The default response media type that should be used if no specify types are requested in an Accept header.

  • Type: string
  • Default: application/json
  • Importance: low
kafka.rest.response.mediatype.preferred

An ordered list of the server’s preferred media types used for responses, from most preferred to least.

  • Type: list
  • Default: [application/json, application/vnd.kafka.v2+json]
  • Importance: low
kafka.rest.metrics.jmx.prefix

Prefix to apply to metric names for the default JMX reporter.

  • Type: string
  • Default: kafka.rest
  • Importance: low
kafka.rest.metrics.num.samples

The number of samples maintained to compute metrics.

  • Type: int
  • Default: 2
  • Importance: low
kafka.rest.metrics.sample.window.ms

The metrics system maintains a configurable number of samples over a fixed window size. This configuration controls the size of the window. For example, you might maintain two samples each measured over a 30 second period. When a window expires, you erase and overwrite the oldest window.

  • Type: long
  • Default: 30000
  • Importance: low
kafka.rest.kafka.rest.resource.extension.class

A list of classes to use as RestResourceExtension. Implementing the interface RestResourceExtension allows you to inject user defined resources like filters to the Kafka HTTP APIs. Typically used to add custom capabilities like logging, security, etc.

  • Type: list
  • Default: “”
  • Importance: low
kafka.rest.advertised.listeners

List of advertised listeners. This configuration is used to generate absolute URLs in V3 responses. The HTTP and HTTPS protocols are supported. Each listener must include the protocol, hostname, and port. For example: http://myhost:8080 and https://0.0.0.0:8081.

  • Type: list
  • Default: “”
  • Importance: low
kafka.rest.confluent.resource.name.authority

The authority where the governance of the name space is delegated to. This value is defined by the remainder of the CRN. This is used when generating Confluent resource names. For example, confluent.cloud and mds-01.example.com.

  • Type: string
  • Default: “”
  • Importance: low
kafka.rest.response.http.headers.config

Use to select which HTTP headers are returned in the HTTP response for Confluent Platform components. Specify multiple values in a comma-separated string using the format [action][header name]:[header value] where [action] is one of the following: set, add, setDate, or addDate. You must use quotation marks around the header value when the header value contains commas. For example:

kafka.rest.response.http.headers.config="add Cache-Control: no-cache, no-store, must-revalidate", add X-XSS-Protection: 1; mode=block, add Strict-Transport-Security: max-age=31536000; includeSubDomains, add X-Content-Type-Options: nosniff
  • Type: string
  • Default: “”
  • Importance: low
null.request.body.always.publishes.empty.record

Added in Confluent Platform 8.0. If set to true, the REST Proxy will always publish an empty record when a null request body is received. This is useful for some clients that expect a record to be published even when the request body is null, which was the default behavior in earlier versions of the REST Proxy.

  • Type: boolean
  • Default: false
  • Importance: low

Configuration Options for HTTPS

confluent.http.server.sni.host.check.enabled

In Confluent Platform 8.0 and later, SNI host checking is enabled by default. This property sets whether to enable SNI host checking. If false, SNI host checking will be disabled for all HTTPS connections. Default is true.

  • Type: boolean
  • Default: true
  • Importance: low
confluent.http.server.ssl.keystore.location

Used for HTTPS. The location of the keystore file to use for SSL.

Important

HTTPS requires the server’s FQDN be specified in either the CN or SAN field of the certificate.

  • Type: string
  • Default: “”
  • Importance: high
confluent.http.server.ssl.keystore.password

Used for HTTPS. The keystore store password.

  • Type: password
  • Default: “”
  • Importance: high
confluent.http.server.ssl.key.password

Used for HTTPS. The password of the private key in the keystore file.

  • Type: password
  • Default: “”
  • Importance: high
confluent.http.server.ssl.keystore.type

Used for HTTPS. The keystore format.

  • Type: string
  • Default: JKS
  • Importance: medium
confluent.http.server.ssl.protocol

Used for HTTPS. The TLS protocol used to generate the SSLContext. The default is TLSv1.3 when running with Java 11 or newer, TLSv1.2 otherwise. This value should be fine for most use cases. Allowed values in recent JVMs are TLSv1.2 and TLSv1.3. TLS, TLSv1.1, SSL, SSLv2 and SSLv3 might be supported in older JVMs, but their usage is discouraged due to known security vulnerabilities. With the default value for this configuration and ssl.enabled.protocols, clients downgrade to TLSv1.2 if the server does not support TLSv1.3. If this configuration is set to TLSv1.2, clients do not use TLSv1.3, even if it is one of the values in ssl.enabled.protocols and the server only supports TLSv1.3.

  • Type: string
  • Default: TLSv1.3
  • Importance: medium
confluent.http.server.ssl.provider

Used for HTTPS. The TLS security provider name. Leave blank to use Jetty’s default.

  • Type: string
  • Default: “” (Jetty’s default)
  • Importance: medium
confluent.http.server.ssl.enabled.protocols

Used for HTTPS. A comma-separated list of protocols enabled for TLS connections. Leave blank to use Jetty’s defaults.

  • Type: list
  • Default: “” (Jetty’s default)
  • Importance: medium
confluent.http.server.ssl.keymanager.algorithm

Used for HTTPS. The algorithm used by the key manager factory for TLS connections. Leave blank to use Jetty’s default.

  • Type: string
  • Default: “” (Jetty’s default)
  • Importance: low
confluent.http.server.ssl.trustmanager.algorithm

Used for HTTPS. The algorithm used by the trust manager factory for TLS connections. Leave blank to use Jetty’s default.

  • Type: string
  • Default: “” (Jetty’s default)
  • Importance: low
confluent.http.server.ssl.cipher.suites

Used for HTTPS. A comma-separated list of TLS cipher suites. Leave blank to use Jetty’s defaults.

  • Type: list
  • Default: “” (Jetty’s default)
  • Importance: low
confluent.http.server.ssl.endpoint.identification.algorithm

Used for HTTPS. The endpoint identification algorithm to validate the server hostname using the server certificate. Leave blank to use Jetty’s default.

  • Type: string
  • Default: https
  • Importance: low

Configuration Options for TLS Encryption between Admin REST APIs and Kafka Brokers

If the interbroker listener of the broker that the REST Proxy is running on has security enabled and there is an authorizer.class.name configured, you must manually configure the Java clients in the REST Proxy so that they can securely communicate with Kafka.

You can use both kafka.rest.client. or kafka.rest.admin. for the configurations below.

kafka.rest.client.security.protocol

Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL.

  • Type: string
  • Default: PLAINTEXT
  • Importance: high
kafka.rest.client.ssl.key.password

The password of the private key in the key store file. This is optional for client.

  • Type: password
  • Default: null
  • Importance: high
kafka.rest.client.ssl.keystore.location

The location of the key store file. This is optional for client and can be used for two-way client authentication.

  • Type: string
  • Default: null
  • Importance: high
kafka.rest.client.ssl.keystore.password

The store password for the key store file. This is optional for client and only needed if ssl.keystore.location is configured.

  • Type: password
  • Default: null
  • Importance: high
kafka.rest.client.ssl.truststore.location

The location of the trust store file.

  • Type: string
  • Default: null
  • Importance: high
kafka.rest.client.ssl.truststore.password

The password for the trust store file.

  • Type: string
  • Default: null
  • Importance: high
kafka.rest.client.ssl.enabled.protocols

The comma-separated list of protocols enabled for TLS connections. The default value is TLSv1.2,TLSv1.3 when running with Java 11 or later, TLSv1.2 otherwise. With the default value for Java 11 (TLSv1.2,TLSv1.3), Kafka clients and brokers prefer TLSv1.3 if both support it, and falls back to TLSv1.2 otherwise (assuming both support at least TLSv1.2).

  • Type: list
  • Default: TLSv1.2,TLSv1.3
  • Importance: medium
kafka.rest.client.ssl.keystore.type

The file format of the key store file. This is optional for client.

  • Type: string
  • Default: JKS
  • Importance: medium
kafka.rest.client.ssl.protocol

The TLS protocol used to generate the SSLContext. The default is TLSv1.3 when running with Java 11 or newer, TLSv1.2 otherwise. This value should be fine for most use cases. Allowed values in recent JVMs are TLSv1.2 and TLSv1.3. TLS, TLSv1.1, SSL, SSLv2 and SSLv3 might be supported in older JVMs, but their usage is discouraged due to known security vulnerabilities. With the default value for this configuration and ssl.enabled.protocols, clients downgrade to TLSv1.2 if the server does not support TLSv1.3. If this configuration is set to TLSv1.2, clients do not use TLSv1.3, even if it is one of the values in ssl.enabled.protocols and the server only supports TLSv1.3.

  • Type: string
  • Default: TLSv1.3
  • Importance: medium
kafka.rest.client.ssl.provider

The name of the security provider used for TLS connections. Default value is the default security provider of the JVM.

  • Type: string
  • Default: null
  • Importance: medium
kafka.rest.client.ssl.truststore.type

The file format of the trust store file.

  • Type: string
  • Default: JKS
  • Importance: medium
kafka.rest.client.ssl.cipher.suites

A list of cipher suites. This is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS. By default, all the available cipher suites are supported.

  • Type: list
  • Default: null
  • Importance: low
kafka.rest.client.ssl.endpoint.identification.algorithm

The endpoint identification algorithm to validate server hostname using server certificate.

  • Type: string
  • Default: null
  • Importance: low
kafka.rest.client.ssl.keymanager.algorithm

The algorithm used by key manager factory for TLS connections. Default value is the key manager factory algorithm configured for the Java Virtual Machine.

  • Type: string
  • Default: SunX509
  • Importance: low
kafka.rest.client.ssl.secure.random.implementation

The SecureRandom PRNG implementation to use for TLS cryptography operations.

  • Type: string
  • Default: null
  • Importance: low
kafka.rest.client.ssl.trustmanager.algorithm

The algorithm used by trust manager factory for TLS connections. Default value is the trust manager factory algorithm configured for the Java Virtual Machine.

  • Type: string
  • Default: PKIX
  • Importance: low