Interface MtlsConfig

Mutual-TLS (mTLS) authentication configuration. The keystore (client certificate + private key) and truststore (CAs trusted to verify the broker) live as JKS files on Unity Catalog volumes, with their passwords stored in secret scopes. This matches the SSL setup pattern documented at https://docs.databricks.com/en/connect/streaming/kafka/authentication#use-ssl-to-connect-databricks-to-kafka.

At materialization time, the generated PySpark code passes the JKS file paths and resolved passwords through to the Kafka SSL options (kafka.ssl.keystore.location, kafka.ssl.keystore.password, kafka.ssl.key.password, kafka.ssl.truststore.location, kafka.ssl.truststore.password). Passwords are resolved on the Spark cluster via dbutils.secrets.get; this message stores only references, never password values.

interface MtlsConfig {
    disableHostnameVerification?: boolean;
    keyPasswordRef?: SecretScopeReference;
    keystoreLocation?: string;
    keystorePasswordRef?: SecretScopeReference;
    truststoreLocation?: string;
    truststorePasswordRef?: SecretScopeReference;
}

Index

Properties

disableHostnameVerification? keyPasswordRef? keystoreLocation? keystorePasswordRef? truststoreLocation? truststorePasswordRef?

Properties

`Optional`disableHostnameVerification

disableHostnameVerification?: boolean

Set to true only when the broker certificate's SAN intentionally does not match the connection endpoint — for example when reaching the cluster through a PrivateLink endpoint whose DNS name is not in the broker certificate. Skipping the hostname check removes a defense against man-in-the-middle attacks; do not enable casually. mTLS client authentication is unaffected by this option.

See the Apache Kafka SSL security guide for background on this check: https://kafka.apache.org/42/security/encryption-and-authentication-using-ssl/#host-name-verification

`Optional`keyPasswordRef

keyPasswordRef?: SecretScopeReference

Secret-scope reference for the private key password. Often the same value as the keystore password (keytool's default), but provided as a separate field because Apache Kafka requires it as a distinct option (kafka.ssl.key.password).

`Optional`keystoreLocation

keystoreLocation?: string

Unity Catalog volume path to the JKS keystore file containing the client certificate and private key. e.g. "/Volumes////client.jks". The materialization compute must have read permission on this volume.

`Optional`keystorePasswordRef

keystorePasswordRef?: SecretScopeReference

Secret-scope reference for the JKS keystore password.

`Optional`truststoreLocation

truststoreLocation?: string

Unity Catalog volume path to the JKS truststore file containing the CA certificate(s) trusted to verify the Kafka broker's server certificate. e.g. "/Volumes////truststore.jks".

`Optional`truststorePasswordRef

truststorePasswordRef?: SecretScopeReference

Secret-scope reference for the JKS truststore password.

Interface MtlsConfig

Index

Properties

Properties

`Optional`disableHostnameVerification

`Optional`keyPasswordRef

`Optional`keystoreLocation

`Optional`keystorePasswordRef

`Optional`truststoreLocation

`Optional`truststorePasswordRef

Settings

On This Page

Interface MtlsConfig

Index

Properties

Properties

OptionaldisableHostnameVerification

OptionalkeyPasswordRef

OptionalkeystoreLocation

OptionalkeystorePasswordRef

OptionaltruststoreLocation

OptionaltruststorePasswordRef

Settings

On This Page

`Optional`disableHostnameVerification

`Optional`keyPasswordRef

`Optional`keystoreLocation

`Optional`keystorePasswordRef

`Optional`truststoreLocation

`Optional`truststorePasswordRef