Kafka Security
Apache Kafka™ 2.4.0
Secure Communication Using SSL
- Secure Sockets Layer (SSL) - a cryptographic protocol for communications security over a computer network
- Used for secure communication (data encryption) and authentication
- Superseded by Transport Layer Security (TLS)
- Often referred to as SSL/TLS
- Transport Layer Security in Wikipedia
Keys and Certificates
- Private And Public Keys
- Identity of an entity (such as a computer or a website)
- Public Key Certificate (Digital Identity Certificate)
- Identity of the owner (the subject)
- Digital signature of an entity that has verified the certificate's contents (the issuer)
- The certificate issuer is a Certificate Authority (CA)
- Certificate Signing Request (CSR)
- Request to Certificate Authority to sign a certificate
Key and Trust Stores
- Key Store (or Keystore) is a database of keys and certificates
- By default the Java keystore is implemented as a file
- Contains the private key and any certificates to complete a chain of trust of the primary certificate
- Initially holds only the private key
- Gains the signed certificate and any root certificates once the CSR (Certificate Signing Request) has been signed
- Trust Store is a file with trusted certificates (public keys)
- Each certificate is associated with a unique alias
- Java keytool to manage keys and certificates
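The keystore, CSR and truststore steps listed above, driven through Java keytool, as an added example that is not from the slides or from Kafka's own scripts. File names, aliases, the CN values, the validity period and the password are illustrative placeholders; a self-signed key pair generated with keytool stands in for a real Certificate Authority, and `keytool -gencert` is used as the CA signing step so the whole sequence stays in one tool.

```python
"""Drive keytool from an empty broker keystore to a CA-signed certificate
plus a truststore. Added example; all names and the password are placeholders."""
import subprocess
from pathlib import Path


def build_commands(workdir, hostname, store_pass="changeit", validity="365"):
    """Return the keytool invocations in the order they must run."""
    d = Path(workdir)
    ca_ks, ca_pem = str(d / "ca.jks"), str(d / "ca-cert.pem")
    ks = str(d / "kafka.broker.keystore.jks")
    ts = str(d / "kafka.broker.truststore.jks")
    csr, signed = str(d / "broker.csr"), str(d / "broker-signed.pem")
    pw = ["-storepass", store_pass, "-keypass", store_pass]
    return [
        # 1. CA key pair; "bc:c" sets BasicConstraints CA:true (stand-in for a real CA)
        ["keytool", "-genkeypair", "-alias", "ca-root", "-dname", "CN=Example-Kafka-CA",
         "-keyalg", "RSA", "-keysize", "2048", "-ext", "bc:c",
         "-validity", validity, "-keystore", ca_ks, *pw],
        # 2. export the CA certificate (public part only) as PEM
        ["keytool", "-exportcert", "-rfc", "-alias", "ca-root", "-file", ca_pem,
         "-keystore", ca_ks, "-storepass", store_pass],
        # 3. broker keystore: holds only the private key at this point
        #    (keytool wraps it in a self-signed placeholder certificate)
        ["keytool", "-genkeypair", "-alias", "broker", "-dname", f"CN={hostname}",
         "-keyalg", "RSA", "-keysize", "2048", "-validity", validity,
         "-keystore", ks, *pw],
        # 4. CSR for the broker's key
        ["keytool", "-certreq", "-alias", "broker", "-file", csr,
         "-keystore", ks, "-storepass", store_pass],
        # 5. the CA signs the CSR; the SAN lets clients verify the broker hostname
        ["keytool", "-gencert", "-alias", "ca-root", "-infile", csr, "-outfile", signed,
         "-rfc", "-ext", f"SAN=DNS:{hostname}", "-validity", validity,
         "-keystore", ca_ks, *pw],
        # 6. complete the chain in the keystore: CA root first, then the signed cert
        #    (re-using the "broker" alias replaces the placeholder certificate)
        ["keytool", "-importcert", "-noprompt", "-alias", "ca-root", "-file", ca_pem,
         "-keystore", ks, "-storepass", store_pass],
        ["keytool", "-importcert", "-noprompt", "-alias", "broker", "-file", signed,
         "-keystore", ks, "-storepass", store_pass],
        # 7. truststore: only the CA certificate, never a private key
        ["keytool", "-importcert", "-noprompt", "-alias", "ca-root", "-file", ca_pem,
         "-keystore", ts, "-storepass", store_pass],
    ]


def subcommands(commands):
    """The keytool operation of each step, for reviewing the sequence without running it."""
    return [c[1] for c in commands]


def run_pipeline(workdir, hostname):
    """Execute the steps; requires a JDK on PATH. Returns the truststore path."""
    Path(workdir).mkdir(parents=True, exist_ok=True)
    for cmd in build_commands(workdir, hostname):
        subprocess.run(cmd, check=True)
    return Path(workdir) / "kafka.broker.truststore.jks"


if __name__ == "__main__":
    print(run_pipeline("./ssl-demo", "broker-1.example.internal"))
```

The CA keystore (`ca.jks`) must never be copied to brokers or clients; only `ca-cert.pem` goes into truststores. Clients that need to authenticate themselves repeat steps 3 to 6 with their own alias and CN.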
security.protocol Client Property
Secure Inter-Broker Communication
security.inter.broker.protocol Broker Property
listeners Broker Property
SSL Authentication
- In SSL authentication, Kafka brokers authenticate clients (using "2-way authentication")
- Requires SSL encryption discussed earlier
- Broker and clients use keystores (for identity) and truststores with the Certificate Authority (CA)
ssl.client.auth Broker Property
authorizer.class.name Broker Property
Other Broker Properties
- allow.everyone.if.no.acl.found
- super.users
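A check over the broker and client properties named on these slides (`listeners`, `security.inter.broker.protocol`, `ssl.client.auth`, `authorizer.class.name`, `allow.everyone.if.no.acl.found`, `super.users`, and the client's `security.protocol`), as an added example that is not from the slides or from Kafka. The sample configurations are constructed; `kafka.security.authorizer.AclAuthorizer` is the ACL authorizer class shipped with Kafka 2.4, and the checks encode the interplay the SSL Authentication slide describes: without `ssl.client.auth=required`, SSL clients carry no identity, so ACLs cannot distinguish them.

```python
"""Lint the security-relevant broker/client properties from the slides.
Added example; the three configs below are constructed samples."""

WEAK_BROKER = """\
# constructed sample: a broker that looks secured but is not
listeners=PLAINTEXT://:9092,SSL://:9093
security.inter.broker.protocol=PLAINTEXT
ssl.keystore.location=/var/private/ssl/kafka.broker.keystore.jks
ssl.truststore.location=/var/private/ssl/kafka.broker.truststore.jks
ssl.client.auth=none
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=true
super.users=User:CN=kafka-admin;User:CN=broker-1
"""

HARDENED_BROKER = """\
# constructed sample: SSL only, mutual TLS, ACLs enforced
listeners=SSL://:9093
security.inter.broker.protocol=SSL
ssl.keystore.location=/var/private/ssl/kafka.broker.keystore.jks
ssl.truststore.location=/var/private/ssl/kafka.broker.truststore.jks
ssl.client.auth=required
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:CN=kafka-admin;User:CN=broker-1
"""

CLIENT = """\
# constructed sample: client with a truststore but no keystore
security.protocol=SSL
ssl.truststore.location=/var/private/ssl/client.truststore.jks
"""


def parse_properties(text):
    """Minimal key=value parser (comments start with # or !; ':' separators not handled)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def listener_protocols(props):
    """Listener name -> security protocol. A name that is itself a protocol maps to
    itself unless listener.security.protocol.map says otherwise."""
    mapping = {}
    for pair in props.get("listener.security.protocol.map", "").split(","):
        name, sep, proto = pair.partition(":")
        if sep:
            mapping[name.strip()] = proto.strip()
    names = [e.strip().split("://", 1)[0]
             for e in props.get("listeners", "PLAINTEXT://:9092").split(",") if e.strip()]
    return {n: mapping.get(n, n) for n in names}


def check_broker(props):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    protos = listener_protocols(props)
    ib_listener = props.get("inter.broker.listener.name")
    ib_proto = props.get("security.inter.broker.protocol")
    if ib_listener and ib_proto:
        findings.append("inter.broker.listener.name and security.inter.broker.protocol both set")
    elif ib_listener and ib_listener not in protos:
        findings.append(f"inter.broker.listener.name={ib_listener} is not a listener")
    elif not ib_listener and (ib_proto or "PLAINTEXT") not in protos.values():
        findings.append(f"no listener serves security.inter.broker.protocol={ib_proto or 'PLAINTEXT'}")
    for name, proto in protos.items():
        if proto == "PLAINTEXT":
            findings.append(f"listener {name} is PLAINTEXT: no encryption, no client identity")
    if (props.get("authorizer.class.name") and "SSL" in protos.values()
            and props.get("ssl.client.auth", "none") != "required"):
        findings.append("authorizer set but ssl.client.auth is not required: "
                        "SSL clients connect as User:ANONYMOUS")
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: resources without ACLs are open")
    return findings


def super_users(props):
    """super.users is a ';'-separated list of principals that bypass ACL checks."""
    return [u.strip() for u in props.get("super.users", "").split(";") if u.strip()]


def check_client(client, broker):
    """Does this client config fit the broker it will connect to?"""
    findings = []
    proto = client.get("security.protocol", "PLAINTEXT")
    if proto not in listener_protocols(broker).values():
        findings.append(f"broker has no {proto} listener")
    if proto.endswith("SSL") and "ssl.truststore.location" not in client:
        findings.append("no ssl.truststore.location: broker certificate cannot be verified")
    if (proto == "SSL" and broker.get("ssl.client.auth") == "required"
            and "ssl.keystore.location" not in client):
        findings.append("broker requires client certificates but client has no keystore")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_BROKER), ("hardened", HARDENED_BROKER)):
        print(label, check_broker(parse_properties(cfg)))
    print("client vs hardened", check_client(parse_properties(CLIENT), parse_properties(HARDENED_BROKER)))
```

Run against the weak sample it reports the PLAINTEXT listener, the missing client authentication and the open default; the hardened sample passes, and the client sample is flagged only against the hardened broker because that broker demands a client certificate.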
@jaceklaskowski / StackOverflow / GitHub / LinkedIn
The "Internals" Books: Apache Kafka • Kafka Streams