# Kafka Security
Apache Kafka™ 2.4.0

@jaceklaskowski / StackOverflow / GitHub / LinkedIn

The "Internals" Books: Apache Kafka • Kafka Streams
## Agenda (1 of 2)
1. [Secure Communication Using SSL](#/secure-communication-using-ssl)
   * [Keys and Certificates](#/keys-and-certificates)
   * [Key and Trust Stores](#/key-and-trust-stores)
   * [security.protocol Client Property](#/security-protocol-client-property)
   * [Demo: Secure Communication Using SSL](#/demo-secure-communication-using-ssl)
2. [Secure Inter-Broker Communication](#/secure-inter-broker-communication)
   * [security.inter.broker.protocol Broker Property](#/security-inter-broker-protocol-broker-property)
   * [listeners Broker Property](#/listeners-broker-property)
   * [Demo: Secure Inter-Broker Communication](#/demo-secure-inter-broker-communication)
## Agenda (2 of 2)
1. [SSL Authentication](#/ssl-authentication)
   * [ssl.client.auth Broker Property](#/ssl-client-auth-broker-property)
   * [Demo: SSL Authentication](#/demo-ssl-authentication)
2. [ACL Authorization](#/acl-authorization)
   * [authorizer.class.name Broker Property](#/authorizer-class-name-broker-property)
   * [Other Broker Properties](#/other-broker-properties)
   * [kafka-acls Utility](#/kafka-acls-utility)
   * [Demo: ACL Authorization](#/demo-acl-authorization)
## Secure Communication Using SSL
* **Secure Sockets Layer (SSL)** - a cryptographic protocol for communications security over a computer network
* Used for **secure communication** (data encryption) and **authentication**
* Deprecated and superseded by **Transport Layer Security (TLS)**
* Often referred to as **SSL/TLS** (Kafka keeps the name SSL in its property names, e.g. `security.protocol=SSL`, but negotiates TLS)
* [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security) in Wikipedia
## Keys and Certificates
* **Private and Public Keys**
  * Identity of an entity (such as a computer or a website)
* **Public Key Certificate** (Digital Identity Certificate)
  * Identity of the owner (the subject)
  * Digital signature of an entity that has verified the certificate's contents (the issuer)
  * The certificate issuer is a **Certificate Authority (CA)**
* **Certificate Signing Request (CSR)**
  * Request to a Certificate Authority to sign a certificate
## Key and Trust Stores
* **Key Store** (or Keystore) is a database of keys and certificates
  * By default the Java keystore is implemented as a file
  * Contains the private key and any certificates needed to complete the chain of trust of the primary certificate
    * Initially only the private key
    * Eventually also the signed certificate and any root certificates, once a CSR (Certificate Signing Request) has been processed
* **Trust Store** is a file with trusted certificates (public keys)
* Each certificate is associated with a unique alias
* Java **keytool** manages keys and certificates in both stores
## security.protocol Client Property
* Consult [The Internals Of Apache Kafka](https://jaceklaskowski.gitbooks.io/apache-kafka/kafka-clients-CommonClientConfigs.html#security.protocol)
## Demo
👉 [Securing Communication Between Clients and Brokers Using SSL](https://jaceklaskowski.gitbooks.io/apache-kafka/kafka-demo-securing-communication-between-clients-and-brokers.html)
## Secure Inter-Broker Communication
* ...
## security.inter.broker.protocol Broker Property
* Consult [The Internals Of Apache Kafka](https://jaceklaskowski.gitbooks.io/apache-kafka/kafka-properties.html#security.inter.broker.protocol)
## listeners Broker Property
* Consult [The Internals Of Apache Kafka](https://jaceklaskowski.gitbooks.io/apache-kafka/kafka-properties.html#listeners)
## Demo
👉 [Secure Inter-Broker Communication](https://jaceklaskowski.gitbooks.io/apache-kafka/kafka-demo-secure-inter-broker-communication.html)
## SSL Authentication
* In SSL authentication, Kafka brokers authenticate clients (using "2-way authentication")
* Requires SSL encryption (discussed earlier)
* Encryption alone needs a client truststore only; for 2-way authentication, broker and clients use keystores (for identity) and truststores holding the Certificate Authority (CA) certificate
## ssl.client.auth Broker Property
* Consult [The Internals Of Apache Kafka](https://jaceklaskowski.gitbooks.io/apache-kafka/kafka-properties.html#ssl.client.auth)
## Demo
👉 [SSL Authentication](https://jaceklaskowski.gitbooks.io/apache-kafka/kafka-demo-ssl-authentication.html)
## ACL Authorization
* FIXME
## authorizer.class.name Broker Property
* Consult [The Internals Of Apache Kafka](https://jaceklaskowski.gitbooks.io/apache-kafka/kafka-properties.html#authorizer.class.name)
## Other Broker Properties
* allow.everyone.if.no.acl.found
* super.users
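Added example (not the deck's or the Kafka project's code): a small audit of a broker `.properties` file against the settings from the listeners, security.inter.broker.protocol, ssl.client.auth and ACL authorization slides, reporting unencrypted listeners, unencrypted inter-broker traffic, brokers that do not authenticate clients, a missing authorizer, and `allow.everyone.if.no.acl.found=true` (which opens every resource that has no ACL). It assumes Kafka 2.4 broker defaults (PLAINTEXT inter-broker protocol, `ssl.client.auth=none`, no authorizer, `allow.everyone.if.no.acl.found=false`) and a constructed sample config; `super.users` is not checked.

```python
# Added example, not from the deck: audit a Kafka 2.4 broker .properties file. Defaults follow Kafka 2.4; SAMPLE is a constructed config.
SECURE = {"SSL", "SASL_SSL"}
DEFAULT_MAP = "PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL"

def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' comments, blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def listener_protocols(props):
    """Map each listener name in `listeners` to its security protocol."""
    name_map = dict(pair.split(":") for pair in
                    props.get("listener.security.protocol.map", DEFAULT_MAP).split(","))
    names = [entry.split("://", 1)[0].strip()
             for entry in props.get("listeners", "PLAINTEXT://:9092").split(",")]
    return {name: name_map.get(name, "UNKNOWN") for name in names}

def audit_broker(props):
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    protos = listener_protocols(props)
    for name, proto in protos.items():
        if proto not in SECURE:
            findings.append(f"listener {name} is {proto}: client traffic is unencrypted")
    inter = props.get("security.inter.broker.protocol", "PLAINTEXT")  # Kafka default
    if inter not in SECURE:
        findings.append(f"inter-broker traffic over {inter} is unencrypted")
    if "SSL" in protos.values():
        if props.get("ssl.client.auth", "none") != "required":  # default is 'none'
            findings.append("ssl.client.auth is not 'required': brokers do not authenticate clients")
        elif not props.get("ssl.truststore.location"):
            findings.append("ssl.client.auth=required but no ssl.truststore.location to verify clients")
    if not props.get("authorizer.class.name"):
        findings.append("no authorizer.class.name: ACL authorization is off")
    elif props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: resources without ACLs are open to all")
    return findings

# Constructed sample: SSL listener present, but inter-broker stays PLAINTEXT and no authorizer.
SAMPLE = """
listeners=PLAINTEXT://:9092,SSL://:9093
security.inter.broker.protocol=PLAINTEXT
ssl.truststore.location=/var/private/ssl/broker.truststore.jks
ssl.client.auth=required
"""
```

`audit_broker(parse_properties(SAMPLE))` reports the PLAINTEXT listener, the unencrypted inter-broker traffic and the missing authorizer; switching the sample to a single SSL listener, `security.inter.broker.protocol=SSL` and an authorizer class clears all three.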
## kafka-acls Utility
* FIXME
## Demo
👉 [ACL Authorization](https://jaceklaskowski.gitbooks.io/apache-kafka/kafka-demo-acl-authorization.html)
## Recap (1 of 2)
1. [Secure Communication Using SSL](#/secure-communication-using-ssl)
   * [Keys and Certificates](#/keys-and-certificates)
   * [Key and Trust Stores](#/key-and-trust-stores)
   * [security.protocol Client Property](#/security-protocol-client-property)
   * [Demo: Secure Communication Using SSL](#/demo-secure-communication-using-ssl)
2. [Secure Inter-Broker Communication](#/secure-inter-broker-communication)
   * [security.inter.broker.protocol Broker Property](#/security-inter-broker-protocol-broker-property)
   * [listeners Broker Property](#/listeners-broker-property)
   * [Demo: Secure Inter-Broker Communication](#/demo-secure-inter-broker-communication)
## Recap (2 of 2)
1. [SSL Authentication](#/ssl-authentication)
   * [ssl.client.auth Broker Property](#/ssl-client-auth-broker-property)
   * [Demo: SSL Authentication](#/demo-ssl-authentication)
2. [ACL Authorization](#/acl-authorization)
   * [authorizer.class.name Broker Property](#/authorizer-class-name-broker-property)
   * [Other Broker Properties](#/other-broker-properties)
   * [kafka-acls Utility](#/kafka-acls-utility)
   * [Demo: ACL Authorization](#/demo-acl-authorization)
# Questions?
* Read [The Internals of Apache Kafka](https://bit.ly/apache-kafka-internals)
* Read [The Internals of Kafka Streams](https://bit.ly/kafka-streams-internals)
* Follow [@jaceklaskowski](https://twitter.com/jaceklaskowski) on Twitter (DMs open)
* Upvote [my questions and answers on StackOverflow](http://stackoverflow.com/users/1305344/jacek-laskowski)
* Contact me at **jacek@japila.pl**