Saxo Bank is on a growth journey, and Kafka is a critical component of that success. Securing our financial event streams is a top priority for us. We initially started with an on-prem Kafka cluster secured with Kerberos, the de facto standard. However, as we modernize and scale, the demands of hybrid cloud, multiple domains, polyglot computing and Data Mesh require us to also modernize our approach to security. In this talk, we describe how we took the default (non-production-ready) Kafka OAuth implementation and productionized it to work with Kafka in Azure Cloud, covering both the Kafka stack and its clients. With Kerberos and OAuth both running on-prem and in the cloud, we now plan to gracefully retire Kerberos from our estate.
How we eased our security journey with OAuth (Goodbye Kerberos!) | Paul Makkar and Rahul Gulati, Saxo Bank
1. Page 1
How We Eased Our Security Journey With OAuth (Goodbye Kerberos)
2. Page 2
Paul Makkar – Head of Data in Motion, Saxo Bank
Rahul Gulati – Senior Data Platform Engineer, Saxo Bank
3. Page 3
Saxo Bank is a Global, Multi-Asset Facilitator
(Slide diagram) Three columns: capital markets products, services and liquidity; Saxo Bank facilitation; distribution to clients – the SaxoExperience.
We unbundle the value chain through our open architecture. We source the best ideas, products, liquidity and services from the best providers. We run and develop one global, multi-asset, multi-tenanted tech stack and one set of global business processes. We distribute capital market and asset management products and services through our platforms, tied together by the SaxoExperience.
Tech stack: trading platforms, FIX / Open API, CRM & CMS API, OMS / EMS, broker connectivity, hosting services, clearing and settlement, client account structures, margin & risk management, market data connectivity, custody, EOD files, FSSO & TENS, regulatory reporting.
Clients: traders (SaxoTraderPRO and SaxoTraderGO for self-directed traders), investors (SaxoInvestor for self-directed and delegating investors), wholesale (outsourced capital markets infrastructure and client-facing front ends; Open / FIX API).
Processes: execution and trading, market data, custody and back office, reporting, business management, client management, integration.
4. Page 4
Saxo and Kafka – Building a Data Mesh
(Slide diagram) Kafka self-service shared by several Domain Teams; Data In Motion; Security is key to our success; Education.
7. Page 7
Cluster Components and Security

On-prem component   Broker                 Zookeeper
Broker              SASL(Kerberos) + TLS   SASL(Kerberos)
Kafka Connect       SASL(Kerberos) + TLS   NA
Schema Registry     SASL(Kerberos) + TLS   NA
Control Center      SASL(Kerberos) + TLS   NA
8. Page 8
Challenges with Kerberos
Cross-realm authentication is hard!
Authentication from the cloud against on-prem LDAP/AD is not possible.
Very difficult to debug.
10. Page 10
OAuth with Kafka
Looked possible, looked promising.
A complete, production-ready solution was not available out of the box.
11. Page 11
OAuth with Kafka – Why Not Production Ready?
• The default SASL/OAUTHBEARER implementation deals only with unsecured JWT tokens.
• It generates arbitrary tokens, so it is only suitable for DEV/TEST environments.
• No external authorization server is involved in granting tokens and authenticating clients.
13. Page 13
Introduction
OAuth is an authorization framework that enables you or your application to get access to an HTTP service, either on behalf of a resource owner or by allowing your application to obtain access on its own behalf.
15. Page 15
OAuth Terminology
Grant Type used here: Client Credentials
• An Access Token is the token used to access resources.
• A Refresh Token represents your next authorization.
• The Grant Type (or Flow) specifies how you retrieve those tokens.
22. Page 22
Azure AD App Registration
• Separate Apps for Brokers, Producers, Consumers, Connect, SR etc., across the different environments, i.e. Dev, Test & Prod.
• Authentication is based on the client ID and client secret of each App.
24. Page 24
Validating JWT (Brokers)
• Validate the token structure: a valid token has three parts, i.e. Header, Payload and Signature.
• Validate the token signature:
  • Decode the token header.
  • Get the token signing key.
  • Verify that the token is signed by Azure AD keys.
(Slide figure: decoded token header)
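The four broker-side checks above, carried through in code. This is an added example, not Saxo Bank's implementation: Azure AD publishes its signing keys as a JWKS over HTTPS and signs tokens with RS256, so the validator here looks the key up by the header's kid and verifies an RS256 signature. To run offline without third-party packages, the JWKS and the token are constructed inline from a toy-size RSA key (the key size, kid, claim values and the hand-rolled RSA/PKCS#1 v1.5 routines are all stand-ins; a broker would fetch the real JWKS from the tenant's discovery endpoint and use a vetted JOSE library).

```python
"""Broker-side JWT validation (added example): 3 parts -> header -> key by kid -> RS256."""
import base64
import hashlib
import json
import random

random.seed(2024)  # fixed seed so the demo key is reproducible; never do this for a real key

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # JWTs omit '=' padding

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin; sufficient for a demo-only key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit set and odd
        if is_probable_prime(c):
            return c

def gen_rsa_key(bits: int = 512):
    """Toy 512-bit key (constructed; Azure AD keys are 2048-bit). Returns (n, e, d)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)

SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for SHA-256

def emsa_pkcs1_v15(msg: bytes, em_len: int) -> bytes:
    t = SHA256_DIGEST_INFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == emsa_pkcs1_v15(msg, k)

def mint_token(claims: dict, kid: str, n: int, d: int) -> str:
    """What the authorization server does; included only so the demo has a token to check."""
    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), n, d))

def validate_token(token: str, jwks: dict):
    """Broker-side check. Returns (True, claims) or (False, reason)."""
    parts = token.split(".")
    if len(parts) != 3:                                               # step 1: header.payload.signature
        return False, "token must have exactly three parts"
    try:
        header = json.loads(b64url_decode(parts[0]))                  # step 2: decode the header
        signature = b64url_decode(parts[2])
    except ValueError:
        return False, "header or signature is not valid base64url/JSON"
    if not isinstance(header, dict) or header.get("alg") != "RS256":  # pin the algorithm; rejects 'none'
        return False, "unexpected alg %r" % (header.get("alg") if isinstance(header, dict) else None)
    key = next((k for k in jwks["keys"]                               # step 3: signing key by kid
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        return False, "no RSA key with kid %r in the issuer's JWKS" % header.get("kid")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rs256_verify((parts[0] + "." + parts[1]).encode(), signature, n, e):  # step 4
        return False, "signature does not verify against the issuer's key"
    return True, json.loads(b64url_decode(parts[1]))

# Constructed stand-ins for the Azure AD JWKS document and a token it issued.
_N, _E, _D = gen_rsa_key()
KID = "demo-key-1"
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": KID,
                  "n": b64url_encode(_N.to_bytes(64, "big")), "e": b64url_encode(_E.to_bytes(3, "big"))}]}
TOKEN = mint_token({"aud": "api://kafka-broker", "sub": "producer-app", "roles": ["producer"]}, KID, _N, _D)

if __name__ == "__main__":
    print(validate_token(TOKEN, JWKS))
```

The order of the checks matters: the algorithm is pinned before any key lookup, the key is chosen only by kid from the trusted JWKS (never from material carried in the token itself), and the payload is parsed only after the signature verifies. In production the broker would additionally check the issuer, audience and expiry claims it returns, which the slide's four steps do not cover.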
33. Page 33
How Has The Journey Been So Far?
Easy to authenticate Producer/Consumer apps running anywhere, i.e. on-prem or in the cloud.
Cross-domain authentication became possible (in fact, it is not even relevant any more).
Much easier to onboard new clients and authenticate AD Apps.
Debugging authentication issues became easier.
We have started the journey to deprecate Kerberos.