SlideShare a Scribd company logo

Apache Kafka® Security Overview

confluent
confluent

Apache Kafka® Security Overview, Sven Erik Knop, Senior Solutions Architect, Confluent https://www.meetup.com/Dublin-Apache-Kafka-Meetup-by-Confluent/events/273462098/

1 of 34
Apache Kafka Security Overview Sven Erik Knop, Senior Solutions Architect
Who am I? • Sven Erik Knop • Senior Solutions Architect • Architect, Developer, Presenter • @sven_erik_knop 2
Agenda 3 Why security? Implementation Encryption Authentication Authorization RBAC Why RBAC? Implementation Impact
Reminder: What is Apache Kafka? • Distributed, fault-tolerant and immutable log • Use cases • Publish-subscribe queue • ETL (Extract, Transform, Load) • Event streaming platform • Rich infrastructure through connectors and language APIs • Open Source, with enterprise support and enhancements through companies like Confluent 4
5 Apache Kafka before security (<0.9) ¡ Kafka is infrastructure hidden behind the firewall ¡ Servers within the network are implicitly trusted ¡ No governance required (or possible)
New challenges Multi-tenancy Topics with sensitive or confidential data Regulatory requirements
Security Features added in Kafka 0.9 Encryption Authentication Authorization Connection to ZooKeeper
Encryption 8 Encryption in flight TLS = Transport Layer Encryption Encryption at rest OS or file system feature End-to-End encryption Needs to be built into the producers and consumers
Encryption via TLS (Transport Layer Security) Prevents eavesdropping Prevents man- in-the-middle attacks Industry- standard encryption Broker certificate signed by either • External, well-known Certificate Authority (CA) – GlobalSign, Let’s Encrypt … • Internal CA, with clients using a truststore to verify its identity security.protocol=SSL (instead of the default PLAINTEXT) ssl.endpoint.identification.algorithm=https
TLS Mutual Authentication If enabled, provides trust into client connections Principal is used for authorization Certificates signed by trusted authority (CA) Clients additionally use a keystore to provide their own identity
SASL (Simple Authentication and Security Layer) 11 Framework for authentication and data security Decouples authentication mechanisms from the application protocols Common interface for different implementations
SASL Implementations 12 Implementation Class Comments PLAIN org.apache.kafka.common.security.plain.PlainLoginModule Username/Password SCRAM org.apache.kafka.common.security.scram.ScramLoginModule SCRAM_SHA_(256|512) GSSAPI com.sun.security.auth.module.Krb5LoginModule Kerberos OAUTHBEARER org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule Token based used for RBAC security.protocol = SASL_PLAINTEXT | SASL_SSL sasl.mechanism = PLAIN | SCRAM_SHA_256 | SCRAM_SHA_512 | GSSAPI | OAUTHBEARER Configured in the brokers and the clients through a JAAS file
JAAS 13 • Java Authentication and Authorization Service • For services (Kafka, ZooKeeper) grouped by section names • KafkaServer • KafkaClient • Server (for ZooKeeper Server) • Client (for ZooKeeper Client, e.g. Kafka) • Alternatively, specify as a property KafkaServer { org.apache.kafka.common.security.scram.ScramLoginModule required username="kafka" password="kafka"; }; Client { org.apache.zookeeper.server.auth.DigestLoginModule required username="admin" password=”admin-secret"; }; sasl.mechanism=SCRAM-SHA-256 security.protocol=SASL_PLAINTEXT sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="producer" password="producer-secret";
sasl.mechanism=PLAIN • Username/Password • Broker • By default, holds a list of username/password in the SASL config file • Requires rolling restart when users are added or deleted • Can be overwritten, for example • listener.name.sasl_plaintext.plain.sasl.server.callback.handler.class= io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler • Client sasl.mechanism=PLAIN security.protocol=SASL_PLAINTEXT sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="alice" password="alice-secret" ;
SCRAM • Salted Challenge Response Authentication Mechanism • Users and passwords are stored in ZooKeeper • Dynamic configuration through kafka-configs • Different encryption levels (SHA-256, SHA-512) • CAVEAT: Need to add any super user as an entity as well kafka-configs --zookeeper zookeeper:2182 --alter --add-config 'SCRAM-SHA-256=[password=xxxxx],SCRAM-SHA-512=[password=xxxxx]' --entity-type users --entity-name producer sasl.mechanism=SCRAM-SHA-256 security.protocol=SASL_PLAINTEXT sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="producer" password=”xxxxx";
Kerberos • Network authentication protocol created by the MIT • sasl.enabled.mechanisms=GSSAPI • Generic Security Service Application Program Interface • External Key Distribution Center (KDC) • Service (Broker, ZooKeeper …) registers itself • sasl.kerberos.service.name must match principal • Default service names are ‘kafka’, ‘zookeeper’
Kerberos client • Either: create a ticket with kinit (login) • Or: provide the keytab location and the principal name • List existing tickets with klist sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka_client.keytab" principal="kafkaclient1@EXAMPLE.COM";
Authorization via ACLS (Access Control Lists) Permission to access or modify resources like Topics Clusters Consumer Groups All, Literal and Prefix Allow and deny access Stored in ZooKeeper
ACL for users 19 •kafka-acls •Can check in ZooKeeper directly ACLs are stored in ZooKeeper •Topic, Cluster, Group, TransactionId, DelegationToken •(Principal, PermissionType, Operation, Host) ACLs defined for •Confluent extension to use Group:<group-name> set in LDAP Principal for users is User:<user-name> Can use resource name ‘*’ for catch all •--resource-pattern-type prefixed (default is literal) To specify a subset of resources with the same prefix, use
Securing ZooKeeper • Authentication • SASL • Digest • Kerberos • Authorization • Securing your nodes through Kafka • zookeeper.set.acl=true • Migrating from a non-secured node • zookeeper-security-migration
Kafka Infrastructure Schema Registry Connect Control Center KSQL REST Proxy REST Clients
Challenge • Clients directly connected to the brokers use SASL or mutual auth for authentication • Tools like KSQL or Connect are connected using a single user with that user’s permissions • ASK: Users of these tools need their own authentication and propagate their credentials Schema RegistryREST Client SR UserREST User REST User
The Need for A Unified Approach • Requirements • Services connect to Kafka using TLS Mutual Auth or SASL • External access via REST needs to impersonate an internal user • Want • Single service to assign roles • Changes need to be traceable (ZooKeeper does not keep a log)
RBAC – Role Based Access Control (Pre-defined) roles can be assigned to users or groups for a resource Stored in a Kafka topic accessed via a new Kafka interface, the MDS (Meta Data Service) Requires Confluent Server instead of Apache Kafka User authentication backed by LDAP Authorized users are given an OATHBEARER Token to identify themselves
Roles 25 Administration roles (SystemAdmin, ClusterAdmin, UserAdmin, …) Operators ResourceOwners Developers
Roles Assignment to User/Group CLI API CONTROL CENTER Group membership management via LDAP
Confluent Control Center 27
Schema Registry, Connect, KSQL, REST Proxy • Standard REST username/password security (from LDAP) • MDS Server provides OAUTHBEARER token • Credentials are propagated
RBAC Key Benefits 29 Key Benefits Over Traditional ZK ACLs: • Efficiency with Scale • Confluent Platform-wide security • Authorization at scale - with predefined Roles and LDAP Groups as Principals • Manage multiple clusters from 1 central location • Increased Granular Policies • Connector level access control. • Granular access for Control Center users • On top of the Topic and SR Subjects • Improved Multi-Tenancy support • Items without access do not show • Delegation of Administration Responsibilities
Requirements • Confluent Server >= CP 5.4 • LDAP (Usually Microsoft Active Directory) for • User authentication (usually Username/Password SIMPLE BIND) • Group membership for authorization • All services configured with • sasl.enabled.mechanism=OAUTHBEARER • sasl.login.callback.handler.class= io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler • metadata.bootstrap.server.urls=http://mds-server:8090 • Do not configure standard producers/consumer/streams with OAUTHBEARER • Unsupported • Would require access to MDS server 30
Summary • Security is an important feature of a streaming platform • Encryption and ACLs provide security for clients directly accessing the Kafka brokers • RBAC adds a unified authentication and authorization interface for services around Kafka
Further reading • https://docs.confluent.io/current/security/security_tutorial.html • https://docs.confluent.io/current/security/rbac/index.html 32
Any questions? 33
Apache Kafka® Security Overview

Recommended

Visualizing Kafka Security
Visualizing Kafka SecurityVisualizing Kafka Security
Visualizing Kafka Security
DataWorks Summit
 
Kafka Streams: What it is, and how to use it?
Kafka Streams: What it is, and how to use it?Kafka Streams: What it is, and how to use it?
Kafka Streams: What it is, and how to use it?
confluent
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka
confluent
 
Kafka Tutorial: Kafka Security
Kafka Tutorial: Kafka SecurityKafka Tutorial: Kafka Security
Kafka Tutorial: Kafka Security
Jean-Paul Azar
 
Getting Started with Confluent Schema Registry
Getting Started with Confluent Schema RegistryGetting Started with Confluent Schema Registry
Getting Started with Confluent Schema Registry
confluent
 
Apache Kafka Security
Apache Kafka Security Apache Kafka Security
Apache Kafka Security
DataWorks Summit/Hadoop Summit
 
Introduction to Kafka connect
Introduction to Kafka connectIntroduction to Kafka connect
Introduction to Kafka connect
Knoldus Inc.
 
Apache Kafka® and API Management
Apache Kafka® and API ManagementApache Kafka® and API Management
Apache Kafka® and API Management
confluent
 

Recommended

Visualizing Kafka Security
Visualizing Kafka SecurityVisualizing Kafka Security
Visualizing Kafka Security
DataWorks Summit
 
Kafka Streams: What it is, and how to use it?
Kafka Streams: What it is, and how to use it?Kafka Streams: What it is, and how to use it?
Kafka Streams: What it is, and how to use it?
confluent
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka
confluent
 
Kafka Tutorial: Kafka Security
Kafka Tutorial: Kafka SecurityKafka Tutorial: Kafka Security
Kafka Tutorial: Kafka Security
Jean-Paul Azar
 
Getting Started with Confluent Schema Registry
Getting Started with Confluent Schema RegistryGetting Started with Confluent Schema Registry
Getting Started with Confluent Schema Registry
confluent
 
Apache Kafka Security
Apache Kafka Security Apache Kafka Security
Apache Kafka Security
DataWorks Summit/Hadoop Summit
 
Introduction to Kafka connect
Introduction to Kafka connectIntroduction to Kafka connect
Introduction to Kafka connect
Knoldus Inc.
 
Apache Kafka® and API Management
Apache Kafka® and API ManagementApache Kafka® and API Management
Apache Kafka® and API Management
confluent
 
Introduction to Kafka Streams
Introduction to Kafka StreamsIntroduction to Kafka Streams
Introduction to Kafka Streams
Guozhang Wang
 
ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!
Guido Schmutz
 
Kafka 101 and Developer Best Practices
Kafka 101 and Developer Best PracticesKafka 101 and Developer Best Practices
Kafka 101 and Developer Best Practices
confluent
 
Kafka Tutorial - Introduction to Apache Kafka (Part 1)
Kafka Tutorial - Introduction to Apache Kafka (Part 1)Kafka Tutorial - Introduction to Apache Kafka (Part 1)
Kafka Tutorial - Introduction to Apache Kafka (Part 1)
Jean-Paul Azar
 
Introduction to Apache Kafka
Introduction to Apache KafkaIntroduction to Apache Kafka
Introduction to Apache Kafka
Jeff Holoman
 
Introducing Kafka's Streams API
Introducing Kafka's Streams APIIntroducing Kafka's Streams API
Introducing Kafka's Streams API
confluent
 
Apache Kafka Architecture & Fundamentals Explained
Apache Kafka Architecture & Fundamentals ExplainedApache Kafka Architecture & Fundamentals Explained
Apache Kafka Architecture & Fundamentals Explained
confluent
 
Stream processing using Kafka
Stream processing using KafkaStream processing using Kafka
Stream processing using Kafka
Knoldus Inc.
 
Apache Kafka
Apache KafkaApache Kafka
Apache Kafka
Diego Pacheco
 
ksqlDB: A Stream-Relational Database System
ksqlDB: A Stream-Relational Database SystemksqlDB: A Stream-Relational Database System
ksqlDB: A Stream-Relational Database System
confluent
 
Monitoring and Resiliency Testing our Apache Kafka Clusters at Goldman Sachs ...
Monitoring and Resiliency Testing our Apache Kafka Clusters at Goldman Sachs ...Monitoring and Resiliency Testing our Apache Kafka Clusters at Goldman Sachs ...
Monitoring and Resiliency Testing our Apache Kafka Clusters at Goldman Sachs ...
HostedbyConfluent
 
Introduction to KSQL: Streaming SQL for Apache Kafka®
Introduction to KSQL: Streaming SQL for Apache Kafka®Introduction to KSQL: Streaming SQL for Apache Kafka®
Introduction to KSQL: Streaming SQL for Apache Kafka®
confluent
 
Envoy and Kafka
Envoy and KafkaEnvoy and Kafka
Envoy and Kafka
Adam Kotwasinski
 
Real-Life Use Cases & Architectures for Event Streaming with Apache Kafka
Real-Life Use Cases & Architectures for Event Streaming with Apache KafkaReal-Life Use Cases & Architectures for Event Streaming with Apache Kafka
Real-Life Use Cases & Architectures for Event Streaming with Apache Kafka
Kai Wähner
 
Consumer offset management in Kafka
Consumer offset management in KafkaConsumer offset management in Kafka
Consumer offset management in Kafka
Joel Koshy
 
Apache kafka
Apache kafkaApache kafka
Apache kafka
Kumar Shivam
 
kafka
kafkakafka
kafka
Amikam Snir
 
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
Kai Wähner
 
Kafka presentation
Kafka presentationKafka presentation
Kafka presentation
Mohammed Fazuluddin
 
Producer Performance Tuning for Apache Kafka
Producer Performance Tuning for Apache KafkaProducer Performance Tuning for Apache Kafka
Producer Performance Tuning for Apache Kafka
Jiangjie Qin
 
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
HostedbyConfluent
 
Kafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WayKafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right Way
Saylor Twift
 

More Related Content

What's hot

Introduction to Kafka Streams
Introduction to Kafka StreamsIntroduction to Kafka Streams
Introduction to Kafka Streams
Guozhang Wang
 
ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!
Guido Schmutz
 
Kafka 101 and Developer Best Practices
Kafka 101 and Developer Best PracticesKafka 101 and Developer Best Practices
Kafka 101 and Developer Best Practices
confluent
 
Kafka Tutorial - Introduction to Apache Kafka (Part 1)
Kafka Tutorial - Introduction to Apache Kafka (Part 1)Kafka Tutorial - Introduction to Apache Kafka (Part 1)
Kafka Tutorial - Introduction to Apache Kafka (Part 1)
Jean-Paul Azar
 
Introduction to Apache Kafka
Introduction to Apache KafkaIntroduction to Apache Kafka
Introduction to Apache Kafka
Jeff Holoman
 
Introducing Kafka's Streams API
Introducing Kafka's Streams APIIntroducing Kafka's Streams API
Introducing Kafka's Streams API
confluent
 
Apache Kafka Architecture & Fundamentals Explained
Apache Kafka Architecture & Fundamentals ExplainedApache Kafka Architecture & Fundamentals Explained
Apache Kafka Architecture & Fundamentals Explained
confluent
 
Stream processing using Kafka
Stream processing using KafkaStream processing using Kafka
Stream processing using Kafka
Knoldus Inc.
 
Apache Kafka
Apache KafkaApache Kafka
Apache Kafka
Diego Pacheco
 
ksqlDB: A Stream-Relational Database System
ksqlDB: A Stream-Relational Database SystemksqlDB: A Stream-Relational Database System
ksqlDB: A Stream-Relational Database System
confluent
 
Monitoring and Resiliency Testing our Apache Kafka Clusters at Goldman Sachs ...
Monitoring and Resiliency Testing our Apache Kafka Clusters at Goldman Sachs ...Monitoring and Resiliency Testing our Apache Kafka Clusters at Goldman Sachs ...
Monitoring and Resiliency Testing our Apache Kafka Clusters at Goldman Sachs ...
HostedbyConfluent
 
Introduction to KSQL: Streaming SQL for Apache Kafka®
Introduction to KSQL: Streaming SQL for Apache Kafka®Introduction to KSQL: Streaming SQL for Apache Kafka®
Introduction to KSQL: Streaming SQL for Apache Kafka®
confluent
 
Envoy and Kafka
Envoy and KafkaEnvoy and Kafka
Envoy and Kafka
Adam Kotwasinski
 
Real-Life Use Cases & Architectures for Event Streaming with Apache Kafka
Real-Life Use Cases & Architectures for Event Streaming with Apache KafkaReal-Life Use Cases & Architectures for Event Streaming with Apache Kafka
Real-Life Use Cases & Architectures for Event Streaming with Apache Kafka
Kai Wähner
 
Consumer offset management in Kafka
Consumer offset management in KafkaConsumer offset management in Kafka
Consumer offset management in Kafka
Joel Koshy
 
Apache kafka
Apache kafkaApache kafka
Apache kafka
Kumar Shivam
 
kafka
kafkakafka
kafka
Amikam Snir
 
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
Kai Wähner
 
Kafka presentation
Kafka presentationKafka presentation
Kafka presentation
Mohammed Fazuluddin
 
Producer Performance Tuning for Apache Kafka
Producer Performance Tuning for Apache KafkaProducer Performance Tuning for Apache Kafka
Producer Performance Tuning for Apache Kafka
Jiangjie Qin
 

What's hot (20)

Introduction to Kafka Streams
Introduction to Kafka StreamsIntroduction to Kafka Streams
Introduction to Kafka Streams
 
ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!
 
Kafka 101 and Developer Best Practices
Kafka 101 and Developer Best PracticesKafka 101 and Developer Best Practices
Kafka 101 and Developer Best Practices
 
Kafka Tutorial - Introduction to Apache Kafka (Part 1)
Kafka Tutorial - Introduction to Apache Kafka (Part 1)Kafka Tutorial - Introduction to Apache Kafka (Part 1)
Kafka Tutorial - Introduction to Apache Kafka (Part 1)
 
Introduction to Apache Kafka
Introduction to Apache KafkaIntroduction to Apache Kafka
Introduction to Apache Kafka
 
Introducing Kafka's Streams API
Introducing Kafka's Streams APIIntroducing Kafka's Streams API
Introducing Kafka's Streams API
 
Apache Kafka Architecture & Fundamentals Explained
Apache Kafka Architecture & Fundamentals ExplainedApache Kafka Architecture & Fundamentals Explained
Apache Kafka Architecture & Fundamentals Explained
 
Stream processing using Kafka
Stream processing using KafkaStream processing using Kafka
Stream processing using Kafka
 
Apache Kafka
Apache KafkaApache Kafka
Apache Kafka
 
ksqlDB: A Stream-Relational Database System
ksqlDB: A Stream-Relational Database SystemksqlDB: A Stream-Relational Database System
ksqlDB: A Stream-Relational Database System
 
Monitoring and Resiliency Testing our Apache Kafka Clusters at Goldman Sachs ...
Monitoring and Resiliency Testing our Apache Kafka Clusters at Goldman Sachs ...Monitoring and Resiliency Testing our Apache Kafka Clusters at Goldman Sachs ...
Monitoring and Resiliency Testing our Apache Kafka Clusters at Goldman Sachs ...
 
Introduction to KSQL: Streaming SQL for Apache Kafka®
Introduction to KSQL: Streaming SQL for Apache Kafka®Introduction to KSQL: Streaming SQL for Apache Kafka®
Introduction to KSQL: Streaming SQL for Apache Kafka®
 
Envoy and Kafka
Envoy and KafkaEnvoy and Kafka
Envoy and Kafka
 
Real-Life Use Cases & Architectures for Event Streaming with Apache Kafka
Real-Life Use Cases & Architectures for Event Streaming with Apache KafkaReal-Life Use Cases & Architectures for Event Streaming with Apache Kafka
Real-Life Use Cases & Architectures for Event Streaming with Apache Kafka
 
Consumer offset management in Kafka
Consumer offset management in KafkaConsumer offset management in Kafka
Consumer offset management in Kafka
 
Apache kafka
Apache kafkaApache kafka
Apache kafka
 
kafka
kafkakafka
kafka
 
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
Architecture patterns for distributed, hybrid, edge and global Apache Kafka d...
 
Kafka presentation
Kafka presentationKafka presentation
Kafka presentation
 
Producer Performance Tuning for Apache Kafka
Producer Performance Tuning for Apache KafkaProducer Performance Tuning for Apache Kafka
Producer Performance Tuning for Apache Kafka
 

Similar to Apache Kafka® Security Overview

Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
HostedbyConfluent
 
Kafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WayKafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right Way
Saylor Twift
 
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
confluent
 
New Security Features in Apache HBase 0.98: An Operator's Guide
New Security Features in Apache HBase 0.98: An Operator's GuideNew Security Features in Apache HBase 0.98: An Operator's Guide
New Security Features in Apache HBase 0.98: An Operator's Guide
HBaseCon
 
How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safe
confluent
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
confluent
 
Kafka Security
Kafka SecurityKafka Security
Kafka Security
DataWorks Summit/Hadoop Summit
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101
Abdelkrim Hadjidj
 
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Lucidworks
 
Protecting your data at rest with Apache Kafka by Confluent and Vormetric
Protecting your data at rest with Apache Kafka by Confluent and VormetricProtecting your data at rest with Apache Kafka by Confluent and Vormetric
Protecting your data at rest with Apache Kafka by Confluent and Vormetric
confluent
 
Deploying and Operating KSQL
Deploying and Operating KSQLDeploying and Operating KSQL
Deploying and Operating KSQL
confluent
 
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
confluent
 
Kafka Summit SF 2017 - Kafka Stream Processing for Everyone with KSQL
Kafka Summit SF 2017 - Kafka Stream Processing for Everyone with KSQLKafka Summit SF 2017 - Kafka Stream Processing for Everyone with KSQL
Kafka Summit SF 2017 - Kafka Stream Processing for Everyone with KSQL
confluent
 
Vault
VaultVault
Vault
dawnlua
 
Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)
Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)
Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)
Kai Wähner
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops
Jose Manuel Ortega Candel
 
AKS Scurity - Cluster & Kubelet Access to services
AKS Scurity - Cluster & Kubelet Access to servicesAKS Scurity - Cluster & Kubelet Access to services
AKS Scurity - Cluster & Kubelet Access to services
Parisa Moosavinezhad
 
Architecting for Microservices Part 2
Architecting for Microservices Part 2Architecting for Microservices Part 2
Architecting for Microservices Part 2
Elana Krasner
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
 
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.
Opcito Technologies
 

Similar to Apache Kafka® Security Overview (20)

Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
 
Kafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WayKafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right Way
 
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
 
New Security Features in Apache HBase 0.98: An Operator's Guide
New Security Features in Apache HBase 0.98: An Operator's GuideNew Security Features in Apache HBase 0.98: An Operator's Guide
New Security Features in Apache HBase 0.98: An Operator's Guide
 
How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safe
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
 
Kafka Security
Kafka SecurityKafka Security
Kafka Security
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101
 
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
 
Protecting your data at rest with Apache Kafka by Confluent and Vormetric
Protecting your data at rest with Apache Kafka by Confluent and VormetricProtecting your data at rest with Apache Kafka by Confluent and Vormetric
Protecting your data at rest with Apache Kafka by Confluent and Vormetric
 
Deploying and Operating KSQL
Deploying and Operating KSQLDeploying and Operating KSQL
Deploying and Operating KSQL
 
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
 
Kafka Summit SF 2017 - Kafka Stream Processing for Everyone with KSQL
Kafka Summit SF 2017 - Kafka Stream Processing for Everyone with KSQLKafka Summit SF 2017 - Kafka Stream Processing for Everyone with KSQL
Kafka Summit SF 2017 - Kafka Stream Processing for Everyone with KSQL
 
Vault
VaultVault
Vault
 
Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)
Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)
Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops
 
AKS Scurity - Cluster & Kubelet Access to services
AKS Scurity - Cluster & Kubelet Access to servicesAKS Scurity - Cluster & Kubelet Access to services
AKS Scurity - Cluster & Kubelet Access to services
 
Architecting for Microservices Part 2
Architecting for Microservices Part 2Architecting for Microservices Part 2
Architecting for Microservices Part 2
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
 
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.
 

More from confluent

Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
confluent
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Era
confluent
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
confluent
 
Santander Stream Processing with Apache Flink
Santander Stream Processing with Apache FlinkSantander Stream Processing with Apache Flink
Santander Stream Processing with Apache Flink
confluent
 
Unlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insightsUnlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insights
confluent
 
Workshop híbrido: Stream Processing con Flink
Workshop híbrido: Stream Processing con FlinkWorkshop híbrido: Stream Processing con Flink
Workshop híbrido: Stream Processing con Flink
confluent
 
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...
confluent
 
AWS Immersion Day Mapfre - Confluent
AWS Immersion Day Mapfre - ConfluentAWS Immersion Day Mapfre - Confluent
AWS Immersion Day Mapfre - Confluent
confluent
 
Eventos y Microservicios - Santander TechTalk
Eventos y Microservicios - Santander TechTalkEventos y Microservicios - Santander TechTalk
Eventos y Microservicios - Santander TechTalk
confluent
 
Q&A with Confluent Experts: Navigating Networking in Confluent Cloud
Q&A with Confluent Experts: Navigating Networking in Confluent CloudQ&A with Confluent Experts: Navigating Networking in Confluent Cloud
Q&A with Confluent Experts: Navigating Networking in Confluent Cloud
confluent
 
Citi TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep DiveCiti TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep Dive
confluent
 
Build real-time streaming data pipelines to AWS with Confluent
Build real-time streaming data pipelines to AWS with ConfluentBuild real-time streaming data pipelines to AWS with Confluent
Build real-time streaming data pipelines to AWS with Confluent
confluent
 
Q&A with Confluent Professional Services: Confluent Service Mesh
Q&A with Confluent Professional Services: Confluent Service MeshQ&A with Confluent Professional Services: Confluent Service Mesh
Q&A with Confluent Professional Services: Confluent Service Mesh
confluent
 
Citi Tech Talk: Event Driven Kafka Microservices
Citi Tech Talk: Event Driven Kafka MicroservicesCiti Tech Talk: Event Driven Kafka Microservices
Citi Tech Talk: Event Driven Kafka Microservices
confluent
 
Confluent & GSI Webinars series - Session 3
Confluent & GSI Webinars series - Session 3Confluent & GSI Webinars series - Session 3
Confluent & GSI Webinars series - Session 3
confluent
 
Citi Tech Talk: Messaging Modernization
Citi Tech Talk: Messaging ModernizationCiti Tech Talk: Messaging Modernization
Citi Tech Talk: Messaging Modernization
confluent
 
Citi Tech Talk: Data Governance for streaming and real time data
Citi Tech Talk: Data Governance for streaming and real time dataCiti Tech Talk: Data Governance for streaming and real time data
Citi Tech Talk: Data Governance for streaming and real time data
confluent
 
Confluent & GSI Webinars series: Session 2
Confluent & GSI Webinars series: Session 2Confluent & GSI Webinars series: Session 2
Confluent & GSI Webinars series: Session 2
confluent
 
Data In Motion Paris 2023
Data In Motion Paris 2023Data In Motion Paris 2023
Data In Motion Paris 2023
confluent
 
Confluent Partner Tech Talk with Synthesis
Confluent Partner Tech Talk with SynthesisConfluent Partner Tech Talk with Synthesis
Confluent Partner Tech Talk with Synthesis
confluent
 

More from confluent (20)

Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Era
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Santander Stream Processing with Apache Flink
Santander Stream Processing with Apache FlinkSantander Stream Processing with Apache Flink
Santander Stream Processing with Apache Flink
 
Unlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insightsUnlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insights
 
Workshop híbrido: Stream Processing con Flink
Workshop híbrido: Stream Processing con FlinkWorkshop híbrido: Stream Processing con Flink
Workshop híbrido: Stream Processing con Flink
 
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...
 
AWS Immersion Day Mapfre - Confluent
AWS Immersion Day Mapfre - ConfluentAWS Immersion Day Mapfre - Confluent
AWS Immersion Day Mapfre - Confluent
 
Eventos y Microservicios - Santander TechTalk
Eventos y Microservicios - Santander TechTalkEventos y Microservicios - Santander TechTalk
Eventos y Microservicios - Santander TechTalk
 
Q&A with Confluent Experts: Navigating Networking in Confluent Cloud
Q&A with Confluent Experts: Navigating Networking in Confluent CloudQ&A with Confluent Experts: Navigating Networking in Confluent Cloud
Q&A with Confluent Experts: Navigating Networking in Confluent Cloud
 
Citi TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep DiveCiti TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep Dive
 
Build real-time streaming data pipelines to AWS with Confluent
Build real-time streaming data pipelines to AWS with ConfluentBuild real-time streaming data pipelines to AWS with Confluent
Build real-time streaming data pipelines to AWS with Confluent
 
Q&A with Confluent Professional Services: Confluent Service Mesh
Q&A with Confluent Professional Services: Confluent Service MeshQ&A with Confluent Professional Services: Confluent Service Mesh
Q&A with Confluent Professional Services: Confluent Service Mesh
 
Citi Tech Talk: Event Driven Kafka Microservices
Citi Tech Talk: Event Driven Kafka MicroservicesCiti Tech Talk: Event Driven Kafka Microservices
Citi Tech Talk: Event Driven Kafka Microservices
 
Confluent & GSI Webinars series - Session 3
Confluent & GSI Webinars series - Session 3Confluent & GSI Webinars series - Session 3
Confluent & GSI Webinars series - Session 3
 
Citi Tech Talk: Messaging Modernization
Citi Tech Talk: Messaging ModernizationCiti Tech Talk: Messaging Modernization
Citi Tech Talk: Messaging Modernization
 
Citi Tech Talk: Data Governance for streaming and real time data
Citi Tech Talk: Data Governance for streaming and real time dataCiti Tech Talk: Data Governance for streaming and real time data
Citi Tech Talk: Data Governance for streaming and real time data
 
Confluent & GSI Webinars series: Session 2
Confluent & GSI Webinars series: Session 2Confluent & GSI Webinars series: Session 2
Confluent & GSI Webinars series: Session 2
 
Data In Motion Paris 2023
Data In Motion Paris 2023Data In Motion Paris 2023
Data In Motion Paris 2023
 
Confluent Partner Tech Talk with Synthesis
Confluent Partner Tech Talk with SynthesisConfluent Partner Tech Talk with Synthesis
Confluent Partner Tech Talk with Synthesis
 

Recently uploaded

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 

Recently uploaded (20)

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 

Apache Kafka® Security Overview

  • 1. Apache Kafka Security Overview Sven Erik Knop, Senior Solutions Architect
  • 2. Who am I? • Sven Erik Knop • Senior Solutions Architect • Architect, Developer, Presenter • @sven_erik_knop 2
  • 4. Reminder: What is Apache Kafka? • Distributed, fault-tolerant and immutable log • Use cases • Publish-subscribe queue • ETL (Extract, Transform, Load) • Event streaming platform • Rich infrastructure through connectors and language APIs • Open Source, with enterprise support and enhancements through companies like Confluent 4
  • 5. 5 Apache Kafka before security (<0.9) ¡ Kafka is infrastructure hidden behind the firewall ¡ Servers within the network are implicitly trusted ¡ No governance required (or possible)
  • 6. New challenges Multi-tenancy Topics with sensitive or confidential data Regulatory requirements
  • 7. Security Features added in Kafka 0.9 Encryption Authentication Authorization Connection to ZooKeeper
  • 8. Encryption 8 Encryption in flight TLS = Transport Layer Encryption Encryption at rest OS or file system feature End-to-End encryption Needs to be built into the producers and consumers
  • 9. Encryption via TLS (Transport Layer Security) Prevents eavesdropping Prevents man- in-the-middle attacks Industry- standard encryption Broker certificate signed by either • External, well-known Certificate Authority (CA) – GlobalSign, Let’s Encrypt … • Internal CA, with clients using a truststore to verify its identity security.protocol=SSL (instead of the default PLAINTEXT) ssl.endpoint.identification.algorithm=https
  • 10. TLS Mutual Authentication If enabled, provides trust into client connections Principal is used for authorization Certificates signed by trusted authority (CA) Clients additionally use a keystore to provide their own identity
  • 11. SASL (Simple Authentication and Security Layer) 11 Framework for authentication and data security Decouples authentication mechanisms from the application protocols Common interface for different implementations
  • 12. SASL Implementations 12 Implementation Class Comments PLAIN org.apache.kafka.common.security.plain.PlainLoginModule Username/Password SCRAM org.apache.kafka.common.security.scram.ScramLoginModule SCRAM_SHA_(256|512) GSSAPI com.sun.security.auth.module.Krb5LoginModule Kerberos OAUTHBEARER org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule Token based used for RBAC security.protocol = SASL_PLAINTEXT | SASL_SSL sasl.mechanism = PLAIN | SCRAM_SHA_256 | SCRAM_SHA_512 | GSSAPI | OAUTHBEARER Configured in the brokers and the clients through a JAAS file
  • 13. JAAS 13 • Java Authentication and Authorization Service • For services (Kafka, ZooKeeper) grouped by section names • KafkaServer • KafkaClient • Server (for ZooKeeper Server) • Client (for ZooKeeper Client, e.g. Kafka) • Alternatively, specify as a property KafkaServer { org.apache.kafka.common.security.scram.ScramLoginModule required username="kafka" password="kafka"; }; Client { org.apache.zookeeper.server.auth.DigestLoginModule required username="admin" password=”admin-secret"; }; sasl.mechanism=SCRAM-SHA-256 security.protocol=SASL_PLAINTEXT sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="producer" password="producer-secret";
  • 14. sasl.mechanism=PLAIN • Username/Password • Broker • By default, holds a list of username/password in the SASL config file • Requires rolling restart when users are added or deleted • Can be overwritten, for example • listener.name.sasl_plaintext.plain.sasl.server.callback.handler.class= io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler • Client sasl.mechanism=PLAIN security.protocol=SASL_PLAINTEXT sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="alice" password="alice-secret" ;
  • 15. SCRAM • Salted Challenge Response Authentication Mechanism • Users and passwords are stored in ZooKeeper • Dynamic configuration through kafka-configs • Different encryption levels (SHA-256, SHA-512) • CAVEAT: Need to add any super user as an entity as well kafka-configs --zookeeper zookeeper:2182 --alter --add-config 'SCRAM-SHA-256=[password=xxxxx],SCRAM-SHA-512=[password=xxxxx]' --entity-type users --entity-name producer sasl.mechanism=SCRAM-SHA-256 security.protocol=SASL_PLAINTEXT sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="producer" password=”xxxxx";
  • 16. Kerberos • Network authentication protocol created by the MIT • sasl.enabled.mechanisms=GSSAPI • Generic Security Service Application Program Interface • External Key Distribution Center (KDC) • Service (Broker, ZooKeeper …) registers itself • sasl.kerberos.service.name must match principal • Default service names are ‘kafka’, ‘zookeeper’
  • 17. Kerberos client • Either: create a ticket with kinit (login) • Or: provide the keytab location and the principal name • List existing tickets with klist sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka_client.keytab" principal="kafkaclient1@EXAMPLE.COM";
  • 18. Authorization via ACLS (Access Control Lists) Permission to access or modify resources like Topics Clusters Consumer Groups All, Literal and Prefix Allow and deny access Stored in ZooKeeper
  • 19. ACL for users 19 •kafka-acls •Can check in ZooKeeper directly ACLs are stored in ZooKeeper •Topic, Cluster, Group, TransactionId, DelegationToken •(Principal, PermissionType, Operation, Host) ACLs defined for •Confluent extension to use Group:<group-name> set in LDAP Principal for users is User:<user-name> Can use resource name ‘*’ for catch all •--resource-pattern-type prefixed (default is literal) To specify a subset of resources with the same prefix, use
  • 20. Securing ZooKeeper • Authentication • SASL • Digest • Kerberos • Authorization • Securing your nodes through Kafka • zookeeper.set.acl=true • Migrating from a non-secured node • zookeeper-security-migration
  • 21. Kafka Infrastructure Schema Registry Connect Control Center KSQL REST Proxy REST Clients
  • 22. Challenge • Clients directly connected to the brokers use SASL or mutual auth for authentication • Tools like KSQL or Connect are connected using a single user with that user’s permissions • ASK: Users of these tools need their own authentication and propagate their credentials Schema RegistryREST Client SR UserREST User REST User
  • 23. The Need for A Unified Approach • Requirements • Services connect to Kafka using TLS Mutual Auth or SASL • External access via REST needs to impersonate an internal user • Want • Single service to assign roles • Changes need to be traceable (ZooKeeper does not keep a log)
  • 24. RBAC – Role Based Access Control (Pre-defined) roles can be assigned to users or groups for a resource Stored in a Kafka topic accessed via a new Kafka interface, the MDS (Meta Data Service) Requires Confluent Server instead of Apache Kafka User authentication backed by LDAP Authorized users are given an OATHBEARER Token to identify themselves
  • 25. Roles 25 Administration roles (SystemAdmin, ClusterAdmin, UserAdmin, …) Operators ResourceOwners Developers
  • 26. Roles Assignment to User/Group CLI API CONTROL CENTER Group membership management via LDAP
  • 28. Schema Registry, Connect, KSQL, REST Proxy • Standard REST username/password security (from LDAP) • MDS Server provides OAUTHBEARER token • Credentials are propagated
  • 29. RBAC Key Benefits 29 Key Benefits Over Traditional ZK ACLs: • Efficiency with Scale • Confluent Platform-wide security • Authorization at scale - with predefined Roles and LDAP Groups as Principals • Manage multiple clusters from 1 central location • Increased Granular Policies • Connector level access control. • Granular access for Control Center users • On top of the Topic and SR Subjects • Improved Multi-Tenancy support • Items without access do not show • Delegation of Administration Responsibilities
  • 30. Requirements • Confluent Server >= CP 5.4 • LDAP (Usually Microsoft Active Directory) for • User authentication (usually Username/Password SIMPLE BIND) • Group membership for authorization • All services configured with • sasl.enabled.mechanism=OAUTHBEARER • sasl.login.callback.handler.class= io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler • metadata.bootstrap.server.urls=http://mds-server:8090 • Do not configure standard producers/consumer/streams with OAUTHBEARER • Unsupported • Would require access to MDS server 30
  • 31. Summary • Security is an important feature of a streaming platform • Encryption and ACLs provide security for clients directly accessing the Kafka brokers • RBAC adds a unified authentication and authorization interface for services around Kafka
  • 32. Further reading • https://docs.confluent.io/current/security/security_tutorial.html • https://docs.confluent.io/current/security/rbac/index.html 32