Kafka Security 101
& Real World Tips
Stephane Maarek - DataCumulus
My Kafka Security Journey
Stephane, implement Kafka Security!
Who am I?
• I’m Stephane!
• Consultant & Solution Architect at DataCumulus
• Apache Kafka Series Video Courses on Udemy
• Full production deployments (with security)
• You can find me on
• GitHub: https://github.com/simplesteph
• LinkedIn: https://www.linkedin.com/in/stephanemaarek
• Medium: https://medium.com/@stephane.maarek
• Twitter: https://twitter.com/stephanemaarek
• Udemy: https://udemy.com/stephane-maarek
Who has not secured Kafka?
Kafka without Security is RISKY
5 disastrous scenarios
1. Read all your data
2. Write to any topic and break your consumers
3. Intercept and read plaintext network packets
4. Delete all your Kafka data in one command without SSH
5. Kafka Connect? Database Credentials are in a Kafka Topic, plaintext
You need Kafka Security
If you intend to make Kafka a cornerstone of your infrastructure
What’s Kafka Security?
Disclaimer: the source of truth is always the documentation
Kafka Security in three words
Encryption
Authentication
Authorization
Encryption in Kafka
• SSL encryption = secure communications
• Similar to HTTPS
[Diagram: a Kafka client (producer / consumer) talking to the Kafka brokers on port 9093 (SSL) sends its "super secret message" as encrypted data; the same client on port 9092 (PLAINTEXT) sends it in the clear]
SSL, Concretely?
• Create a Certificate Authority (CA)
• Generate certificates for your brokers, sign them
• Make sure your broker and clients trust the CA Root.
ssl.keystore.location=/home/ubuntu/ssl/kafka.server.keystore.jks
ssl.keystore.password=serversecret
ssl.key.password=serversecret
ssl.truststore.location=/home/ubuntu/ssl/kafka.server.truststore.jks
ssl.truststore.password=serversecret
SSL in the Real World
• SSL lowers the performance of your brokers
• You lose the zero-copy optimization
• Kafka heap usage increases
• CPU usage increases
• SSL only encrypts data in flight
• Data at rest sits unencrypted on the Kafka disks
What about end-to-end encryption?
• Closed source: Apple
• Open source:
• https://github.com/Quicksign/kafka-encryption
• https://github.com/nucypher/kafka-oss
• POC in progress at DataCumulus
[Diagram: the producer encrypts the data before sending it, Kafka stores and transports it as encrypted data over a PLAINTEXT listener, and the consumer decrypts it after receiving it]
Check Point
Encryption
Authentication
Authorization
Authentication in Kafka
• Clients need to have and prove their identity
• ~= Login (username / password or token)
[Diagram: the Kafka client sends authentication data to the Kafka broker, the broker verifies it, and the client is authenticated]
99 Forms Of Authentication
But Easy Ain’t One
• SSL authentication: two-way (mutual) TLS client authentication
• SASL (Simple Authentication and Security Layer):
• SASL/GSSAPI (Kerberos) – v0.9.0.0+ - Enterprises (Microsoft AD)
• SASL/PLAIN – v0.10.0.0+ - Passwords hardcoded in broker
• SASL/SCRAM-SHA-256/512 – v0.10.2.0+ - Passwords in Zookeeper (secure it)
• SASL/OAUTHBEARER – v2.0+ - Leverage OAuth 2
• Write your own (contribute back!)
• Extend SASL/PLAIN and SASL/SCRAM with KIP-86 (change credentials store)
• Real world advice:
choose the authentication mechanism you already have in your enterprise
Take-aways from the battlefield
• SSL authentication makes it really hard to revoke a client's access
• SASL (Simple Authentication and Security Layer) is not simple (YMMV)
• Kerberos is by far the hardest to set up right. Errors are cryptic
• This is the most challenging part of the Kafka security journey
Authentication in Kerberos, concretely?
1. Create Kerberos or use Active Directory
2. Ensure Kafka servers have correct CNAME & hostname
3. Generate credentials for the brokers
4. Generate KeyTabs for the brokers from the credentials
5. Create a JAAS file:
KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/tmp/kafka.service.keytab"
principal="kafka/<<KAFKA-SERVER-INTERNAL-DNS>>@KAFKA.SECURE";
};
Authentication in Kerberos, concretely?
Continued…
• Start Kafka with the Java option that references the JAAS file
• Add properties to Kafka:
advertised.listeners=SASL_SSL://<<KAFKA-SERVER-DNS>>:9094
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka
• Start Kafka
• Pray!
Real-World Tips: Authentication
• Turn on DEBUG log during setup!
• Go slow
• Ensure CNAME and PTR records are correct
• Scrap everything and start over: it can sometimes solve issues
• Automate
Almost there…
Encryption
Authentication
Authorization
Authorisation in Kafka
• Kafka knows our client’s identity
• + Authorization rules:
• "User alice can read topic finance"
• "User bob cannot write topic trucks"
• = Security
• ACL (Access Control Lists) have to be maintained by administrators
ACLs, where are they?
• Default: ACLs are stored in Zookeeper
• Must secure Zookeeper (network rules or authentication)
• OR write your own authorizer (AD, LDAP, a database, Kafka…)
Managing ACLs
Producers
• Adding permissions:
~/kafka/bin/kafka-acls.sh \
  --authorizer-properties zookeeper.connect=<<ZOOKEEPER-DNS>>:2181 \
  --add --allow-principal User:myproducer --operation Write --topic mytopic
• Shortcut for producers:
~/kafka/bin/kafka-acls.sh \
  --authorizer-properties zookeeper.connect=<<ZOOKEEPER-DNS>>:2181 \
  --add --allow-principal User:myproducer --producer --topic mytopic
Managing ACLs
Consumers
• Adding permissions (a consumer needs Read on the topic and Read on its group):
~/kafka/bin/kafka-acls.sh \
  --authorizer-properties zookeeper.connect=<<ZOOKEEPER-DNS>>:2181 \
  --add --allow-principal User:myconsumer --operation Read --topic mytopic
~/kafka/bin/kafka-acls.sh \
  --authorizer-properties zookeeper.connect=<<ZOOKEEPER-DNS>>:2181 \
  --add --allow-principal User:myconsumer --operation Read --group mygroup
• Shortcut for consumers:
~/kafka/bin/kafka-acls.sh \
  --authorizer-properties zookeeper.connect=<<ZOOKEEPER-DNS>>:2181 \
  --add --allow-principal User:myconsumer --consumer --topic mytopic --group mygroup
Managing ACLs at Scale?
• Look into Kafka Security Manager
(https://github.com/simplesteph/kafka-security-manager)
Real World Tips on ACLs
• Authorisation denials will be logged as INFO in the Kafka log.
• Define your brokers as super users
• Careful with: allow.everyone.if.no.acl.found=true
• ACLs can be applied to:
• Topics: Create, Read, Describe, Write, etc…
• Groups: Read, Write, Describe
• Cluster: DescribeConfigs, AlterConfigs, Create
• Wildcards are supported since Kafka 2.0! (useful for Kafka Streams)
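Since denials land in the broker log at INFO, they are the first thing to alert on once ACLs are live. As an added example (not from the talk or from Kafka's tooling), the parser below reads lines in the format emitted by Kafka's kafka.authorizer.logger, counts repeated denials per principal and resource, and singles out denials for User:ANONYMOUS, the identity Kafka assigns to clients on an unauthenticated listener; the log lines are constructed for this example.

```python
import re
from collections import Counter

# Shape of a kafka.authorizer.logger decision line (allowed decisions are logged at
# DEBUG by default, denials at INFO). Resource is "Topic:trucks" before Kafka 2.0 and
# "Topic:LITERAL:trucks" from 2.0 on; \S+ accepts both.
AUTHZ_LINE = re.compile(
    r"\[(?P<ts>[^\]]+)\] INFO Principal = (?P<principal>\S+) is (?P<decision>Allowed|Denied) "
    r"Operation = (?P<operation>\S+) from host = (?P<host>\S+) "
    r"on resource = (?P<resource>\S+)"
)

# Constructed sample log: not taken from a real cluster.
SAMPLE_LOG = """\
[2018-10-01 09:00:01,100] INFO Principal = User:alice is Allowed Operation = Read from host = 10.0.1.10 on resource = Topic:LITERAL:finance (kafka.authorizer.logger)
[2018-10-01 09:00:02,200] INFO Principal = User:bob is Denied Operation = Write from host = 10.0.1.22 on resource = Topic:LITERAL:trucks (kafka.authorizer.logger)
[2018-10-01 09:00:02,300] INFO Principal = User:bob is Denied Operation = Write from host = 10.0.1.22 on resource = Topic:LITERAL:trucks (kafka.authorizer.logger)
[2018-10-01 09:00:03,400] INFO Principal = User:ANONYMOUS is Denied Operation = Describe from host = 192.168.5.7 on resource = Cluster:LITERAL:kafka-cluster (kafka.authorizer.logger)
[2018-10-01 09:00:04,500] INFO [Controller id=1] Processing automatic preferred replica leader election (kafka.controller.KafkaController)
"""


def parse_authorizer_log(text):
    """Yield one dict per authorizer decision; unrelated broker log lines are skipped."""
    for line in text.splitlines():
        match = AUTHZ_LINE.search(line)
        if match:
            yield match.groupdict()


def summarize_denials(text, threshold=2):
    """Count denials per (principal, operation, resource); return those seen >= threshold times.

    A principal repeatedly denied the same operation is either a misconfigured
    application missing an ACL or something probing the cluster: both deserve a ticket.
    """
    counts = Counter()
    for event in parse_authorizer_log(text):
        if event["decision"] == "Denied":
            counts[(event["principal"], event["operation"], event["resource"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def anonymous_denials(text):
    """Denials for User:ANONYMOUS mean an unauthenticated client reached a broker listener."""
    return [event for event in parse_authorizer_log(text)
            if event["decision"] == "Denied" and event["principal"] == "User:ANONYMOUS"]


if __name__ == "__main__":
    print(summarize_denials(SAMPLE_LOG))
    print(anonymous_denials(SAMPLE_LOG))
```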
Cluster Security
[Diagram: clients talk to the brokers over SASL_SSL, the brokers talk to each other over SASL_SSL, and the Kafka cluster talks to the Zookeeper cluster over SASL]
Kafka Server is Secured! Done?
Encryption
Authentication
Authorization
Security Journey
Continued…
Stephane, secure Kafka Clients!
[Diagram: broker security on one side, client security on the other, and YOU in between]
Kafka Client Security is the real challenge
• Technical Challenge:
• Java Clients: easy
• Non Java Clients: please use a client that wraps librdkafka
• People Challenge:
• Kafka Administrator: I’m a security guru! But I don’t want to secure all the apps
• Kafka Developer: wt* is security?
Client Security in Java
security.protocol=SASL_SSL
sasl.kerberos.service.name=kafka
ssl.truststore.location=/home/kafka/ssl/kafka.client.truststore.jks
ssl.truststore.password=clientpass
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
  useKeyTab=true \
  storeKey=true \
  useTicketCache=false \
  keyTab="/etc/security/keytabs/client.service.keytab" \
  principal="clientusername";
• It’s not fun
• It’s not easy
• It’s error prone
Kafka Clients are not tailored to your security needs
• Observation 1: Default Kafka clients expose every security option
• Observation 2: Your enterprise will only have one security setup
• Observation 3: Every client security configuration will look the same
• Take-away: don’t use the default Kafka clients
Real World Advice #1
Distribute your own wrapped Kafka Clients
• Developers love nice APIs:
• Standardized applications
• No copy and paste errors
• Centralized debugging
• Reduced learning curve for devs
new MyCorpKafkaProducer(bootstrapServers, keySerializer, valueSerializer)
.withSSL(sslEnabled, pathToTrustStore)
.withAuth(authEnabled, pathToKeyTab, usernameOrPrincipal)
.withSchemaRegistry(url)
.withExtraProperties(properties)
.build()
Real World Advice #2
Create a Kafka Client Base Docker Image
Security at scale goes hand in hand with consistency.
• Embed modified Java Truststore
• Standard Retrieval of SSL certificates
• Standard Retrieval of Credentials from Vault / Secure Store
• Kafka environment switches, Security switches
• Bootstrap Server Discovery & Schema Registry Discovery
• Extend to Kafka Connect & Schema Registry
Real World Advice #3
Make a checklist before going to prod
• What’s the application username?
• Are all ACLs listed and created?
• Is the application using the MyCorp Kafka clients?
• Is the application running in the standardized Docker Container?
• Are quotas defined for this application?
• Is the application monitored?
• …Check? Release!
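Several checklist items can be enforced mechanically before release. As an added example (not from the talk or from Kafka's own tooling), the lint below reads an application's client .properties file and flags the settings this deck warns about: a PLAINTEXT or SASL_PLAINTEXT protocol, a missing truststore, disabled hostname verification, Kerberos without a service name, and a SASL password hardcoded in the file instead of fetched from Vault. The sample configurations are constructed; the first one is the client config shown earlier in the deck.

```python
# Added example: a pre-production lint of Kafka client properties. The rules and the
# sample properties below are constructed for this page, not part of Kafka or Confluent.

def parse_properties(text):
    """Minimal Java .properties reader: '#' comments, key=value, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:          # trailing "" flushes a final continuation
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def lint_client_config(props):
    """Return a list of findings; an empty list means the config passes this checklist."""
    findings = []
    protocol = props.get("security.protocol", "PLAINTEXT")          # Kafka's client default
    if protocol == "PLAINTEXT":
        findings.append("security.protocol=PLAINTEXT: no encryption and no authentication")
    elif protocol == "SASL_PLAINTEXT":
        findings.append("SASL_PLAINTEXT: credentials and data cross the network unencrypted")
    if protocol.endswith("SSL"):
        if not props.get("ssl.truststore.location"):
            findings.append("ssl.truststore.location missing: the client cannot verify the broker CA")
        if props.get("ssl.endpoint.identification.algorithm", "https") == "":   # default since Kafka 2.0
            findings.append("hostname verification disabled (ssl.endpoint.identification.algorithm is empty)")
    if protocol.startswith("SASL"):
        mechanism = props.get("sasl.mechanism", "GSSAPI")            # Kafka's client default
        jaas = props.get("sasl.jaas.config", "")
        if not jaas:
            findings.append("sasl.jaas.config missing: no credentials configured for %s" % mechanism)
        if mechanism == "GSSAPI" and not props.get("sasl.kerberos.service.name"):
            findings.append("sasl.kerberos.service.name missing: Kerberos cannot locate the broker principal")
        if mechanism in ("PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512") and 'password="' in jaas:
            findings.append("password hardcoded in sasl.jaas.config: fetch it from Vault / a secure store")
    return findings


# Constructed sample: the Kerberos client config from the deck, as a valid .properties file.
CLIENT_OK = """\
security.protocol=SASL_SSL
sasl.kerberos.service.name=kafka
ssl.truststore.location=/home/kafka/ssl/kafka.client.truststore.jks
ssl.truststore.password=clientpass
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \\
  useKeyTab=true storeKey=true useTicketCache=false \\
  keyTab="/etc/security/keytabs/client.service.keytab" principal="clientusername";
"""

# Constructed sample: the quickstart config that tends to get copied into production.
CLIENT_QUICKSTART = """\
bootstrap.servers=kafka1:9092
security.protocol=PLAINTEXT
"""
```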
Next steps
Where to take your learning from here!
Okay, I want to implement security!
What’s next?
• Read the docs:
• Kafka Documentation: https://kafka.apache.org/documentation/#security
• Confluent Documentation: https://docs.confluent.io/current/security.html
• Read some blogs:
• https://medium.com/@stephane.maarek/introduction-to-apache-kafka-security-c8951d410adf
• https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
• Video Course:
• Confluent YouTube: https://www.youtube.com/watch?v=MsQo-yoVleU&t=21s
• Udemy: https://www.udemy.com/apache-kafka-security (coupon KAFKASUMMIT18)
Thank you!
Any questions?

Paris FOD meetup - kafka security 101