SlideShare ist ein Scribd-Unternehmen logo

Apache Kafka® Security Overview

confluent
confluent

Apache Kafka® Security Overview, Sven Erik Knop, Senior Solutions Architect, Confluent https://www.meetup.com/Dublin-Apache-Kafka-Meetup-by-Confluent/events/273462098/

Technologie
1 von 34
Apache Kafka Security Overview Sven Erik Knop, Senior Solutions Architect
Who am I? • Sven Erik Knop • Senior Solutions Architect • Architect, Developer, Presenter • @sven_erik_knop 2
Agenda 3 Why security? Implementation Encryption Authentication Authorization RBAC Why RBAC? Implementation Impact
Reminder: What is Apache Kafka? • Distributed, fault-tolerant and immutable log • Use cases • Publish-subscribe queue • ETL (Extract, Transform, Load) • Event streaming platform • Rich infrastructure through connectors and language APIs • Open Source, with enterprise support and enhancements through companies like Confluent 4
5 Apache Kafka before security (<0.9) ¡ Kafka is infrastructure hidden behind the firewall ¡ Servers within the network are implicitly trusted ¡ No governance required (or possible)
New challenges Multi-tenancy Topics with sensitive or confidential data Regulatory requirements
Security Features added in Kafka 0.9 Encryption Authentication Authorization Connection to ZooKeeper
Encryption 8 Encryption in flight TLS = Transport Layer Encryption Encryption at rest OS or file system feature End-to-End encryption Needs to be built into the producers and consumers
Encryption via TLS (Transport Layer Security) Prevents eavesdropping Prevents man- in-the-middle attacks Industry- standard encryption Broker certificate signed by either • External, well-known Certificate Authority (CA) – GlobalSign, Let’s Encrypt … • Internal CA, with clients using a truststore to verify its identity security.protocol=SSL (instead of the default PLAINTEXT) ssl.endpoint.identification.algorithm=https
TLS Mutual Authentication If enabled, provides trust into client connections Principal is used for authorization Certificates signed by trusted authority (CA) Clients additionally use a keystore to provide their own identity
SASL (Simple Authentication and Security Layer) 11 Framework for authentication and data security Decouples authentication mechanisms from the application protocols Common interface for different implementations
SASL Implementations 12 Implementation Class Comments PLAIN org.apache.kafka.common.security.plain.PlainLoginModule Username/Password SCRAM org.apache.kafka.common.security.scram.ScramLoginModule SCRAM_SHA_(256|512) GSSAPI com.sun.security.auth.module.Krb5LoginModule Kerberos OAUTHBEARER org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule Token based used for RBAC security.protocol = SASL_PLAINTEXT | SASL_SSL sasl.mechanism = PLAIN | SCRAM_SHA_256 | SCRAM_SHA_512 | GSSAPI | OAUTHBEARER Configured in the brokers and the clients through a JAAS file
JAAS 13 • Java Authentication and Authorization Service • For services (Kafka, ZooKeeper) grouped by section names • KafkaServer • KafkaClient • Server (for ZooKeeper Server) • Client (for ZooKeeper Client, e.g. Kafka) • Alternatively, specify as a property KafkaServer { org.apache.kafka.common.security.scram.ScramLoginModule required username="kafka" password="kafka"; }; Client { org.apache.zookeeper.server.auth.DigestLoginModule required username="admin" password=”admin-secret"; }; sasl.mechanism=SCRAM-SHA-256 security.protocol=SASL_PLAINTEXT sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="producer" password="producer-secret";
sasl.mechanism=PLAIN • Username/Password • Broker • By default, holds a list of username/password in the SASL config file • Requires rolling restart when users are added or deleted • Can be overwritten, for example • listener.name.sasl_plaintext.plain.sasl.server.callback.handler.class= io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler • Client sasl.mechanism=PLAIN security.protocol=SASL_PLAINTEXT sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="alice" password="alice-secret" ;
SCRAM • Salted Challenge Response Authentication Mechanism • Users and passwords are stored in ZooKeeper • Dynamic configuration through kafka-configs • Different encryption levels (SHA-256, SHA-512) • CAVEAT: Need to add any super user as an entity as well kafka-configs --zookeeper zookeeper:2182 --alter --add-config 'SCRAM-SHA-256=[password=xxxxx],SCRAM-SHA-512=[password=xxxxx]' --entity-type users --entity-name producer sasl.mechanism=SCRAM-SHA-256 security.protocol=SASL_PLAINTEXT sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="producer" password=”xxxxx";
Kerberos • Network authentication protocol created by the MIT • sasl.enabled.mechanisms=GSSAPI • Generic Security Service Application Program Interface • External Key Distribution Center (KDC) • Service (Broker, ZooKeeper …) registers itself • sasl.kerberos.service.name must match principal • Default service names are ‘kafka’, ‘zookeeper’
Kerberos client • Either: create a ticket with kinit (login) • Or: provide the keytab location and the principal name • List existing tickets with klist sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka_client.keytab" principal="kafkaclient1@EXAMPLE.COM";
Authorization via ACLS (Access Control Lists) Permission to access or modify resources like Topics Clusters Consumer Groups All, Literal and Prefix Allow and deny access Stored in ZooKeeper
ACL for users 19 •kafka-acls •Can check in ZooKeeper directly ACLs are stored in ZooKeeper •Topic, Cluster, Group, TransactionId, DelegationToken •(Principal, PermissionType, Operation, Host) ACLs defined for •Confluent extension to use Group:<group-name> set in LDAP Principal for users is User:<user-name> Can use resource name ‘*’ for catch all •--resource-pattern-type prefixed (default is literal) To specify a subset of resources with the same prefix, use
Securing ZooKeeper • Authentication • SASL • Digest • Kerberos • Authorization • Securing your nodes through Kafka • zookeeper.set.acl=true • Migrating from a non-secured node • zookeeper-security-migration
Kafka Infrastructure Schema Registry Connect Control Center KSQL REST Proxy REST Clients
Challenge • Clients directly connected to the brokers use SASL or mutual auth for authentication • Tools like KSQL or Connect are connected using a single user with that user’s permissions • ASK: Users of these tools need their own authentication and propagate their credentials Schema RegistryREST Client SR UserREST User REST User
The Need for A Unified Approach • Requirements • Services connect to Kafka using TLS Mutual Auth or SASL • External access via REST needs to impersonate an internal user • Want • Single service to assign roles • Changes need to be traceable (ZooKeeper does not keep a log)
RBAC – Role Based Access Control (Pre-defined) roles can be assigned to users or groups for a resource Stored in a Kafka topic accessed via a new Kafka interface, the MDS (Meta Data Service) Requires Confluent Server instead of Apache Kafka User authentication backed by LDAP Authorized users are given an OATHBEARER Token to identify themselves
Roles 25 Administration roles (SystemAdmin, ClusterAdmin, UserAdmin, …) Operators ResourceOwners Developers
Roles Assignment to User/Group CLI API CONTROL CENTER Group membership management via LDAP
Confluent Control Center 27
Schema Registry, Connect, KSQL, REST Proxy • Standard REST username/password security (from LDAP) • MDS Server provides OAUTHBEARER token • Credentials are propagated
RBAC Key Benefits 29 Key Benefits Over Traditional ZK ACLs: • Efficiency with Scale • Confluent Platform-wide security • Authorization at scale - with predefined Roles and LDAP Groups as Principals • Manage multiple clusters from 1 central location • Increased Granular Policies • Connector level access control. • Granular access for Control Center users • On top of the Topic and SR Subjects • Improved Multi-Tenancy support • Items without access do not show • Delegation of Administration Responsibilities
Requirements • Confluent Server >= CP 5.4 • LDAP (Usually Microsoft Active Directory) for • User authentication (usually Username/Password SIMPLE BIND) • Group membership for authorization • All services configured with • sasl.enabled.mechanism=OAUTHBEARER • sasl.login.callback.handler.class= io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler • metadata.bootstrap.server.urls=http://mds-server:8090 • Do not configure standard producers/consumer/streams with OAUTHBEARER • Unsupported • Would require access to MDS server 30
Summary • Security is an important feature of a streaming platform • Encryption and ACLs provide security for clients directly accessing the Kafka brokers • RBAC adds a unified authentication and authorization interface for services around Kafka
Further reading • https://docs.confluent.io/current/security/security_tutorial.html • https://docs.confluent.io/current/security/rbac/index.html 32
Any questions? 33
Apache Kafka® Security Overview

Empfohlen

Introduction to Apache Kafka
Introduction to Apache KafkaIntroduction to Apache Kafka
Introduction to Apache KafkaJeff Holoman
 
ksqlDB: A Stream-Relational Database System
ksqlDB: A Stream-Relational Database SystemksqlDB: A Stream-Relational Database System
ksqlDB: A Stream-Relational Database Systemconfluent
 
Visualizing Kafka Security
Visualizing Kafka SecurityVisualizing Kafka Security
Visualizing Kafka SecurityDataWorks Summit
 
Apache Kafka Security
Apache Kafka Security Apache Kafka Security
Apache Kafka Security DataWorks Summit/Hadoop Summit
 
From Zero to Hero with Kafka Connect
From Zero to Hero with Kafka ConnectFrom Zero to Hero with Kafka Connect
From Zero to Hero with Kafka Connectconfluent
 
Producer Performance Tuning for Apache Kafka
Producer Performance Tuning for Apache KafkaProducer Performance Tuning for Apache Kafka
Producer Performance Tuning for Apache KafkaJiangjie Qin
 
Apache Kafka Fundamentals for Architects, Admins and Developers
Apache Kafka Fundamentals for Architects, Admins and DevelopersApache Kafka Fundamentals for Architects, Admins and Developers
Apache Kafka Fundamentals for Architects, Admins and Developersconfluent
 
Getting Started with Confluent Schema Registry
Getting Started with Confluent Schema RegistryGetting Started with Confluent Schema Registry
Getting Started with Confluent Schema Registryconfluent
 

Empfohlen

Introduction to Apache Kafka
Introduction to Apache KafkaIntroduction to Apache Kafka
Introduction to Apache KafkaJeff Holoman
 
ksqlDB: A Stream-Relational Database System
ksqlDB: A Stream-Relational Database SystemksqlDB: A Stream-Relational Database System
ksqlDB: A Stream-Relational Database Systemconfluent
 
Visualizing Kafka Security
Visualizing Kafka SecurityVisualizing Kafka Security
Visualizing Kafka SecurityDataWorks Summit
 
Apache Kafka Security
Apache Kafka Security Apache Kafka Security
Apache Kafka Security DataWorks Summit/Hadoop Summit
 
From Zero to Hero with Kafka Connect
From Zero to Hero with Kafka ConnectFrom Zero to Hero with Kafka Connect
From Zero to Hero with Kafka Connectconfluent
 
Producer Performance Tuning for Apache Kafka
Producer Performance Tuning for Apache KafkaProducer Performance Tuning for Apache Kafka
Producer Performance Tuning for Apache KafkaJiangjie Qin
 
Apache Kafka Fundamentals for Architects, Admins and Developers
Apache Kafka Fundamentals for Architects, Admins and DevelopersApache Kafka Fundamentals for Architects, Admins and Developers
Apache Kafka Fundamentals for Architects, Admins and Developersconfluent
 
Getting Started with Confluent Schema Registry
Getting Started with Confluent Schema RegistryGetting Started with Confluent Schema Registry
Getting Started with Confluent Schema Registryconfluent
 
An Introduction to Apache Kafka
An Introduction to Apache KafkaAn Introduction to Apache Kafka
An Introduction to Apache KafkaAmir Sedighi
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips confluent
 
Fundamentals of Apache Kafka
Fundamentals of Apache KafkaFundamentals of Apache Kafka
Fundamentals of Apache KafkaChhavi Parasher
 
kafka
kafkakafka
kafkaAmikam Snir
 
Introduction to Kafka Streams
Introduction to Kafka StreamsIntroduction to Kafka Streams
Introduction to Kafka StreamsGuozhang Wang
 
Integrating Apache Kafka Into Your Environment
Integrating Apache Kafka Into Your EnvironmentIntegrating Apache Kafka Into Your Environment
Integrating Apache Kafka Into Your Environmentconfluent
 
ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!Guido Schmutz
 
Kafka Tutorial: Kafka Security
Kafka Tutorial: Kafka SecurityKafka Tutorial: Kafka Security
Kafka Tutorial: Kafka SecurityJean-Paul Azar
 
Kafka Streams: What it is, and how to use it?
Kafka Streams: What it is, and how to use it?Kafka Streams: What it is, and how to use it?
Kafka Streams: What it is, and how to use it?confluent
 
Stream processing using Kafka
Stream processing using KafkaStream processing using Kafka
Stream processing using KafkaKnoldus Inc.
 
How to Build an Apache Kafka® Connector
How to Build an Apache Kafka® ConnectorHow to Build an Apache Kafka® Connector
How to Build an Apache Kafka® Connectorconfluent
 
Kafka Tutorial - Introduction to Apache Kafka (Part 1)
Kafka Tutorial - Introduction to Apache Kafka (Part 1)Kafka Tutorial - Introduction to Apache Kafka (Part 1)
Kafka Tutorial - Introduction to Apache Kafka (Part 1)Jean-Paul Azar
 
Kafka Streams State Stores Being Persistent
Kafka Streams State Stores Being PersistentKafka Streams State Stores Being Persistent
Kafka Streams State Stores Being Persistentconfluent
 
From Zero to Hero with Kafka Connect (Robin Moffat, Confluent) Kafka Summit L...
From Zero to Hero with Kafka Connect (Robin Moffat, Confluent) Kafka Summit L...From Zero to Hero with Kafka Connect (Robin Moffat, Confluent) Kafka Summit L...
From Zero to Hero with Kafka Connect (Robin Moffat, Confluent) Kafka Summit L...confluent
 
APACHE KAFKA / Kafka Connect / Kafka Streams
APACHE KAFKA / Kafka Connect / Kafka StreamsAPACHE KAFKA / Kafka Connect / Kafka Streams
APACHE KAFKA / Kafka Connect / Kafka StreamsKetan Gote
 
Apache Kafka at LinkedIn
Apache Kafka at LinkedInApache Kafka at LinkedIn
Apache Kafka at LinkedInDiscover Pinterest
 
How Apache Kafka® Works
How Apache Kafka® WorksHow Apache Kafka® Works
How Apache Kafka® Worksconfluent
 
Apache Kafka Introduction
Apache Kafka IntroductionApache Kafka Introduction
Apache Kafka IntroductionAmita Mirajkar
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka confluent
 
Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022
Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022
Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022HostedbyConfluent
 
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...HostedbyConfluent
 
Kafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WayKafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WaySaylor Twift
 

Weitere ähnliche Inhalte

Was ist angesagt?

An Introduction to Apache Kafka
An Introduction to Apache KafkaAn Introduction to Apache Kafka
An Introduction to Apache KafkaAmir Sedighi
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips confluent
 
Fundamentals of Apache Kafka
Fundamentals of Apache KafkaFundamentals of Apache Kafka
Fundamentals of Apache KafkaChhavi Parasher
 
Introduction to Kafka Streams
Introduction to Kafka StreamsIntroduction to Kafka Streams
Introduction to Kafka StreamsGuozhang Wang
 
Integrating Apache Kafka Into Your Environment
Integrating Apache Kafka Into Your EnvironmentIntegrating Apache Kafka Into Your Environment
Integrating Apache Kafka Into Your Environmentconfluent
 
ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!Guido Schmutz
 
Kafka Tutorial: Kafka Security
Kafka Tutorial: Kafka SecurityKafka Tutorial: Kafka Security
Kafka Tutorial: Kafka SecurityJean-Paul Azar
 
Kafka Streams: What it is, and how to use it?
Kafka Streams: What it is, and how to use it?Kafka Streams: What it is, and how to use it?
Kafka Streams: What it is, and how to use it?confluent
 
Stream processing using Kafka
Stream processing using KafkaStream processing using Kafka
Stream processing using KafkaKnoldus Inc.
 
How to Build an Apache Kafka® Connector
How to Build an Apache Kafka® ConnectorHow to Build an Apache Kafka® Connector
How to Build an Apache Kafka® Connectorconfluent
 
Kafka Tutorial - Introduction to Apache Kafka (Part 1)
Kafka Tutorial - Introduction to Apache Kafka (Part 1)Kafka Tutorial - Introduction to Apache Kafka (Part 1)
Kafka Tutorial - Introduction to Apache Kafka (Part 1)Jean-Paul Azar
 
Kafka Streams State Stores Being Persistent
Kafka Streams State Stores Being PersistentKafka Streams State Stores Being Persistent
Kafka Streams State Stores Being Persistentconfluent
 
From Zero to Hero with Kafka Connect (Robin Moffat, Confluent) Kafka Summit L...
From Zero to Hero with Kafka Connect (Robin Moffat, Confluent) Kafka Summit L...From Zero to Hero with Kafka Connect (Robin Moffat, Confluent) Kafka Summit L...
From Zero to Hero with Kafka Connect (Robin Moffat, Confluent) Kafka Summit L...confluent
 
APACHE KAFKA / Kafka Connect / Kafka Streams
APACHE KAFKA / Kafka Connect / Kafka StreamsAPACHE KAFKA / Kafka Connect / Kafka Streams
APACHE KAFKA / Kafka Connect / Kafka StreamsKetan Gote
 
How Apache Kafka® Works
How Apache Kafka® WorksHow Apache Kafka® Works
How Apache Kafka® Worksconfluent
 
Apache Kafka Introduction
Apache Kafka IntroductionApache Kafka Introduction
Apache Kafka IntroductionAmita Mirajkar
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka confluent
 
Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022
Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022
Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022HostedbyConfluent
 

Was ist angesagt? (20)

An Introduction to Apache Kafka
An Introduction to Apache KafkaAn Introduction to Apache Kafka
An Introduction to Apache Kafka
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
 
Fundamentals of Apache Kafka
Fundamentals of Apache KafkaFundamentals of Apache Kafka
Fundamentals of Apache Kafka
 
kafka
kafkakafka
kafka
 
Introduction to Kafka Streams
Introduction to Kafka StreamsIntroduction to Kafka Streams
Introduction to Kafka Streams
 
Integrating Apache Kafka Into Your Environment
Integrating Apache Kafka Into Your EnvironmentIntegrating Apache Kafka Into Your Environment
Integrating Apache Kafka Into Your Environment
 
ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!ksqlDB - Stream Processing simplified!
ksqlDB - Stream Processing simplified!
 
Kafka Tutorial: Kafka Security
Kafka Tutorial: Kafka SecurityKafka Tutorial: Kafka Security
Kafka Tutorial: Kafka Security
 
Kafka Streams: What it is, and how to use it?
Kafka Streams: What it is, and how to use it?Kafka Streams: What it is, and how to use it?
Kafka Streams: What it is, and how to use it?
 
Stream processing using Kafka
Stream processing using KafkaStream processing using Kafka
Stream processing using Kafka
 
How to Build an Apache Kafka® Connector
How to Build an Apache Kafka® ConnectorHow to Build an Apache Kafka® Connector
How to Build an Apache Kafka® Connector
 
Kafka Tutorial - Introduction to Apache Kafka (Part 1)
Kafka Tutorial - Introduction to Apache Kafka (Part 1)Kafka Tutorial - Introduction to Apache Kafka (Part 1)
Kafka Tutorial - Introduction to Apache Kafka (Part 1)
 
Kafka Streams State Stores Being Persistent
Kafka Streams State Stores Being PersistentKafka Streams State Stores Being Persistent
Kafka Streams State Stores Being Persistent
 
From Zero to Hero with Kafka Connect (Robin Moffat, Confluent) Kafka Summit L...
From Zero to Hero with Kafka Connect (Robin Moffat, Confluent) Kafka Summit L...From Zero to Hero with Kafka Connect (Robin Moffat, Confluent) Kafka Summit L...
From Zero to Hero with Kafka Connect (Robin Moffat, Confluent) Kafka Summit L...
 
APACHE KAFKA / Kafka Connect / Kafka Streams
APACHE KAFKA / Kafka Connect / Kafka StreamsAPACHE KAFKA / Kafka Connect / Kafka Streams
APACHE KAFKA / Kafka Connect / Kafka Streams
 
Apache Kafka at LinkedIn
Apache Kafka at LinkedInApache Kafka at LinkedIn
Apache Kafka at LinkedIn
 
How Apache Kafka® Works
How Apache Kafka® WorksHow Apache Kafka® Works
How Apache Kafka® Works
 
Apache Kafka Introduction
Apache Kafka IntroductionApache Kafka Introduction
Apache Kafka Introduction
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka
 
Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022
Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022
Schema Registry 101 with Bill Bejeck | Kafka Summit London 2022
 

Ähnlich wie Apache Kafka® Security Overview

Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...HostedbyConfluent
 
Kafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WayKafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WaySaylor Twift
 
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...confluent
 
New Security Features in Apache HBase 0.98: An Operator's Guide
New Security Features in Apache HBase 0.98: An Operator's GuideNew Security Features in Apache HBase 0.98: An Operator's Guide
New Security Features in Apache HBase 0.98: An Operator's GuideHBaseCon
 
How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safeconfluent
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Abdelkrim Hadjidj
 
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...Lucidworks
 
Protecting your data at rest with Apache Kafka by Confluent and Vormetric
Protecting your data at rest with Apache Kafka by Confluent and VormetricProtecting your data at rest with Apache Kafka by Confluent and Vormetric
Protecting your data at rest with Apache Kafka by Confluent and Vormetricconfluent
 
Deploying and Operating KSQL
Deploying and Operating KSQLDeploying and Operating KSQL
Deploying and Operating KSQLconfluent
 
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...confluent
 
Kafka Summit SF 2017 - Kafka Stream Processing for Everyone with KSQL
Kafka Summit SF 2017 - Kafka Stream Processing for Everyone with KSQLKafka Summit SF 2017 - Kafka Stream Processing for Everyone with KSQL
Kafka Summit SF 2017 - Kafka Stream Processing for Everyone with KSQLconfluent
 
Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)
Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)
Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)Kai Wähner
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Jose Manuel Ortega Candel
 
AKS Scurity - Cluster & Kubelet Access to services
AKS Scurity - Cluster & Kubelet Access to servicesAKS Scurity - Cluster & Kubelet Access to services
AKS Scurity - Cluster & Kubelet Access to servicesParisa Moosavinezhad
 
Architecting for Microservices Part 2
Architecting for Microservices Part 2Architecting for Microservices Part 2
Architecting for Microservices Part 2Elana Krasner
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
 
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.Opcito Technologies
 
Consensus in Apache Kafka: From Theory to Production.pdf
Consensus in Apache Kafka: From Theory to Production.pdfConsensus in Apache Kafka: From Theory to Production.pdf
Consensus in Apache Kafka: From Theory to Production.pdfGuozhang Wang
 

Ähnlich wie Apache Kafka® Security Overview (20)

Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
 
Kafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right WayKafka 2018 - Securing Kafka the Right Way
Kafka 2018 - Securing Kafka the Right Way
 
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
 
New Security Features in Apache HBase 0.98: An Operator's Guide
New Security Features in Apache HBase 0.98: An Operator's GuideNew Security Features in Apache HBase 0.98: An Operator's Guide
New Security Features in Apache HBase 0.98: An Operator's Guide
 
How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safe
 
Kafka Security
Kafka SecurityKafka Security
Kafka Security
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101
 
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
 
Protecting your data at rest with Apache Kafka by Confluent and Vormetric
Protecting your data at rest with Apache Kafka by Confluent and VormetricProtecting your data at rest with Apache Kafka by Confluent and Vormetric
Protecting your data at rest with Apache Kafka by Confluent and Vormetric
 
Deploying and Operating KSQL
Deploying and Operating KSQLDeploying and Operating KSQL
Deploying and Operating KSQL
 
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
 
Kafka Summit SF 2017 - Kafka Stream Processing for Everyone with KSQL
Kafka Summit SF 2017 - Kafka Stream Processing for Everyone with KSQLKafka Summit SF 2017 - Kafka Stream Processing for Everyone with KSQL
Kafka Summit SF 2017 - Kafka Stream Processing for Everyone with KSQL
 
Vault
VaultVault
Vault
 
Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)
Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)
Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops
 
AKS Scurity - Cluster & Kubelet Access to services
AKS Scurity - Cluster & Kubelet Access to servicesAKS Scurity - Cluster & Kubelet Access to services
AKS Scurity - Cluster & Kubelet Access to services
 
Architecting for Microservices Part 2
Architecting for Microservices Part 2Architecting for Microservices Part 2
Architecting for Microservices Part 2
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
 
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.
Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.
 
Consensus in Apache Kafka: From Theory to Production.pdf
Consensus in Apache Kafka: From Theory to Production.pdfConsensus in Apache Kafka: From Theory to Production.pdf
Consensus in Apache Kafka: From Theory to Production.pdf
 

Mehr von confluent

Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Santander Stream Processing with Apache Flink
Santander Stream Processing with Apache FlinkSantander Stream Processing with Apache Flink
Santander Stream Processing with Apache Flinkconfluent
 
Unlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insightsUnlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insightsconfluent
 
Workshop híbrido: Stream Processing con Flink
Workshop híbrido: Stream Processing con FlinkWorkshop híbrido: Stream Processing con Flink
Workshop híbrido: Stream Processing con Flinkconfluent
 
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...confluent
 
AWS Immersion Day Mapfre - Confluent
AWS Immersion Day Mapfre - ConfluentAWS Immersion Day Mapfre - Confluent
AWS Immersion Day Mapfre - Confluentconfluent
 
Eventos y Microservicios - Santander TechTalk
Eventos y Microservicios - Santander TechTalkEventos y Microservicios - Santander TechTalk
Eventos y Microservicios - Santander TechTalkconfluent
 
Q&A with Confluent Experts: Navigating Networking in Confluent Cloud
Q&A with Confluent Experts: Navigating Networking in Confluent CloudQ&A with Confluent Experts: Navigating Networking in Confluent Cloud
Q&A with Confluent Experts: Navigating Networking in Confluent Cloudconfluent
 
Citi TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep DiveCiti TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep Diveconfluent
 
Build real-time streaming data pipelines to AWS with Confluent
Build real-time streaming data pipelines to AWS with ConfluentBuild real-time streaming data pipelines to AWS with Confluent
Build real-time streaming data pipelines to AWS with Confluentconfluent
 
Q&A with Confluent Professional Services: Confluent Service Mesh
Q&A with Confluent Professional Services: Confluent Service MeshQ&A with Confluent Professional Services: Confluent Service Mesh
Q&A with Confluent Professional Services: Confluent Service Meshconfluent
 
Citi Tech Talk: Event Driven Kafka Microservices
Citi Tech Talk: Event Driven Kafka MicroservicesCiti Tech Talk: Event Driven Kafka Microservices
Citi Tech Talk: Event Driven Kafka Microservicesconfluent
 
Confluent & GSI Webinars series - Session 3
Confluent & GSI Webinars series - Session 3Confluent & GSI Webinars series - Session 3
Confluent & GSI Webinars series - Session 3confluent
 
Citi Tech Talk: Messaging Modernization
Citi Tech Talk: Messaging ModernizationCiti Tech Talk: Messaging Modernization
Citi Tech Talk: Messaging Modernizationconfluent
 
Citi Tech Talk: Data Governance for streaming and real time data
Citi Tech Talk: Data Governance for streaming and real time dataCiti Tech Talk: Data Governance for streaming and real time data
Citi Tech Talk: Data Governance for streaming and real time dataconfluent
 
Confluent & GSI Webinars series: Session 2
Confluent & GSI Webinars series: Session 2Confluent & GSI Webinars series: Session 2
Confluent & GSI Webinars series: Session 2confluent
 
Data In Motion Paris 2023
Data In Motion Paris 2023Data In Motion Paris 2023
Data In Motion Paris 2023confluent
 
Confluent Partner Tech Talk with Synthesis
Confluent Partner Tech Talk with SynthesisConfluent Partner Tech Talk with Synthesis
Confluent Partner Tech Talk with Synthesisconfluent
 
The Future of Application Development - API Days - Melbourne 2023
The Future of Application Development - API Days - Melbourne 2023The Future of Application Development - API Days - Melbourne 2023
The Future of Application Development - API Days - Melbourne 2023confluent
 
The Playful Bond Between REST And Data Streams
The Playful Bond Between REST And Data StreamsThe Playful Bond Between REST And Data Streams
The Playful Bond Between REST And Data Streamsconfluent
 

Mehr von confluent (20)

Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Santander Stream Processing with Apache Flink
Santander Stream Processing with Apache FlinkSantander Stream Processing with Apache Flink
Santander Stream Processing with Apache Flink
 
Unlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insightsUnlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insights
 
Workshop híbrido: Stream Processing con Flink
Workshop híbrido: Stream Processing con FlinkWorkshop híbrido: Stream Processing con Flink
Workshop híbrido: Stream Processing con Flink
 
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...
Industry 4.0: Building the Unified Namespace with Confluent, HiveMQ and Spark...
 
AWS Immersion Day Mapfre - Confluent
AWS Immersion Day Mapfre - ConfluentAWS Immersion Day Mapfre - Confluent
AWS Immersion Day Mapfre - Confluent
 
Eventos y Microservicios - Santander TechTalk
Eventos y Microservicios - Santander TechTalkEventos y Microservicios - Santander TechTalk
Eventos y Microservicios - Santander TechTalk
 
Q&A with Confluent Experts: Navigating Networking in Confluent Cloud
Q&A with Confluent Experts: Navigating Networking in Confluent CloudQ&A with Confluent Experts: Navigating Networking in Confluent Cloud
Q&A with Confluent Experts: Navigating Networking in Confluent Cloud
 
Citi TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep DiveCiti TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep Dive
 
Build real-time streaming data pipelines to AWS with Confluent
Build real-time streaming data pipelines to AWS with ConfluentBuild real-time streaming data pipelines to AWS with Confluent
Build real-time streaming data pipelines to AWS with Confluent
 
Q&A with Confluent Professional Services: Confluent Service Mesh
Q&A with Confluent Professional Services: Confluent Service MeshQ&A with Confluent Professional Services: Confluent Service Mesh
Q&A with Confluent Professional Services: Confluent Service Mesh
 
Citi Tech Talk: Event Driven Kafka Microservices
Citi Tech Talk: Event Driven Kafka MicroservicesCiti Tech Talk: Event Driven Kafka Microservices
Citi Tech Talk: Event Driven Kafka Microservices
 
Confluent & GSI Webinars series - Session 3
Confluent & GSI Webinars series - Session 3Confluent & GSI Webinars series - Session 3
Confluent & GSI Webinars series - Session 3
 
Citi Tech Talk: Messaging Modernization
Citi Tech Talk: Messaging ModernizationCiti Tech Talk: Messaging Modernization
Citi Tech Talk: Messaging Modernization
 
Citi Tech Talk: Data Governance for streaming and real time data
Citi Tech Talk: Data Governance for streaming and real time dataCiti Tech Talk: Data Governance for streaming and real time data
Citi Tech Talk: Data Governance for streaming and real time data
 
Confluent & GSI Webinars series: Session 2
Confluent & GSI Webinars series: Session 2Confluent & GSI Webinars series: Session 2
Confluent & GSI Webinars series: Session 2
 
Data In Motion Paris 2023
Data In Motion Paris 2023Data In Motion Paris 2023
Data In Motion Paris 2023
 
Confluent Partner Tech Talk with Synthesis
Confluent Partner Tech Talk with SynthesisConfluent Partner Tech Talk with Synthesis
Confluent Partner Tech Talk with Synthesis
 
The Future of Application Development - API Days - Melbourne 2023
The Future of Application Development - API Days - Melbourne 2023The Future of Application Development - API Days - Melbourne 2023
The Future of Application Development - API Days - Melbourne 2023
 
The Playful Bond Between REST And Data Streams
The Playful Bond Between REST And Data StreamsThe Playful Bond Between REST And Data Streams
The Playful Bond Between REST And Data Streams
 

Kürzlich hochgeladen

Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 

Kürzlich hochgeladen (20)

Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

Apache Kafka® Security Overview

  • 1. Apache Kafka Security Overview Sven Erik Knop, Senior Solutions Architect
  • 2. Who am I? • Sven Erik Knop • Senior Solutions Architect • Architect, Developer, Presenter • @sven_erik_knop 2
  • 4. Reminder: What is Apache Kafka? • Distributed, fault-tolerant and immutable log • Use cases • Publish-subscribe queue • ETL (Extract, Transform, Load) • Event streaming platform • Rich infrastructure through connectors and language APIs • Open Source, with enterprise support and enhancements through companies like Confluent 4
  • 5. 5 Apache Kafka before security (<0.9) ¡ Kafka is infrastructure hidden behind the firewall ¡ Servers within the network are implicitly trusted ¡ No governance required (or possible)
  • 6. New challenges Multi-tenancy Topics with sensitive or confidential data Regulatory requirements
  • 7. Security Features added in Kafka 0.9 Encryption Authentication Authorization Connection to ZooKeeper
  • 8. Encryption 8 Encryption in flight TLS = Transport Layer Encryption Encryption at rest OS or file system feature End-to-End encryption Needs to be built into the producers and consumers
  • 9. Encryption via TLS (Transport Layer Security) Prevents eavesdropping Prevents man- in-the-middle attacks Industry- standard encryption Broker certificate signed by either • External, well-known Certificate Authority (CA) – GlobalSign, Let’s Encrypt … • Internal CA, with clients using a truststore to verify its identity security.protocol=SSL (instead of the default PLAINTEXT) ssl.endpoint.identification.algorithm=https
  • 10. TLS Mutual Authentication If enabled, provides trust into client connections Principal is used for authorization Certificates signed by trusted authority (CA) Clients additionally use a keystore to provide their own identity
  • 11. SASL (Simple Authentication and Security Layer) 11 Framework for authentication and data security Decouples authentication mechanisms from the application protocols Common interface for different implementations
  • 12. SASL Implementations 12 Implementation Class Comments PLAIN org.apache.kafka.common.security.plain.PlainLoginModule Username/Password SCRAM org.apache.kafka.common.security.scram.ScramLoginModule SCRAM_SHA_(256|512) GSSAPI com.sun.security.auth.module.Krb5LoginModule Kerberos OAUTHBEARER org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule Token based used for RBAC security.protocol = SASL_PLAINTEXT | SASL_SSL sasl.mechanism = PLAIN | SCRAM_SHA_256 | SCRAM_SHA_512 | GSSAPI | OAUTHBEARER Configured in the brokers and the clients through a JAAS file
  • 13. JAAS 13 • Java Authentication and Authorization Service • For services (Kafka, ZooKeeper) grouped by section names • KafkaServer • KafkaClient • Server (for ZooKeeper Server) • Client (for ZooKeeper Client, e.g. Kafka) • Alternatively, specify as a property KafkaServer { org.apache.kafka.common.security.scram.ScramLoginModule required username="kafka" password="kafka"; }; Client { org.apache.zookeeper.server.auth.DigestLoginModule required username="admin" password=”admin-secret"; }; sasl.mechanism=SCRAM-SHA-256 security.protocol=SASL_PLAINTEXT sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="producer" password="producer-secret";
  • 14. sasl.mechanism=PLAIN • Username/Password • Broker • By default, holds a list of username/password in the SASL config file • Requires rolling restart when users are added or deleted • Can be overwritten, for example • listener.name.sasl_plaintext.plain.sasl.server.callback.handler.class= io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler • Client sasl.mechanism=PLAIN security.protocol=SASL_PLAINTEXT sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="alice" password="alice-secret" ;
  • 15. SCRAM • Salted Challenge Response Authentication Mechanism • Users and passwords are stored in ZooKeeper • Dynamic configuration through kafka-configs • Different encryption levels (SHA-256, SHA-512) • CAVEAT: Need to add any super user as an entity as well kafka-configs --zookeeper zookeeper:2182 --alter --add-config 'SCRAM-SHA-256=[password=xxxxx],SCRAM-SHA-512=[password=xxxxx]' --entity-type users --entity-name producer sasl.mechanism=SCRAM-SHA-256 security.protocol=SASL_PLAINTEXT sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="producer" password=”xxxxx";
  • 16. Kerberos • Network authentication protocol created by the MIT • sasl.enabled.mechanisms=GSSAPI • Generic Security Service Application Program Interface • External Key Distribution Center (KDC) • Service (Broker, ZooKeeper …) registers itself • sasl.kerberos.service.name must match principal • Default service names are ‘kafka’, ‘zookeeper’
  • 17. Kerberos client • Either: create a ticket with kinit (login) • Or: provide the keytab location and the principal name • List existing tickets with klist sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka_client.keytab" principal="kafkaclient1@EXAMPLE.COM";
  • 18. Authorization via ACLS (Access Control Lists) Permission to access or modify resources like Topics Clusters Consumer Groups All, Literal and Prefix Allow and deny access Stored in ZooKeeper
  • 19. ACL for users 19 •kafka-acls •Can check in ZooKeeper directly ACLs are stored in ZooKeeper •Topic, Cluster, Group, TransactionId, DelegationToken •(Principal, PermissionType, Operation, Host) ACLs defined for •Confluent extension to use Group:<group-name> set in LDAP Principal for users is User:<user-name> Can use resource name ‘*’ for catch all •--resource-pattern-type prefixed (default is literal) To specify a subset of resources with the same prefix, use
  • 20. Securing ZooKeeper • Authentication • SASL • Digest • Kerberos • Authorization • Securing your nodes through Kafka • zookeeper.set.acl=true • Migrating from a non-secured node • zookeeper-security-migration
  • 21. Kafka Infrastructure Schema Registry Connect Control Center KSQL REST Proxy REST Clients
  • 22. Challenge • Clients directly connected to the brokers use SASL or mutual auth for authentication • Tools like KSQL or Connect are connected using a single user with that user’s permissions • ASK: Users of these tools need their own authentication and propagate their credentials Schema RegistryREST Client SR UserREST User REST User
  • 23. The Need for A Unified Approach • Requirements • Services connect to Kafka using TLS Mutual Auth or SASL • External access via REST needs to impersonate an internal user • Want • Single service to assign roles • Changes need to be traceable (ZooKeeper does not keep a log)
  • 24. RBAC – Role Based Access Control (Pre-defined) roles can be assigned to users or groups for a resource Stored in a Kafka topic accessed via a new Kafka interface, the MDS (Meta Data Service) Requires Confluent Server instead of Apache Kafka User authentication backed by LDAP Authorized users are given an OATHBEARER Token to identify themselves
  • 25. Roles 25 Administration roles (SystemAdmin, ClusterAdmin, UserAdmin, …) Operators ResourceOwners Developers
  • 26. Roles Assignment to User/Group CLI API CONTROL CENTER Group membership management via LDAP
  • 28. Schema Registry, Connect, KSQL, REST Proxy • Standard REST username/password security (from LDAP) • MDS Server provides OAUTHBEARER token • Credentials are propagated
  • 29. RBAC Key Benefits 29 Key Benefits Over Traditional ZK ACLs: • Efficiency with Scale • Confluent Platform-wide security • Authorization at scale - with predefined Roles and LDAP Groups as Principals • Manage multiple clusters from 1 central location • Increased Granular Policies • Connector level access control. • Granular access for Control Center users • On top of the Topic and SR Subjects • Improved Multi-Tenancy support • Items without access do not show • Delegation of Administration Responsibilities
  • 30. Requirements • Confluent Server >= CP 5.4 • LDAP (Usually Microsoft Active Directory) for • User authentication (usually Username/Password SIMPLE BIND) • Group membership for authorization • All services configured with • sasl.enabled.mechanism=OAUTHBEARER • sasl.login.callback.handler.class= io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler • metadata.bootstrap.server.urls=http://mds-server:8090 • Do not configure standard producers/consumer/streams with OAUTHBEARER • Unsupported • Would require access to MDS server 30
  • 31. Summary • Security is an important feature of a streaming platform • Encryption and ACLs provide security for clients directly accessing the Kafka brokers • RBAC adds a unified authentication and authorization interface for services around Kafka
  • 32. Further reading • https://docs.confluent.io/current/security/security_tutorial.html • https://docs.confluent.io/current/security/rbac/index.html 32