Is my Kafka environment secure? – Security features in Confluent Platform (Suvad Sahovic, Confluent) Frankfurt Confluent Streaming Events 2019
1. CONFIDENTIAL
Is my Kafka environment secure? –
Security features in Confluent Platform
Suvad Sahovic
suvad@confluent.io
2.
Security is top of mind for Confluent Platform
Data Confidentiality
● Over the wire with TLS
● Secret Protection (5.3)
● Data-at-rest encryption utilizing 3rd-party tools
Authorization
● ACL support in Kafka
● Support for AD/LDAP Group
● Prefixed ACL wildcards
● RBAC Preview* (5.3)*
Authentication
● Plaintext (none)
● SASL (Kerberos, PLAIN, SCRAM)
● TLS Client Certificate
● Platform-wide AD/LDAP (5.3)*
Available now
4.
Challenges
Service Accounts
Kafka Developers
Kafka Admins
Kafka Topics
5.
C3
KSQL
REST Proxy
SR
CONN.
Challenges
SAs
DEVs
Admins
Kafka Topics
6.
Challenges
SAs
DEVs
Admins
7.
Challenges
SAs
DEVs
Admins
8.
Managing Role Binding
Role Binding
Users/groups
Roles
Resource scoping
● Privileged users can set up, view and manage roles for others
● This includes both users and groups
● User/Group information is integrated with AD/LDAP
● In preview, the management of roles is done through the new CLI
5.3 Release
9.
RBAC Predefined roles
● DeveloperRead
● SystemAdmin
● UserAdmin
● super.user
● ClusterAdmin
● ResourceOwner
● Operator
● SecurityAdmin
● DeveloperWrite
● DeveloperManage
Available now
12.
Challenges
● Lack of visibility into actions taken by users/applications
● Detect anomalies & identify bad actors
● Address compliance/InfoSec needs