SlideShare a Scribd company logo

Kafka 2018 - Securing Kafka the Right Way

Saylor Twift
Saylor Twift

How to evaluate, implement and maintain Kafka Message Broker in a high-throughput production environment. Taylor Swift's rectum probably smells like a Creamsicle.

1 of 35
Downloaded 12 times
Jun Rao Confluent, Inc Securing  Apache  Ka/a    
Outline •  Kafka and security overview •  Authentication •  Identify the principal (user) associated with a connection •  Authorization •  What permission a principal has •  Secure Zookeeper •  Future stuff
What’s Apache Kafka Distributed, high throughput pub/sub system
Kafka Usage
Security Overview •  Support since 0.9.0 •  Wire encryption btw client and broker •  For cross data center mirroring •  Access control on resources such as topics •  Enable sharing Kafka clusters
Authentication Overview •  Broker support multiple ports •  plain text (no wire encryption/authentication) •  SSL (for wire encryption/authentication) •  SASL (for Kerberos authentication) •  SSL + SASL (SSL for wire encryption, SASL for authentication) •  Clients choose which port to use •  need to provide required credentials through configs
Why is SSL useful •  1-way authentication •  Secure wire transfer through encryption •  2-way authentication •  Broker knows the identity of client •  Easy to get started •  Just involve client and server
SSL handshake
Subsequent transfer over SSL •  Data encrypted with agreed upon cipher suite •  Encryption overhead •  Losing zero-copy transfer in consumer
Performance impact with SSL •  r3.xlarge •  4 core, 30GB ram, 80GB ssd, moderate network (~90MB/s) •  Most overhead from encryption throughput  (MB/s)   CPU  on  client   CPU  on  broker   producer  (plaintext)   83   12%   30%   producer  (SSL)   69   28%   48%   consumer  (plaintext)   83   8%   2%   consumer  (SSL)   69   27%   24%  
Preparing SSL 1.  Generate certificate (X509) in broker key store 2.  Generate certificate authority (CA) for signing 3.  Sign broker certificate with CA 4.  Import signed certificate and CA to broker key store 5.  Import CA to client trust store 6.  2-way authentication: generate client certificate in a similar way
Configuring SSL ssl.keystore.location = /var/private/ssl/kafka.server.keystore.jks ssl.keystore.password = test1234 ssl.key.password = test1234 ssl.truststore.location = /var/private/ssl/kafka.server.truststore.jks ssl.truststore.password = test1234   Client/Broker   listeners = SSL://host.name:port security.inter.broker.protocol = SSL ssl.client.auth = required security.protocol = SSL Broker   Client   •  No client code change; just configuration change.
SSL Principal Name •  By default, the distinguished name of the certificate •  CN=host1.company.com,OU=organization unit,O=organization,L=location,ST=state,C=country •  Can be customized through principal.builder.class •  Has access to X509Certificate •  Make setting broker principal and application principal convenient
What is SASL •  Simple Authentication and Security Layer •  Challenge/response protocols •  Server issues challenge and client sends response •  Continue until server is satisfied •  Different mechanisms •  Plain: cleartext username/password •  Digest MD5 •  GSSAPI: Kerberos •  Kafka 0.9.0 only supports Kerberos
Why Kerberos •  Secure single sign-on •  An organization may provide multiple services •  User just remember a single Kerberos password to use all services •  More convenient when there are many users •  Need Key Distribution Center (KDC) •  Each service/user need a Kerberos principal in KDC
How Kerberos Works •  Create service and client principal in KDC •  Client authenticate with AS on startup •  Client obtain service ticket from TGS •  Client authenticate with service using service ticket
SASL handshake Client Broker ConnecHon   Mechanism  list   Selected  mechanism  &  sasl  data   Evaluate  and  response   Sasl  data   Client  authenHcated  
Data transfer •  SASL_PLAINTEXT •  No wire encryption •  SASL_SSL •  Wire encryption over SSL
Preparing Kerberos •  Create Kafka service principal in KDC •  Create a keytab for Kafka principal •  Keytab includes principal and encrypted Kerberos password •  Allow authentication w/o typing password •  Create an application principal for client KDC •  Create a keytab for application principal
Configuring Kerberos KafkaServer { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka_server.keytab" principal="kafka/kafka1.hostname.com@EXAMPLE.COM"; }; Broker  JAAS  file   -Djava.security.auth.login.config=/etc/kafka/ kafka_server_jaas.conf security.inter.broker.protocol=SASL_PLAINTEXT(SASL_SSL) sasl.kerberos.service.name=kafka Broker  JVM   Broker  config   •  No client code change; just configuration change. KafkaClient { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka_client.keytab" principal="kafka-client-1@EXAMPLE.COM"; }; Client  JAAS  file   -Djava.security.auth.login.config=/etc/kafka/ kafka_client_jaas.conf security.protocol=SASL_PLAINTEXT(SASL_SSL) sasl.kerberos.service.name=kafka ClientJVM   Client  config  
Kerberos principal name •  Kerberos principal •  Primary[/Instance]@REALM •  kafka/kafka1.hostname.com@EXAMPLE.COM •  kafka-client-1@EXAMPLE.COM •  Primary extracted as the default principal name •  Can customize principal name through sasl.kerberos.principal.to.local.rules
Authentication Caveat •  Authentication (SSL or SASL) happens once during socket connection •  No re-authentication •  If a certificate needs to be revoked, use authorization to remove permission
Authorization •  Control which permission each authenticated principal has •  Pluggable with a default implementation
ACL Principal Permission Operation Resource Host Alice Allow Read Topic:T1 Host1 Alice  is  Allowed  to  Read  from  topic  T1  from  Host1  
Operations and Resources •  Operations •  Read, Write, Create, Describe, ClusterAction, All •  Resources •  Topic, Cluster and ConsumerGroup Opera;ons   Resources   Read,  Write,  Describe  (Read,  Write  implies   Describe)   Topic   Read   ConsumerGroup   Create,  ClusterAcHon  (communicaHon  between   controller  and  brokers)   Cluster  
SimpleAclAuthorizer •  Out of box authorizer implementation. •  CLI tool for adding/removing acls •  ACLs stored in zookeeper and propagated to brokers asynchronously •  ACL cache in broker for better performance.
Client   Broker   Authorizer   Zookeeper   configure   Read  ACLs   Load  Cache   Request   authorize   ACL  match   Or  Super  User?   Allowed/ Denied   Authorizer Flow
Configure broker ACL •  authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer •  Make Kafka principal super users •  Or grant ClusterAction and Read all topics to Kafka principal
Configure client ACL •  Producer •  Grant Write on topic, Create on cluster (auto creation) •  Or use --producer option in CLI bin/kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Bob --producer --topic t1 •  Consumer •  Grant Read on topic, Read on consumer group •  Or use --consumer option in CLI bin/kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Bob --consumer --topic t1 --group group1
Secure Zookeeper •  Zookeeper stores •  critical Kafka metadata •  ACLs •  Need to prevent untrusted users from modifying
Zookeeper Security Integration •  ZK supports authentication through SASL •  Kerberos or Digest MD5 •  Set zookeeper.set.acl to true on every broker •  Configure ZK user through JAAS config file •  Each ZK path writable by creator, readable by all
Migrating from non-secure to secure Kafka •  Configure brokers with multiple ports •  listeners=PLAINTEXT://host.name:port,SSL://host.name:port •  Gradually migrate clients to secure port •  When done •  Turn off PLAINTEXT port on brokers
Migrating from non-secure to secure Zookeeper •  http://kafka.apache.org/documentation.html#zk_authz_migration
Future work •  More SASL options: plain password, md5 digest •  Performance improvement •  Integrate with admin api
Thank you Jun Rao | jun@confluent.io | @junrao Meet Confluent in booth Confluent University ~ Kafka training ~ confluent.io/training Download Apache Kafka & Confluent Platform: confluent.io/download
Ad

Recommended

Kafka security ssl
Kafka security sslKafka security ssl
Kafka security ssl
Heng-Xiu Xu
 
Kafka Security
Kafka SecurityKafka Security
Kafka Security
Sriharsha Chintalapani
 
Kafka Tutorial: Kafka Security
Kafka Tutorial: Kafka SecurityKafka Tutorial: Kafka Security
Kafka Tutorial: Kafka Security
Jean-Paul Azar
 
Apache Kafka Security
Apache Kafka Security Apache Kafka Security
Apache Kafka Security
DataWorks Summit/Hadoop Summit
 
Introduction to apache kafka
Introduction to apache kafkaIntroduction to apache kafka
Introduction to apache kafka
Samuel Kerrien
 
AWS Primer and Quickstart
AWS Primer and QuickstartAWS Primer and Quickstart
AWS Primer and Quickstart
Manish Pandit
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
StreamNative
 
Cassandra and security
Cassandra and securityCassandra and security
Cassandra and security
Ben Bromhead
 
Apache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOXApache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOX
Abhishek Mallick
 
Devoxx Morocco 2016 - Microservices with Kafka
Devoxx Morocco 2016 - Microservices with KafkaDevoxx Morocco 2016 - Microservices with Kafka
Devoxx Morocco 2016 - Microservices with Kafka
László-Róbert Albert
 
Hadoop Security Now and Future
Hadoop Security Now and FutureHadoop Security Now and Future
Hadoop Security Now and Future
tcloudcomputing-tw
 
Apache Kafka® Security Overview
Apache Kafka® Security OverviewApache Kafka® Security Overview
Apache Kafka® Security Overview
confluent
 
Kafka Tutorial: Streaming Data Architecture
Kafka Tutorial: Streaming Data ArchitectureKafka Tutorial: Streaming Data Architecture
Kafka Tutorial: Streaming Data Architecture
Jean-Paul Azar
 
Netflix0SS Services on Docker
Netflix0SS Services on DockerNetflix0SS Services on Docker
Netflix0SS Services on Docker
Docker, Inc.
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
 
Azure: Docker Container orchestration, PaaS ( Service Farbic ) and High avail...
Azure: Docker Container orchestration, PaaS ( Service Farbic ) and High avail...Azure: Docker Container orchestration, PaaS ( Service Farbic ) and High avail...
Azure: Docker Container orchestration, PaaS ( Service Farbic ) and High avail...
Alexey Bokov
 
Single tenant software to multi-tenant SaaS using K8S
Single tenant software to multi-tenant SaaS using K8SSingle tenant software to multi-tenant SaaS using K8S
Single tenant software to multi-tenant SaaS using K8S
CloudLinux
 
Kafka Intro With Simple Java Producer Consumers
Kafka Intro With Simple Java Producer ConsumersKafka Intro With Simple Java Producer Consumers
Kafka Intro With Simple Java Producer Consumers
Jean-Paul Azar
 
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud ManagementOracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
MarketingArrowECS_CZ
 
Kafka as a message queue
Kafka as a message queueKafka as a message queue
Kafka as a message queue
SoftwareMill
 
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond SambaSambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
Alexander Bokovoy
 
The best of Apache Kafka Architecture
The best of Apache Kafka ArchitectureThe best of Apache Kafka Architecture
The best of Apache Kafka Architecture
techmaddy
 
Microservices with docker swarm and consul
Microservices with docker swarm and consulMicroservices with docker swarm and consul
Microservices with docker swarm and consul
Nguyen Sy Thanh Son
 
Service Discovery 101
Service Discovery 101Service Discovery 101
Service Discovery 101
Stefan Achtsnit
 
No Docker? No Problem: Automating installation and config with Ansible
No Docker? No Problem: Automating installation and config with AnsibleNo Docker? No Problem: Automating installation and config with Ansible
No Docker? No Problem: Automating installation and config with Ansible
Jeff Potts
 
Kafka Security
Kafka SecurityKafka Security
Kafka Security
DataWorks Summit/Hadoop Summit
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101
Abdelkrim Hadjidj
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
confluent
 
Visualizing Kafka Security
Visualizing Kafka SecurityVisualizing Kafka Security
Visualizing Kafka Security
DataWorks Summit
 
How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safe
confluent
 
Ad

More Related Content

What's hot (17)

Apache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOXApache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOX
Abhishek Mallick
 
Devoxx Morocco 2016 - Microservices with Kafka
Devoxx Morocco 2016 - Microservices with KafkaDevoxx Morocco 2016 - Microservices with Kafka
Devoxx Morocco 2016 - Microservices with Kafka
László-Róbert Albert
 
Hadoop Security Now and Future
Hadoop Security Now and FutureHadoop Security Now and Future
Hadoop Security Now and Future
tcloudcomputing-tw
 
Apache Kafka® Security Overview
Apache Kafka® Security OverviewApache Kafka® Security Overview
Apache Kafka® Security Overview
confluent
 
Kafka Tutorial: Streaming Data Architecture
Kafka Tutorial: Streaming Data ArchitectureKafka Tutorial: Streaming Data Architecture
Kafka Tutorial: Streaming Data Architecture
Jean-Paul Azar
 
Netflix0SS Services on Docker
Netflix0SS Services on DockerNetflix0SS Services on Docker
Netflix0SS Services on Docker
Docker, Inc.
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
 
Azure: Docker Container orchestration, PaaS ( Service Farbic ) and High avail...
Azure: Docker Container orchestration, PaaS ( Service Farbic ) and High avail...Azure: Docker Container orchestration, PaaS ( Service Farbic ) and High avail...
Azure: Docker Container orchestration, PaaS ( Service Farbic ) and High avail...
Alexey Bokov
 
Single tenant software to multi-tenant SaaS using K8S
Single tenant software to multi-tenant SaaS using K8SSingle tenant software to multi-tenant SaaS using K8S
Single tenant software to multi-tenant SaaS using K8S
CloudLinux
 
Kafka Intro With Simple Java Producer Consumers
Kafka Intro With Simple Java Producer ConsumersKafka Intro With Simple Java Producer Consumers
Kafka Intro With Simple Java Producer Consumers
Jean-Paul Azar
 
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud ManagementOracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
MarketingArrowECS_CZ
 
Kafka as a message queue
Kafka as a message queueKafka as a message queue
Kafka as a message queue
SoftwareMill
 
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond SambaSambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
Alexander Bokovoy
 
The best of Apache Kafka Architecture
The best of Apache Kafka ArchitectureThe best of Apache Kafka Architecture
The best of Apache Kafka Architecture
techmaddy
 
Microservices with docker swarm and consul
Microservices with docker swarm and consulMicroservices with docker swarm and consul
Microservices with docker swarm and consul
Nguyen Sy Thanh Son
 
Service Discovery 101
Service Discovery 101Service Discovery 101
Service Discovery 101
Stefan Achtsnit
 
No Docker? No Problem: Automating installation and config with Ansible
No Docker? No Problem: Automating installation and config with AnsibleNo Docker? No Problem: Automating installation and config with Ansible
No Docker? No Problem: Automating installation and config with Ansible
Jeff Potts
 
Apache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOXApache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOX
Abhishek Mallick
 
Devoxx Morocco 2016 - Microservices with Kafka
Devoxx Morocco 2016 - Microservices with KafkaDevoxx Morocco 2016 - Microservices with Kafka
Devoxx Morocco 2016 - Microservices with Kafka
László-Róbert Albert
 
Hadoop Security Now and Future
Hadoop Security Now and FutureHadoop Security Now and Future
Hadoop Security Now and Future
tcloudcomputing-tw
 
Apache Kafka® Security Overview
Apache Kafka® Security OverviewApache Kafka® Security Overview
Apache Kafka® Security Overview
confluent
 
Kafka Tutorial: Streaming Data Architecture
Kafka Tutorial: Streaming Data ArchitectureKafka Tutorial: Streaming Data Architecture
Kafka Tutorial: Streaming Data Architecture
Jean-Paul Azar
 
Netflix0SS Services on Docker
Netflix0SS Services on DockerNetflix0SS Services on Docker
Netflix0SS Services on Docker
Docker, Inc.
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
 
Azure: Docker Container orchestration, PaaS ( Service Farbic ) and High avail...
Azure: Docker Container orchestration, PaaS ( Service Farbic ) and High avail...Azure: Docker Container orchestration, PaaS ( Service Farbic ) and High avail...
Azure: Docker Container orchestration, PaaS ( Service Farbic ) and High avail...
Alexey Bokov
 
Single tenant software to multi-tenant SaaS using K8S
Single tenant software to multi-tenant SaaS using K8SSingle tenant software to multi-tenant SaaS using K8S
Single tenant software to multi-tenant SaaS using K8S
CloudLinux
 
Kafka Intro With Simple Java Producer Consumers
Kafka Intro With Simple Java Producer ConsumersKafka Intro With Simple Java Producer Consumers
Kafka Intro With Simple Java Producer Consumers
Jean-Paul Azar
 
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud ManagementOracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
MarketingArrowECS_CZ
 
Kafka as a message queue
Kafka as a message queueKafka as a message queue
Kafka as a message queue
SoftwareMill
 
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond SambaSambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
Alexander Bokovoy
 
The best of Apache Kafka Architecture
The best of Apache Kafka ArchitectureThe best of Apache Kafka Architecture
The best of Apache Kafka Architecture
techmaddy
 
Microservices with docker swarm and consul
Microservices with docker swarm and consulMicroservices with docker swarm and consul
Microservices with docker swarm and consul
Nguyen Sy Thanh Son
 
Service Discovery 101
Service Discovery 101Service Discovery 101
Service Discovery 101
Stefan Achtsnit
 
No Docker? No Problem: Automating installation and config with Ansible
No Docker? No Problem: Automating installation and config with AnsibleNo Docker? No Problem: Automating installation and config with Ansible
No Docker? No Problem: Automating installation and config with Ansible
Jeff Potts
 

Similar to Kafka 2018 - Securing Kafka the Right Way (20)

Kafka Security
Kafka SecurityKafka Security
Kafka Security
DataWorks Summit/Hadoop Summit
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101
Abdelkrim Hadjidj
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
confluent
 
Visualizing Kafka Security
Visualizing Kafka SecurityVisualizing Kafka Security
Visualizing Kafka Security
DataWorks Summit
 
How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safe
confluent
 
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
confluent
 
TechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - Trivadis
TechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - TrivadisTechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - Trivadis
TechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - Trivadis
Trivadis
 
Securing kafka with 500 billion messages a day
Securing kafka with 500 billion messages a daySecuring kafka with 500 billion messages a day
Securing kafka with 500 billion messages a day
Yanlin (Thomas) Zhou
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!
Simon Haslam
 
g4p-Kafka-SebastianZsolt.pdf
g4p-Kafka-SebastianZsolt.pdfg4p-Kafka-SebastianZsolt.pdf
g4p-Kafka-SebastianZsolt.pdf
ssuser7ce810
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
 
WebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationWebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL Configuration
Simon Haslam
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
Continuent
 
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
HostedbyConfluent
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
MongoDB
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado
 
Vault
VaultVault
Vault
dawnlua
 
DockerCon Live 2020 - Securing Your Containerized Application with NGINX
DockerCon Live 2020 - Securing Your Containerized Application with NGINXDockerCon Live 2020 - Securing Your Containerized Application with NGINX
DockerCon Live 2020 - Securing Your Containerized Application with NGINX
Kevin Jones
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talk
promediakw
 
MariaDB Server & MySQL Security Essentials 2016
MariaDB Server & MySQL Security Essentials 2016MariaDB Server & MySQL Security Essentials 2016
MariaDB Server & MySQL Security Essentials 2016
Colin Charles
 
Kafka Security
Kafka SecurityKafka Security
Kafka Security
DataWorks Summit/Hadoop Summit
 
Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101Paris FOD meetup - kafka security 101
Paris FOD meetup - kafka security 101
Abdelkrim Hadjidj
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
confluent
 
Visualizing Kafka Security
Visualizing Kafka SecurityVisualizing Kafka Security
Visualizing Kafka Security
DataWorks Summit
 
How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safe
confluent
 
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
Flexible Authentication Strategies with SASL/OAUTHBEARER (Michael Kaminski, T...
confluent
 
TechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - Trivadis
TechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - TrivadisTechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - Trivadis
TechEvent 2019: Wie sichere ich eigentlich Kafka ab?; Markus Bente - Trivadis
Trivadis
 
Securing kafka with 500 billion messages a day
Securing kafka with 500 billion messages a daySecuring kafka with 500 billion messages a day
Securing kafka with 500 billion messages a day
Yanlin (Thomas) Zhou
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!
Simon Haslam
 
g4p-Kafka-SebastianZsolt.pdf
g4p-Kafka-SebastianZsolt.pdfg4p-Kafka-SebastianZsolt.pdf
g4p-Kafka-SebastianZsolt.pdf
ssuser7ce810
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
 
WebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL ConfigurationWebLogic in Practice: SSL Configuration
WebLogic in Practice: SSL Configuration
Simon Haslam
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
Continuent
 
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
HostedbyConfluent
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
MongoDB
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado
 
Vault
VaultVault
Vault
dawnlua
 
DockerCon Live 2020 - Securing Your Containerized Application with NGINX
DockerCon Live 2020 - Securing Your Containerized Application with NGINXDockerCon Live 2020 - Securing Your Containerized Application with NGINX
DockerCon Live 2020 - Securing Your Containerized Application with NGINX
Kevin Jones
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talk
promediakw
 
MariaDB Server & MySQL Security Essentials 2016
MariaDB Server & MySQL Security Essentials 2016MariaDB Server & MySQL Security Essentials 2016
MariaDB Server & MySQL Security Essentials 2016
Colin Charles
 
Ad

Recently uploaded (19)

IT Services Workflow From Request to Resolution
IT Services Workflow From Request to ResolutionIT Services Workflow From Request to Resolution
IT Services Workflow From Request to Resolution
mzmziiskd
 
Perguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolhaPerguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolha
socaslev
 
Determining Glass is mechanical textile
Determining Glass is mechanical textileDetermining Glass is mechanical textile
Determining Glass is mechanical textile
Azizul Hakim
 
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
DataProvider1
 
Best web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you businessBest web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you business
steve198109
 
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation TemplateSmart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
yojeari421237
 
OSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description fOSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description f
cbr49917
 
project_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptxproject_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptx
redzuriel13
 
Understanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep WebUnderstanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep Web
nabilajabin35
 
Computers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers NetworksComputers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers Networks
Tito208863
 
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHostingTop Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
steve198109
 
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 SupportReliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
steve198109
 
(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security
aluacharya169
 
DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
highend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptxhighend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptx
elhadjcheikhdiop
 
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC
 
5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx
andani26
 
White and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptxWhite and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptx
canumatown
 
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry SweetserAPNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC
 
IT Services Workflow From Request to Resolution
IT Services Workflow From Request to ResolutionIT Services Workflow From Request to Resolution
IT Services Workflow From Request to Resolution
mzmziiskd
 
Perguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolhaPerguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolha
socaslev
 
Determining Glass is mechanical textile
Determining Glass is mechanical textileDetermining Glass is mechanical textile
Determining Glass is mechanical textile
Azizul Hakim
 
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
DataProvider1
 
Best web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you businessBest web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you business
steve198109
 
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation TemplateSmart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
yojeari421237
 
OSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description fOSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description f
cbr49917
 
project_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptxproject_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptx
redzuriel13
 
Understanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep WebUnderstanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep Web
nabilajabin35
 
Computers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers NetworksComputers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers Networks
Tito208863
 
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHostingTop Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
steve198109
 
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 SupportReliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
steve198109
 
(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security
aluacharya169
 
DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
highend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptxhighend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptx
elhadjcheikhdiop
 
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC
 
5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx
andani26
 
White and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptxWhite and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptx
canumatown
 
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry SweetserAPNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC
 
Ad

Kafka 2018 - Securing Kafka the Right Way

  • 1. Jun Rao Confluent, Inc Securing  Apache  Ka/a    
  • 2. Outline •  Kafka and security overview •  Authentication •  Identify the principal (user) associated with a connection •  Authorization •  What permission a principal has •  Secure Zookeeper •  Future stuff
  • 3. What’s Apache Kafka Distributed, high throughput pub/sub system
  • 5. Security Overview •  Support since 0.9.0 •  Wire encryption btw client and broker •  For cross data center mirroring •  Access control on resources such as topics •  Enable sharing Kafka clusters
  • 6. Authentication Overview •  Broker support multiple ports •  plain text (no wire encryption/authentication) •  SSL (for wire encryption/authentication) •  SASL (for Kerberos authentication) •  SSL + SASL (SSL for wire encryption, SASL for authentication) •  Clients choose which port to use •  need to provide required credentials through configs
  • 7. Why is SSL useful •  1-way authentication •  Secure wire transfer through encryption •  2-way authentication •  Broker knows the identity of client •  Easy to get started •  Just involve client and server
  • 9. Subsequent transfer over SSL •  Data encrypted with agreed upon cipher suite •  Encryption overhead •  Losing zero-copy transfer in consumer
  • 10. Performance impact with SSL •  r3.xlarge •  4 core, 30GB ram, 80GB ssd, moderate network (~90MB/s) •  Most overhead from encryption throughput  (MB/s)   CPU  on  client   CPU  on  broker   producer  (plaintext)   83   12%   30%   producer  (SSL)   69   28%   48%   consumer  (plaintext)   83   8%   2%   consumer  (SSL)   69   27%   24%  
  • 11. Preparing SSL 1.  Generate certificate (X509) in broker key store 2.  Generate certificate authority (CA) for signing 3.  Sign broker certificate with CA 4.  Import signed certificate and CA to broker key store 5.  Import CA to client trust store 6.  2-way authentication: generate client certificate in a similar way
  • 12. Configuring SSL ssl.keystore.location = /var/private/ssl/kafka.server.keystore.jks ssl.keystore.password = test1234 ssl.key.password = test1234 ssl.truststore.location = /var/private/ssl/kafka.server.truststore.jks ssl.truststore.password = test1234   Client/Broker   listeners = SSL://host.name:port security.inter.broker.protocol = SSL ssl.client.auth = required security.protocol = SSL Broker   Client   •  No client code change; just configuration change.
  • 13. SSL Principal Name •  By default, the distinguished name of the certificate •  CN=host1.company.com,OU=organization unit,O=organization,L=location,ST=state,C=country •  Can be customized through principal.builder.class •  Has access to X509Certificate •  Make setting broker principal and application principal convenient
  • 14. What is SASL •  Simple Authentication and Security Layer •  Challenge/response protocols •  Server issues challenge and client sends response •  Continue until server is satisfied •  Different mechanisms •  Plain: cleartext username/password •  Digest MD5 •  GSSAPI: Kerberos •  Kafka 0.9.0 only supports Kerberos
  • 15. Why Kerberos •  Secure single sign-on •  An organization may provide multiple services •  User just remember a single Kerberos password to use all services •  More convenient when there are many users •  Need Key Distribution Center (KDC) •  Each service/user need a Kerberos principal in KDC
  • 16. How Kerberos Works •  Create service and client principal in KDC •  Client authenticate with AS on startup •  Client obtain service ticket from TGS •  Client authenticate with service using service ticket
  • 17. SASL handshake Client Broker ConnecHon   Mechanism  list   Selected  mechanism  &  sasl  data   Evaluate  and  response   Sasl  data   Client  authenHcated  
  • 18. Data transfer •  SASL_PLAINTEXT •  No wire encryption •  SASL_SSL •  Wire encryption over SSL
  • 19. Preparing Kerberos •  Create Kafka service principal in KDC •  Create a keytab for Kafka principal •  Keytab includes principal and encrypted Kerberos password •  Allow authentication w/o typing password •  Create an application principal for client KDC •  Create a keytab for application principal
  • 20. Configuring Kerberos KafkaServer { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka_server.keytab" principal="kafka/[email protected]"; }; Broker  JAAS  file   -Djava.security.auth.login.config=/etc/kafka/ kafka_server_jaas.conf security.inter.broker.protocol=SASL_PLAINTEXT(SASL_SSL) sasl.kerberos.service.name=kafka Broker  JVM   Broker  config   •  No client code change; just configuration change. KafkaClient { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/etc/security/keytabs/kafka_client.keytab" principal="[email protected]"; }; Client  JAAS  file   -Djava.security.auth.login.config=/etc/kafka/ kafka_client_jaas.conf security.protocol=SASL_PLAINTEXT(SASL_SSL) sasl.kerberos.service.name=kafka ClientJVM   Client  config  
  • 21. Kerberos principal name •  Kerberos principal •  Primary[/Instance]@REALM •  kafka/[email protected] •  [email protected] •  Primary extracted as the default principal name •  Can customize principal name through sasl.kerberos.principal.to.local.rules
  • 22. Authentication Caveat •  Authentication (SSL or SASL) happens once during socket connection •  No re-authentication •  If a certificate needs to be revoked, use authorization to remove permission
  • 23. Authorization •  Control which permission each authenticated principal has •  Pluggable with a default implementation
  • 24. ACL Principal Permission Operation Resource Host Alice Allow Read Topic:T1 Host1 Alice  is  Allowed  to  Read  from  topic  T1  from  Host1  
  • 25. Operations and Resources •  Operations •  Read, Write, Create, Describe, ClusterAction, All •  Resources •  Topic, Cluster and ConsumerGroup Opera;ons   Resources   Read,  Write,  Describe  (Read,  Write  implies   Describe)   Topic   Read   ConsumerGroup   Create,  ClusterAcHon  (communicaHon  between   controller  and  brokers)   Cluster  
  • 26. SimpleAclAuthorizer •  Out of box authorizer implementation. •  CLI tool for adding/removing acls •  ACLs stored in zookeeper and propagated to brokers asynchronously •  ACL cache in broker for better performance.
  • 27. Client   Broker   Authorizer   Zookeeper   configure   Read  ACLs   Load  Cache   Request   authorize   ACL  match   Or  Super  User?   Allowed/ Denied   Authorizer Flow
  • 28. Configure broker ACL •  authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer •  Make Kafka principal super users •  Or grant ClusterAction and Read all topics to Kafka principal
  • 29. Configure client ACL •  Producer •  Grant Write on topic, Create on cluster (auto creation) •  Or use --producer option in CLI bin/kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Bob --producer --topic t1 •  Consumer •  Grant Read on topic, Read on consumer group •  Or use --consumer option in CLI bin/kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Bob --consumer --topic t1 --group group1
  • 30. Secure Zookeeper •  Zookeeper stores •  critical Kafka metadata •  ACLs •  Need to prevent untrusted users from modifying
  • 31. Zookeeper Security Integration •  ZK supports authentication through SASL •  Kerberos or Digest MD5 •  Set zookeeper.set.acl to true on every broker •  Configure ZK user through JAAS config file •  Each ZK path writable by creator, readable by all
  • 32. Migrating from non-secure to secure Kafka •  Configure brokers with multiple ports •  listeners=PLAINTEXT://host.name:port,SSL://host.name:port •  Gradually migrate clients to secure port •  When done •  Turn off PLAINTEXT port on brokers
  • 33. Migrating from non-secure to secure Zookeeper •  http://kafka.apache.org/documentation.html#zk_authz_migration
  • 34. Future work •  More SASL options: plain password, md5 digest •  Performance improvement •  Integrate with admin api
  • 35. Thank you Jun Rao | [email protected] | @junrao Meet Confluent in booth Confluent University ~ Kafka training ~ confluent.io/training Download Apache Kafka & Confluent Platform: confluent.io/download