Home | About | Sematext search-lucene.com search-hadoop.com
 Search Hadoop and all its subprojects:

Switch to Plain View
Kafka >> mail # user >> Securing kafka


+
Calvin Lei 2013-08-29, 17:03
+
Benjamin Black 2013-08-29, 17:10
+
Jay Kreps 2013-08-30, 00:14
+
Joe Stein 2013-08-30, 03:16
+
Rajasekar Elango 2013-08-30, 03:23
+
Joe Stein 2013-08-30, 03:33
+
Rajasekar Elango 2013-08-30, 03:38
Copy link to this message
-
Re: Securing kafka
We would love to see kerberos authentication + some unix-like permission
system for topics (where one topic is a file and users/groups have read
and/or write access).

I guess this is not high-priority but it enables some sort of
kafka-as-a-service possibility with multi tenancy. You could integrate a
quota system later on...
On Aug 30, 2013 5:38 AM, "Rajasekar Elango" <[EMAIL PROTECTED]> wrote:

> No certificates are not per topic. It is for entire broker.
>
> Thanks,
> Raja.
>
>
> On Thu, Aug 29, 2013 at 11:33 PM, Joe Stein <[EMAIL PROTECTED]> wrote:
>
> > are the certificate stores by topic? very interesting!!! looking forward
> to
> > trying it out and review it
> >
> > /*******************************************
> >  Joe Stein
> >  Founder, Principal Consultant
> >  Big Data Open Source Security LLC
> >  http://www.stealth.ly
> >  Twitter: @allthingshadoop <http://www.twitter.com/allthingshadoop>
> > ********************************************/
> >
> >
> > On Thu, Aug 29, 2013 at 11:22 PM, Rajasekar Elango
> > <[EMAIL PROTECTED]>wrote:
> >
> > > We have made changes to kafka code to support certificate based mutual
> > SSL
> > > authentication. So the clients and broker will exchange trusted
> > > certificates for successful communication. This provides both
> > > authentication and ssl encryption. Planning to contribute that code
> back
> > to
> > > kafka soon.
> > >
> > > Thanks,
> > > Raja.
> > >
> > >
> > > On Thu, Aug 29, 2013 at 11:16 PM, Joe Stein <[EMAIL PROTECTED]>
> wrote:
> > >
> > > > One use case I have been discussing recently with a few clients is
> > > > verifying the digital signature of a message as part of the
> acceptance
> > > > criteria of it being committed to the log and/or when it is consumed.
> > > >
> > > > I would be very interested in discussing different scenarios such as
> > > Kafka
> > > > as a service, privacy at rest as well as authorization and
> > authentication
> > > > (if required).
> > > >
> > > > Hit me up
> > > >
> > > > /*******************************************
> > > >  Joe Stein
> > > >  Founder, Principal Consultant
> > > >  Big Data Open Source Security LLC
> > > >  http://www.stealth.ly
> > > >  Twitter: @allthingshadoop <http://www.twitter.com/allthingshadoop>
> > > > ********************************************/
> > > >
> > > >
> > > > On Thu, Aug 29, 2013 at 8:13 PM, Jay Kreps <[EMAIL PROTECTED]>
> > wrote:
> > > >
> > > > > +1
> > > > >
> > > > > We don't have any application-level security at this time so the
> > answer
> > > > is
> > > > > whatever you can do at the network/system level.
> > > > >
> > > > > -Jay
> > > > >
> > > > >
> > > > > On Thu, Aug 29, 2013 at 10:09 AM, Benjamin Black <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > IP filters on the hosts.
> > > > > > On Aug 29, 2013 10:03 AM, "Calvin Lei" <[EMAIL PROTECTED]> wrote:
> > > > > >
> > > > > > > Is there a way to stop a malicious user to connect directly to
> a
> > > > kafka
> > > > > > > broker and send any messages? Could we have the brokers to
> > accept a
> > > > > > message
> > > > > > > to a list of know IPs?
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Thanks,
> > > Raja.
> > >
> >
>
>
>
> --
> Thanks,
> Raja.
>

 
+
Jay Kreps 2013-08-31, 01:04
+
Jason Rosenberg 2013-09-02, 20:14
+
Calvin Lei 2013-08-30, 22:23
+
Scott Clasen 2013-08-31, 00:11