Kafka >> mail # user >> Securing kafka


Calvin Lei 2013-08-29, 17:03
Benjamin Black 2013-08-29, 17:10
Jay Kreps 2013-08-30, 00:14
Joe Stein 2013-08-30, 03:16
Rajasekar Elango 2013-08-30, 03:23
Joe Stein 2013-08-30, 03:33
Rajasekar Elango 2013-08-30, 03:38
Maxime Brugidou 2013-08-30, 12:25

Re: Securing kafka
Yeah, if nobody else does it first, LinkedIn will definitely do Kerberos/SSL
+ Unix permissions at the topic level soonish. If folks already have a head
start on the auth piece we would love to have that contribution.

On Fri, Aug 30, 2013 at 5:25 AM, Maxime Brugidou
<[EMAIL PROTECTED]> wrote:

> We would love to see kerberos authentication + some unix-like permission
> system for topics (where one topic is a file and users/groups have read
> and/or write access).
>
> I guess this is not high-priority but it enables some sort of
> kafka-as-a-service possibility with multi tenancy. You could integrate a
> quota system later on...
> On Aug 30, 2013 5:38 AM, "Rajasekar Elango" <[EMAIL PROTECTED]>
> wrote:
>
> > No, certificates are not per topic. It is for the entire broker.
> >
> > Thanks,
> > Raja.
> >
> >
> > On Thu, Aug 29, 2013 at 11:33 PM, Joe Stein <[EMAIL PROTECTED]> wrote:
> >
> > > are the certificate stores by topic? very interesting!!! looking forward to
> > > trying it out and review it
> > >
> > > /*******************************************
> > >  Joe Stein
> > >  Founder, Principal Consultant
> > >  Big Data Open Source Security LLC
> > >  http://www.stealth.ly
> > >  Twitter: @allthingshadoop <http://www.twitter.com/allthingshadoop>
> > > ********************************************/
> > >
> > >
> > > On Thu, Aug 29, 2013 at 11:22 PM, Rajasekar Elango
> > > <[EMAIL PROTECTED]> wrote:
> > >
> > > > We have made changes to kafka code to support certificate based mutual SSL
> > > > authentication. So the clients and broker will exchange trusted
> > > > certificates for successful communication. This provides both
> > > > authentication and ssl encryption. Planning to contribute that code back to
> > > > kafka soon.
> > > >
> > > > Thanks,
> > > > Raja.
> > > >
> > > >
> > > > On Thu, Aug 29, 2013 at 11:16 PM, Joe Stein <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > One use case I have been discussing recently with a few clients is
> > > > > verifying the digital signature of a message as part of the acceptance
> > > > > criteria of it being committed to the log and/or when it is consumed.
> > > > >
> > > > > I would be very interested in discussing different scenarios such as Kafka
> > > > > as a service, privacy at rest as well as authorization and authentication
> > > > > (if required).
> > > > >
> > > > > Hit me up
> > > > >
> > > > > /*******************************************
> > > > >  Joe Stein
> > > > >  Founder, Principal Consultant
> > > > >  Big Data Open Source Security LLC
> > > > >  http://www.stealth.ly
> > > > >  Twitter: @allthingshadoop <http://www.twitter.com/allthingshadoop>
> > > > > ********************************************/
> > > > >
> > > > >
> > > > > On Thu, Aug 29, 2013 at 8:13 PM, Jay Kreps <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > +1
> > > > > >
> > > > > > We don't have any application-level security at this time so the answer is
> > > > > > whatever you can do at the network/system level.
> > > > > >
> > > > > > -Jay
> > > > > >
> > > > > >
> > > > > > On Thu, Aug 29, 2013 at 10:09 AM, Benjamin Black <[EMAIL PROTECTED]> wrote:
> > > > > >
> > > > > > > IP filters on the hosts.
> > > > > > > On Aug 29, 2013 10:03 AM, "Calvin Lei" <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > > Is there a way to stop a malicious user from connecting directly to a kafka
> > > > > > > > broker and sending any messages? Could we have the brokers accept a message
> > > > > > > > to a list of known IPs?
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Thanks,
> > > > Raja.
> > > >
> > >
> >
> >
> >
> > --
> > Thanks,
> > Raja.
> >
>

 
Jason Rosenberg 2013-09-02, 20:14
Calvin Lei 2013-08-30, 22:23
Scott Clasen 2013-08-31, 00:11