
Security best practices in Kafka - Commands & Configuration

Introduction
Kafka is a system that moves messages between programs. Security best practices help keep these messages safe from hackers and mistakes.
When you want to make sure only trusted users can send or read messages.
When you need to protect sensitive data moving through Kafka from being seen by others.
When you want to stop outsiders from connecting to your Kafka servers.
When you want to keep track of who accessed or changed Kafka data.
When you want to make sure messages are not changed or lost during transfer.
Config File - server.properties
listeners=SASL_SSL://:9093
advertised.listeners=SASL_SSL://localhost:9093
security.inter.broker.protocol=SASL_SSL
# PLAIN transmits the password itself, so it is only acceptable inside a TLS (SASL_SSL) listener.
# Broker and user credentials for PLAIN come from the broker's JAAS configuration, not from this file.
sasl.enabled.mechanisms=PLAIN
sasl.mechanism.inter.broker.protocol=PLAIN
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
# 'changeit' is the JDK default keystore password; replace it with a strong, unique value.
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=changeit
# Legacy ZooKeeper-based authorizer; Kafka 2.4+ ships kafka.security.authorizer.AclAuthorizer
# and KRaft clusters use org.apache.kafka.metadata.authorizer.StandardAuthorizer.
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
# Default-deny: a resource with no matching ACL is inaccessible except to super.users.
allow.everyone.if.no.acl.found=false
super.users=User:admin

listeners: Binds the client listener on port 9093 with SASL_SSL, i.e. TLS encryption plus SASL authentication.
advertised.listeners: The address the broker hands to clients for connecting (here localhost:9093).
security.inter.broker.protocol: Encrypts and authenticates traffic between brokers.
sasl.enabled.mechanisms: Enables PLAIN authentication; PLAIN sends the password itself, so it relies on the SASL_SSL listener's TLS to keep it off the wire.
ssl.keystore.location/password: Location and password for the broker's private key and certificate.
ssl.truststore.location/password: Location and password for the CA certificates the broker trusts.
authorizer.class.name: Enables the authorizer that enforces access control lists (ACLs).
allow.everyone.if.no.acl.found: Denies access when a resource has no matching ACL (default-deny); leaving it true would open every unprotected topic.
super.users: Principals with unrestricted access that bypass ACL checks; keep this list minimal.

Commands
This command adds permission for user 'alice' to read messages from 'my-topic'. It controls who can access the topic.
Terminal:
kafka-acls --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:alice --operation Read --topic my-topic
Expected output:
Added ACLs.
--authorizer-properties zookeeper.connect - Writes the ACL directly to ZooKeeper (legacy form; brokers that serve ACLs over the API take --bootstrap-server with --command-config instead)
--add - Adds a new ACL rule
--allow-principal - The principal (User:alice) being granted access
--operation - The permitted action (Read)
--topic - The topic the ACL applies to
This command sets the password for user 'alice' to authenticate securely with Kafka.
Terminal:
kafka-configs --zookeeper localhost:2181 --alter --add-config 'SCRAM-SHA-256=[password=alice-secret]' --entity-type users --entity-name alice
Expected output:
Updated config for user alice.
--alter - Changes the existing user config
--add-config - Stores a SCRAM credential for the user. Per-user passwords managed through kafka-configs exist only for SCRAM, so the broker must list SCRAM-SHA-256 (or SCRAM-SHA-512) in sasl.enabled.mechanisms; with the PLAIN mechanism shown in server.properties, users and passwords are defined in the broker's JAAS configuration instead, and sasl.jaas.config is a client/broker property, not a user-entity config.
This command checks the details of 'my-topic' to verify it exists and is accessible.
Terminal:
kafka-topics --bootstrap-server localhost:9093 --command-config client.properties --describe --topic my-topic
Expected output:
Topic: my-topic PartitionCount: 1 ReplicationFactor: 1 Configs:
Topic: my-topic Partition: 0 Leader: 1 Replicas: 1 Isr: 1
--describe - Shows topic details
--bootstrap-server - Connects to the broker's SASL_SSL listener on port 9093
--command-config - Client-side security settings (security.protocol=SASL_SSL, sasl.mechanism=PLAIN, sasl.jaas.config with alice's credentials, and ssl.truststore.location/password); the file name client.properties is an assumption here. Without it the client speaks plaintext to a TLS port and the command fails.
Key Concept

If you remember nothing else from this pattern, remember: securing Kafka means controlling who connects, encrypting data, and setting clear permissions.

Common Mistakes
Not enabling SSL or SASL, leaving Kafka open without encryption or authentication.
This allows anyone to connect and read or write messages, risking data leaks or tampering.
Always enable SSL for encryption and SASL for authentication in Kafka configuration.
Setting allow.everyone.if.no.acl.found=true, which lets anyone access topics without ACLs.
This defeats the purpose of access control and can expose sensitive data.
Set allow.everyone.if.no.acl.found=false to deny access if no ACL is defined.
Using weak or default passwords for SASL users.
Weak passwords can be guessed, allowing attackers to impersonate users.
Use strong, unique passwords and rotate them regularly.
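As an added example (not part of the original page or of the Kafka project), a small Python checker that parses a server.properties file and flags the settings the configuration section and the Common Mistakes above warn about: unencrypted listeners, PLAIN over a non-TLS listener, a missing authorizer, allow.everyone.if.no.acl.found=true, and keystore passwords left at the JDK default 'changeit'. The sample properties text is constructed for the example.

```python
import re

# Constructed sample input: the page's server.properties with a PLAINTEXT listener added
SAMPLE_PROPS = """\
listeners=SASL_SSL://:9093,PLAINTEXT://:9092
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=PLAIN
ssl.keystore.password=changeit
ssl.truststore.password=changeit
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=false
"""

# Well-known defaults; 'changeit' is the JDK's default keystore password
WEAK_PASSWORDS = {"", "changeit", "password", "kafka", "secret"}
ENCRYPTED = {"SSL", "SASL_SSL"}  # listener protocols that carry TLS

def parse_properties(text):
    """Minimal Java .properties parser: 'key=value' or 'key:value', '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(props):
    """Return (severity, key, message) findings for the settings this page covers."""
    findings = []
    listeners = [l.strip() for l in props.get("listeners", "").split(",") if l.strip()]
    for l in listeners:
        if l.split("://", 1)[0] not in ENCRYPTED:
            findings.append(("HIGH", "listeners", f"{l} accepts unencrypted connections"))
    if props.get("security.inter.broker.protocol", "PLAINTEXT") not in ENCRYPTED:
        findings.append(("HIGH", "security.inter.broker.protocol", "broker-to-broker traffic is unencrypted"))
    mechs = {m.strip() for m in props.get("sasl.enabled.mechanisms", "").split(",")}
    if "PLAIN" in mechs and any(l.startswith("SASL_PLAINTEXT") for l in listeners):
        findings.append(("HIGH", "sasl.enabled.mechanisms", "PLAIN exposes passwords on a SASL_PLAINTEXT listener"))
    if "authorizer.class.name" not in props:
        findings.append(("HIGH", "authorizer.class.name", "no authorizer configured, ACLs are not enforced"))
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append(("HIGH", "allow.everyone.if.no.acl.found", "resources without an ACL are open to everyone"))
    for key in ("ssl.keystore.password", "ssl.key.password", "ssl.truststore.password"):
        if key in props and props[key] in WEAK_PASSWORDS:
            findings.append(("MEDIUM", key, "default or weak keystore password"))
    return findings
```

Run audit(parse_properties(open("server.properties").read())) against a real broker config; an empty list means none of the checks above fired.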
Summary
Configure Kafka to use SSL and SASL for encrypted and authenticated connections.
Use ACLs to control which users can read or write to specific topics.
Verify topic access and user permissions with Kafka CLI commands.