How to Secure Kafka: Best Practices and Configuration
To secure Kafka, enable SSL/TLS encryption for data in transit, configure SASL for client authentication, and use ACLs for authorization control. These steps protect Kafka from unauthorized access and ensure data privacy.

Syntax
Kafka security involves configuring these key settings in server.properties and client configs:
- SSL/TLS: Enable encryption with ssl.keystore.location, ssl.truststore.location, and related properties.
- SASL: Set sasl.mechanism and security.protocol for authentication.
- ACLs: Use Kafka's kafka-acls.sh tool to define access control lists.
```properties
# Client config (producer/consumer): protocol used to reach the broker
security.protocol=SASL_SSL

# Broker config (server.properties): TLS key material and enabled SASL mechanisms
ssl.keystore.location=/path/to/kafka.server.keystore.jks
ssl.keystore.password=your_keystore_password
ssl.key.password=your_key_password
ssl.truststore.location=/path/to/kafka.server.truststore.jks
ssl.truststore.password=your_truststore_password
sasl.enabled.mechanisms=PLAIN

# ACL example command
bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Alice --operation Read --topic my-topic
```

Example
This example shows how to enable SSL encryption and SASL/PLAIN authentication on a Kafka broker and how to create an ACL that allows a user to read a topic.
```bash
# server.properties snippet
listeners=SASL_SSL://:9093
advertised.listeners=SASL_SSL://your.kafka.broker:9093
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=PLAIN
# PLAIN must also be in the enabled list, or the broker falls back to its default mechanism
sasl.enabled.mechanisms=PLAIN
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=changeit

# Create ACL to allow user 'Alice' to read 'my-topic'
./bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Alice --operation Read --topic my-topic
```
Output
Added ACLs for resource `Topic:my-topic` with operation `Read` for principal `User:Alice`.
Common Pitfalls
- Not enabling encryption leads to data sent in plain text, risking interception.
- Misconfiguring SASL mechanisms causes authentication failures.
- Forgetting to set ACLs leaves topics open to unauthorized access.
- Using default or weak passwords for keystores and truststores reduces security.
```properties
# Wrong: missing security.protocol
listeners=SSL://:9093

# Right: include security.protocol
listeners=SSL://:9093
security.protocol=SSL
```
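The pitfalls above can be caught before deployment by linting the property files. The following is an added example, not code from the page or from Kafka itself; it uses a constructed broker/client pair (the page's snippet with its placeholder passwords, plus a cleartext listener and a client whose SASL mechanism the broker does not enable) and an assumed deny-list of weak passwords.

```python
"""Lint Kafka broker and client property files for the pitfalls listed above."""
from typing import Dict, List

# Constructed samples (not a real deployment): the broker snippet from this page,
# an extra cleartext listener, and a client whose SASL mechanism the broker lacks.
BROKER_PROPS = """
listeners=SASL_SSL://:9093,PLAINTEXT://:9092
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=PLAIN
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.password=changeit
"""
CLIENT_PROPS = "security.protocol=SASL_SSL\nsasl.mechanism=SCRAM-SHA-512\n"
WEAK_PASSWORDS = {"", "changeit", "password", "kafka", "secret"}  # assumed deny-list

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: key=value lines; '#' comments and blanks ignored."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(broker: Dict[str, str], client: Dict[str, str]) -> List[str]:
    """Return one finding per detected pitfall; an empty list means all checks pass."""
    findings: List[str] = []
    # Pitfall: a PLAINTEXT or SASL_PLAINTEXT listener sends records in clear text.
    for listener in broker.get("listeners", "").split(","):
        if listener.split("://", 1)[0].strip() in ("PLAINTEXT", "SASL_PLAINTEXT"):
            findings.append(f"unencrypted listener: {listener.strip()}")
    # Pitfall: the client's sasl.mechanism must be in the broker's enabled list,
    # otherwise every connection fails authentication.
    enabled = {m.strip() for m in broker.get("sasl.enabled.mechanisms", "").split(",")}
    mech = client.get("sasl.mechanism")
    if client.get("security.protocol", "").startswith("SASL") and mech not in enabled:
        findings.append(f"client mechanism {mech} not enabled on broker {sorted(enabled)}")
    # Pitfall: default or weak keystore/truststore passwords.
    for key in ("ssl.keystore.password", "ssl.key.password", "ssl.truststore.password"):
        if key in broker and broker[key].lower() in WEAK_PASSWORDS:
            findings.append(f"weak password for {key}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_properties(BROKER_PROPS), parse_properties(CLIENT_PROPS)):
        print("FINDING:", finding)
```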
Quick Reference
| Security Feature | Purpose | Key Configurations / Commands |
|---|---|---|
| SSL/TLS Encryption | Encrypt data in transit | ssl.keystore.location, ssl.truststore.location, security.protocol=SSL or SASL_SSL |
| SASL Authentication | Authenticate clients | sasl.enabled.mechanisms, security.protocol=SASL_SSL |
| ACL Authorization | Control access to topics | kafka-acls.sh --add --allow-principal User: |
| Keystore Passwords | Protect keys | Use strong passwords for keystore and truststore files |
Key Takeaways
- Always enable SSL/TLS to encrypt Kafka network traffic.
- Use SASL mechanisms like PLAIN or SCRAM for client authentication.
- Define ACLs to restrict topic access to authorized users only.
- Secure keystore and truststore files with strong passwords.
- Test your security settings in a staging environment before production.