Kafka Security Layers
Kafka security has three layers: encryption (TLS, to protect data in transit), authentication (to verify who is connecting), and authorization (to control what an authenticated principal may do). In production you need all three: TLS alone leaves every client anonymous, and authentication without ACLs lets any authenticated client read and write every topic.
| Layer | Mechanism | What It Does |
|---|---|---|
| Encryption | SSL/TLS (Kafka's config keys say `ssl.*`, but the protocol negotiated is TLS) | Encrypts traffic between clients and brokers, and between brokers |
| Authentication | SASL (PLAIN, SCRAM-SHA-256/512, GSSAPI/Kerberos, OAUTHBEARER) or mutual TLS (client certificates on an SSL listener) | Verifies the identity of producers, consumers, admin tools and brokers |
| Authorization | ACLs (Access Control Lists), enforced by the broker's configured authorizer | Controls which principals may produce to, consume from, or administer which topics, consumer groups and the cluster |
SSL/TLS Encryption
```bash
# Generate the broker key pair. CN and SAN must match the hostname clients connect to,
# because clients verify it by default. Self-signed here; in production have your CA sign it.
# "changeit" is a placeholder, not a password to ship.
keytool -keystore kafka.server.keystore.jks -alias broker1 \
  -validity 365 -genkeypair -keyalg RSA -keysize 2048 \
  -dname "CN=broker1" -ext "SAN=DNS:broker1" -storepass changeit
# Build the truststore from the CA certificate that signed the broker (and client) certs.
# ca-cert.pem is an assumed filename for that CA certificate.
keytool -keystore kafka.server.truststore.jks -alias CARoot \
  -importcert -file ca-cert.pem -storepass changeit -noprompt
```

```properties
# broker config (server.properties)
listeners=SSL://broker1:9093
ssl.keystore.location=/var/kafka/ssl/kafka.server.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/var/kafka/ssl/kafka.server.truststore.jks
ssl.truststore.password=changeit
# Encrypt replication and controller traffic between brokers as well
security.inter.broker.protocol=SSL
# Hostname verification is on by default (since Kafka 2.0); an empty value disables it
ssl.endpoint.identification.algorithm=https
# Require client certificates so the SSL listener also authenticates clients (mTLS).
# Leave this at "none" only if authentication comes from SASL on a SASL_SSL listener.
ssl.client.auth=required
```
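The settings above are only as good as what actually lands in server.properties, and the common failures are silent: a leftover PLAINTEXT listener, an empty `ssl.endpoint.identification.algorithm` (which turns hostname verification off), or no authorizer at all. The following audit script is an added example, not code from the original page or from Apache Kafka. It parses a properties file and flags those weak settings next to a hardened configuration. The key names and defaults it relies on are Kafka's (`listeners` defaults to `PLAINTEXT://:9092`, hostname verification to `https`, `ssl.client.auth` to `none`, and no authorizer); the `Finding`, `audit` and `parse_properties` names and both sample configs are constructed for this example.

```python
"""Audit a Kafka server.properties for the weak settings this section warns about.

Added example, not Kafka's code. INSECURE_CONFIG and HARDENED_CONFIG are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    key: str
    message: str


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' or '!' comment lines."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def listener_protocols(cfg):
    """Map each listener name to its security protocol.

    A listener name not present in listener.security.protocol.map is itself a
    protocol name (PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL), which is Kafka's default map.
    """
    proto_map = {}
    for pair in cfg.get("listener.security.protocol.map", "").split(","):
        name, sep, proto = pair.partition(":")
        if sep:
            proto_map[name.strip().upper()] = proto.strip().upper()
    result = {}
    for listener in cfg.get("listeners", "PLAINTEXT://:9092").split(","):
        name = listener.strip().split("://", 1)[0].upper()
        result[name] = proto_map.get(name, name)
    return result


def inter_broker_protocol(cfg, listeners):
    """Protocol brokers use among themselves: via inter.broker.listener.name if set."""
    name = cfg.get("inter.broker.listener.name")
    if name:
        return listeners.get(name.upper(), name.upper())
    return cfg.get("security.inter.broker.protocol", "PLAINTEXT").upper()


def audit(cfg):
    """Return one Finding per weak setting; an empty list means all checks passed."""
    findings = []
    listeners = listener_protocols(cfg)
    protos = set(listeners.values())
    if "PLAINTEXT" in protos:
        findings.append(Finding("listeners", "PLAINTEXT listener: traffic is unencrypted and every client is anonymous"))
    if "SASL_PLAINTEXT" in protos:
        findings.append(Finding("listeners", "SASL_PLAINTEXT listener: credentials and data cross the network unencrypted"))
    ibp = inter_broker_protocol(cfg, listeners)
    if ibp in ("PLAINTEXT", "SASL_PLAINTEXT"):
        findings.append(Finding("security.inter.broker.protocol", f"{ibp}: replication traffic between brokers is unencrypted"))
    if cfg.get("ssl.endpoint.identification.algorithm", "https") == "":
        findings.append(Finding("ssl.endpoint.identification.algorithm", "empty: hostname verification off, any cert the truststore trusts passes"))
    if "SSL" in protos and cfg.get("ssl.client.auth", "none") != "required":
        findings.append(Finding("ssl.client.auth", "SSL listener without 'required': encrypted but unauthenticated clients (or use SASL_SSL)"))
    if not cfg.get("authorizer.class.name"):
        findings.append(Finding("authorizer.class.name", "no authorizer: ACLs are not enforced and adding them via --bootstrap-server fails"))
    elif cfg.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append(Finding("allow.everyone.if.no.acl.found", "true: every resource without an ACL is open to all authenticated principals"))
    return findings


# Constructed: the tutorial's SSL settings plus a leftover PLAINTEXT listener and two weak values.
INSECURE_CONFIG = """
listeners=PLAINTEXT://broker1:9092,SSL://broker1:9093
ssl.keystore.location=/var/kafka/ssl/kafka.server.keystore.jks
ssl.keystore.password=changeit
ssl.truststore.location=/var/kafka/ssl/kafka.server.truststore.jks
ssl.truststore.password=changeit
ssl.endpoint.identification.algorithm=
allow.everyone.if.no.acl.found=true
"""

# Constructed: SCRAM over TLS everywhere, authorizer enabled, closed by default.
HARDENED_CONFIG = """
listeners=SASL_SSL://broker1:9094
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
ssl.keystore.location=/var/kafka/ssl/kafka.server.keystore.jks
ssl.keystore.password=changeit
ssl.truststore.location=/var/kafka/ssl/kafka.server.truststore.jks
ssl.truststore.password=changeit
# ZooKeeper-based clusters use kafka.security.authorizer.AclAuthorizer instead
authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:admin
"""

if __name__ == "__main__":
    for label, text in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(parse_properties(text)))} finding(s)")
        for f in audit(parse_properties(text)):
            print(f"  {f.key}: {f.message}")
```

Run it against a real broker's server.properties by reading the file into `parse_properties`; the insecure sample produces five findings and the hardened one none. The `ssl.client.auth` check deliberately fires only for an `SSL` listener, since on a `SASL_SSL` listener identity comes from SASL and client certificates are optional.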
ACL Authorization
ACLs are only enforced when the broker has an authorizer configured: set `authorizer.class.name` in server.properties (`kafka.security.authorizer.AclAuthorizer` on ZooKeeper-based clusters, `org.apache.kafka.metadata.authorizer.StandardAuthorizer` in KRaft mode) and keep `allow.everyone.if.no.acl.found=false`, otherwise any resource without an ACL is open to every authenticated client. Brokers and operators that must bypass ACLs are listed in `super.users`. With the SSL listener configured above there is no plaintext port 9092, so the admin tool must itself connect over TLS; `admin.properties` below is an assumed name for a client properties file holding its `security.protocol` and `ssl.*` (or SASL) settings.

```bash
# Allow user "producer-app" to write to the "orders" topic
# (--producer --topic orders is the shorthand that also grants Describe and Create)
kafka-acls.sh --bootstrap-server broker1:9093 --command-config admin.properties \
  --add --allow-principal User:producer-app \
  --operation Write --topic orders
# Allow user "consumer-app" to read from "orders" with group "order-processors".
# A consumer needs Read on the topic AND Read on its group; this adds both ACLs.
kafka-acls.sh --bootstrap-server broker1:9093 --command-config admin.properties \
  --add --allow-principal User:consumer-app \
  --operation Read --topic orders \
  --group order-processors
# List all ACLs (add --topic orders to list only those on one topic)
kafka-acls.sh --bootstrap-server broker1:9093 --command-config admin.properties --list
```
Key Takeaway: In production, enable TLS for encryption, SASL/SCRAM (over a SASL_SSL listener, never SASL_PLAINTEXT) or mutual TLS for authentication, and ACLs with an authorizer enabled and `allow.everyone.if.no.acl.found=false` for topic- and group-level authorization. Never run Kafka with no security in production: anyone who can reach the broker port can read, write and delete all of your data.
Practice Exercises
- Build a Mini Project (Medium): Combine concepts from this tutorial to build a small utility or tool.
- Debug Challenge (Medium): Introduce a bug in one of the code examples and practice finding and fixing it.
- Refactoring Exercise (Hard): Rewrite one example using a different approach and compare the tradeoffs.