Posted to users@kafka.apache.org by Calvin Lei <ck...@gmail.com> on 2013/08/29 19:02:38 UTC

Securing kafka

Is there a way to stop a malicious user from connecting directly to a Kafka
broker and sending any messages? Could we have the brokers accept a message
from a list of known IPs?

Re: Securing kafka

Posted by Jason Rosenberg <jb...@squareup.com>.
I'm definitely interested in this too.


On Fri, Aug 30, 2013 at 6:03 PM, Jay Kreps <ja...@gmail.com> wrote:

> Yeah, if nobody else does it first, LinkedIn will definitely do Kerberos/SSL
> + Unix permissions at the topic level soonish. If folks already have a head
> start on the auth piece we would love to have that contribution.

Re: Securing kafka

Posted by Jay Kreps <ja...@gmail.com>.
Yeah, if nobody else does it first, LinkedIn will definitely do Kerberos/SSL
+ Unix permissions at the topic level soonish. If folks already have a head
start on the auth piece we would love to have that contribution.


On Fri, Aug 30, 2013 at 5:25 AM, Maxime Brugidou <ma...@gmail.com> wrote:

> We would love to see Kerberos authentication + some Unix-like permission
> system for topics (where one topic is a file and users/groups have read
> and/or write access).
>
> I guess this is not high-priority but it enables some sort of
> kafka-as-a-service possibility with multi-tenancy. You could integrate a
> quota system later on...

Re: Securing kafka

Posted by Maxime Brugidou <ma...@gmail.com>.
We would love to see Kerberos authentication + some Unix-like permission
system for topics (where one topic is a file and users/groups have read
and/or write access).

I guess this is not high-priority but it enables some sort of
kafka-as-a-service possibility with multi-tenancy. You could integrate a
quota system later on...
On Aug 30, 2013 5:38 AM, "Rajasekar Elango" <re...@salesforce.com> wrote:

> No, certificates are not per topic. It is for the entire broker.
>
> Thanks,
> Raja.

Re: Securing kafka

Posted by Rajasekar Elango <re...@salesforce.com>.
No, certificates are not per topic. It is for the entire broker.

Thanks,
Raja.


On Thu, Aug 29, 2013 at 11:33 PM, Joe Stein <cr...@gmail.com> wrote:

> Are the certificate stores by topic? Very interesting!!! Looking forward to
> trying it out and reviewing it.
>
> /*******************************************
>  Joe Stein
>  Founder, Principal Consultant
>  Big Data Open Source Security LLC
>  http://www.stealth.ly
>  Twitter: @allthingshadoop <http://www.twitter.com/allthingshadoop>
> ********************************************/

Re: Securing kafka

Posted by Joe Stein <cr...@gmail.com>.
Are the certificate stores by topic? Very interesting!!! Looking forward to
trying it out and reviewing it.

/*******************************************
 Joe Stein
 Founder, Principal Consultant
 Big Data Open Source Security LLC
 http://www.stealth.ly
 Twitter: @allthingshadoop <http://www.twitter.com/allthingshadoop>
********************************************/


On Thu, Aug 29, 2013 at 11:22 PM, Rajasekar Elango <re...@salesforce.com> wrote:

> We have made changes to Kafka code to support certificate-based mutual SSL
> authentication. So the clients and broker will exchange trusted
> certificates for successful communication. This provides both
> authentication and SSL encryption. Planning to contribute that code back to
> Kafka soon.
>
> Thanks,
> Raja.

Re: Securing kafka

Posted by Calvin Lei <ck...@gmail.com>.
That sounds very interesting. Looking forward to it!
On Aug 29, 2013 11:23 PM, "Rajasekar Elango" <re...@salesforce.com> wrote:

> We have made changes to Kafka code to support certificate-based mutual SSL
> authentication. So the clients and broker will exchange trusted
> certificates for successful communication. This provides both
> authentication and SSL encryption. Planning to contribute that code back to
> Kafka soon.
>
> Thanks,
> Raja.

Re: Securing kafka

Posted by Scott Clasen <sc...@heroku.com>.
Please contribute that back! Would potentially be huge for mirroring
clusters across Amazon Regions, for instance.


On Thu, Aug 29, 2013 at 8:22 PM, Rajasekar Elango <re...@salesforce.com> wrote:

> We have made changes to Kafka code to support certificate-based mutual SSL
> authentication. So the clients and broker will exchange trusted
> certificates for successful communication. This provides both
> authentication and SSL encryption. Planning to contribute that code back to
> Kafka soon.
>
> Thanks,
> Raja.

Re: Securing kafka

Posted by Rajasekar Elango <re...@salesforce.com>.
We have made changes to Kafka code to support certificate-based mutual SSL
authentication. So the clients and broker will exchange trusted
certificates for successful communication. This provides both
authentication and SSL encryption. Planning to contribute that code back to
Kafka soon.

Thanks,
Raja.


On Thu, Aug 29, 2013 at 11:16 PM, Joe Stein <cr...@gmail.com> wrote:

> One use case I have been discussing recently with a few clients is
> verifying the digital signature of a message as part of the acceptance
> criteria of it being committed to the log and/or when it is consumed.
>
> I would be very interested in discussing different scenarios such as Kafka
> as a service, privacy at rest as well as authorization and authentication
> (if required).
>
> Hit me up
>
> /*******************************************
>  Joe Stein
>  Founder, Principal Consultant
>  Big Data Open Source Security LLC
>  http://www.stealth.ly
>  Twitter: @allthingshadoop <http://www.twitter.com/allthingshadoop>
> ********************************************/

Re: Securing kafka

Posted by Joe Stein <cr...@gmail.com>.
One use case I have been discussing recently with a few clients is
verifying the digital signature of a message as part of the acceptance
criteria of it being committed to the log and/or when it is consumed.

I would be very interested in discussing different scenarios such as Kafka
as a service, privacy at rest as well as authorization and authentication
(if required).

Hit me up

/*******************************************
 Joe Stein
 Founder, Principal Consultant
 Big Data Open Source Security LLC
 http://www.stealth.ly
 Twitter: @allthingshadoop <http://www.twitter.com/allthingshadoop>
********************************************/


On Thu, Aug 29, 2013 at 8:13 PM, Jay Kreps <ja...@gmail.com> wrote:

> +1
>
> We don't have any application-level security at this time so the answer is
> whatever you can do at the network/system level.
>
> -Jay

Re: Securing kafka

Posted by Jay Kreps <ja...@gmail.com>.
+1

We don't have any application-level security at this time so the answer is
whatever you can do at the network/system level.

-Jay


On Thu, Aug 29, 2013 at 10:09 AM, Benjamin Black <b...@b3k.us> wrote:

> IP filters on the hosts.
> On Aug 29, 2013 10:03 AM, "Calvin Lei" <ck...@gmail.com> wrote:
>
> > Is there a way to stop a malicious user from connecting directly to a Kafka
> > broker and sending any messages? Could we have the brokers accept a message
> > from a list of known IPs?
> >
>

RE: Securing kafka

Posted by "Sybrandy, Casey" <Ca...@Six3Systems.com>.
Another possible solution is to use stunnel to authenticate clients with a certificate.  It's a bit harder to spoof a certificate than an IP address.

-----Original Message-----
From: Benjamin Black [mailto:b@b3k.us] 
Sent: Thursday, August 29, 2013 1:10 PM
To: users@kafka.apache.org
Subject: Re: Securing kafka

IP filters on the hosts.
On Aug 29, 2013 10:03 AM, "Calvin Lei" <ck...@gmail.com> wrote:

> Is there a way to stop a malicious user from connecting directly to a Kafka
> broker and sending any messages? Could we have the brokers accept a
> message from a list of known IPs?
>

Re: Securing kafka

Posted by Benjamin Black <b...@b3k.us>.
IP filters on the hosts.
On Aug 29, 2013 10:03 AM, "Calvin Lei" <ck...@gmail.com> wrote:

> Is there a way to stop a malicious user from connecting directly to a Kafka
> broker and sending any messages? Could we have the brokers accept a message
> from a list of known IPs?
>
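
The host-level IP filter suggested in this thread, sketched as an added example that is not part of any poster's message: it validates an allowlist and prints the iptables rules for review instead of applying them. The function names, the broker port 9092, the INPUT chain and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: IPv4 only, broker on
# TCP 9092, rules go in the INPUT chain of the broker host.

# Succeed if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    case $1 in
        ''|*[!0-9./]*) return 1 ;;          # digits, dots and slash only
    esac
    addr=${1%/*}
    case $1 in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case $prefix in
        [0-9]|[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in
        .*|*.|*..*) return 1 ;;             # no empty octets
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr                            # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            # Leading zeros are rejected: some parsers read them as octal.
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (do not apply) the rules: accept listed sources, then drop the rest.
# Usage: kafka_allowlist_rules PORT SOURCE [SOURCE...]
kafka_allowlist_rules() {
    port=$1
    [ $# -gt 0 ] && shift
    case $port in
        ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2
        return 2
    fi
    # With an empty allowlist only the DROP rule would remain, cutting off
    # every client and every other broker, so refuse to emit it.
    if [ $# -eq 0 ]; then
        echo "refusing to emit a drop-all rule set: allowlist is empty" >&2
        return 2
    fi
    # Validate everything first so a typo never yields a partial rule set.
    for src in "$@"; do
        if ! valid_ipv4_cidr "$src"; then
            echo "invalid source: $src" >&2
            return 2
        fi
    done
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $src -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed sample allowlist: two producer hosts plus the brokers' own
# subnet (brokers replicate from each other over the same port).
kafka_allowlist_rules 9092 10.0.1.15 10.0.1.16 10.0.2.0/24
```

The ACCEPT rules must precede the final DROP, which is why the output is ordered; review it before running it as root on the broker host.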