Kafka Security 101
& Real World Tips
Stephane Maarek - DataCumulus
My Kafka Security Journey
Stephane, implement
Kafka Security!
Who am I?
• I’m Stephane!
• Consultant & Solution Architect at DataCumulus
• Apache Kafka Series video courses on Udemy
• Full production deployments (with security)
• You can find me on
• GitHub: https://github.com/simplesteph
• LinkedIn: https://www.linkedin.com/in/stephanemaarek
• Medium: https://medium.com/@stephane.maarek
• Twitter: https://twitter.com/stephanemaarek
• Udemy: https://udemy.com/stephane-maarek
Who has not secured Kafka?
Kafka without Security is RISKY
5 disastrous scenarios
1. Read all your data
2. Write to any topic and break your consumers
3. Intercept and read plaintext network packets
4. Delete all your Kafka data in one command without SSH
5. Kafka Connect? Database Credentials are in a Kafka Topic, plaintext
You need Kafka Security
If you intend to make Kafka a cornerstone of your infrastructure
What’s Kafka Security?
Disclaimer: the source of truth is always the documentation
Kafka Security in three words
Encryption
Authentication
Authorization
Encryption in Kafka
• SSL encryption = secure communications
• Similar to HTTPS
[Diagram: a Kafka client (producer / consumer) sends a "super secret message" to the Kafka brokers. Over port 9093 (SSL) the network carries only encrypted data; over port 9092 (PLAINTEXT) the message travels in the clear.]
SSL, Concretely?
• Create a Certificate Authority (CA)
• Generate certificates for your brokers, sign them
• Make sure your broker and clients trust the CA Root.
ssl.keystore.location=/home/ubuntu/ssl/kafka.server.keystore.jks
ssl.keystore.password=serversecret
ssl.key.password=serversecret
ssl.truststore.location=/home/ubuntu/ssl/kafka.server.truststore.jks
ssl.truststore.password=serversecret
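The three steps above as an added, runnable example (not code from the deck): it uses openssl only, so no JDK is needed, and produces a CA, a broker certificate whose SAN matches the broker hostname, a PKCS12 keystore and a PEM truststore. Assumptions: the broker is configured with ssl.keystore.type=PKCS12 and (Kafka 2.7+) ssl.truststore.type=PEM; the output directory, hostname and password are constructed arguments.

```shell
#!/bin/sh
# Added example, not part of the original deck. Builds the SSL material for one broker.
set -e

# make_broker_ssl <outdir> <broker-hostname> <keystore-password>
make_broker_ssl() {
  out=$1; host=$2; pass=$3
  mkdir -p "$out"

  # 1. Certificate Authority: private key plus self-signed root certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Kafka Internal CA" \
    -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null

  # 2. Broker private key and certificate signing request.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$out/broker.key" -out "$out/broker.csr" 2>/dev/null

  # 3. Sign the CSR with the CA. The SAN must equal the advertised listener hostname:
  #    clients verify it (ssl.endpoint.identification.algorithm=https is the default since 2.0).
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$host" \
    > "$out/broker.ext"
  openssl x509 -req -in "$out/broker.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
    -CAcreateserial -days 365 -extfile "$out/broker.ext" -out "$out/broker.crt" 2>/dev/null

  # 4. Keystore: PKCS12 bundle holding the broker key, its certificate and the CA chain.
  openssl pkcs12 -export -name kafka-broker \
    -inkey "$out/broker.key" -in "$out/broker.crt" -certfile "$out/ca.crt" \
    -passout "pass:$pass" -out "$out/kafka.server.keystore.p12"

  # 5. Truststore: only the CA root. Brokers and clients trust the CA, never a broker cert directly.
  cp "$out/ca.crt" "$out/kafka.truststore.pem"
  chmod 600 "$out"/*.key "$out"/*.p12

  # Matching broker settings (assumption: Kafka 2.7+ for the PEM truststore):
  #   ssl.keystore.type=PKCS12
  #   ssl.keystore.location=<outdir>/kafka.server.keystore.p12
  #   ssl.keystore.password=<keystore-password>
  #   ssl.truststore.type=PEM
  #   ssl.truststore.location=<outdir>/kafka.truststore.pem
}

# verify_broker_cert <outdir> <broker-hostname>: prints "ok" when the chain validates
# against the CA and the SAN carries the hostname, otherwise "bad-chain" or "bad-san".
verify_broker_cert() {
  out=$1; host=$2
  openssl verify -CAfile "$out/ca.crt" "$out/broker.crt" >/dev/null 2>&1 \
    || { echo "bad-chain"; return 1; }
  openssl x509 -in "$out/broker.crt" -noout -text | grep -q "DNS:$host" \
    || { echo "bad-san"; return 1; }
  echo ok
}
```

Run verify_broker_cert after every certificate rotation; a SAN that no longer matches advertised.listeners is the most common cause of clients failing the handshake after a renewal.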
SSL in the Real World
• SSL lowers the performance of your brokers
• You lose the zero-copy optimization
• Kafka heap usage increases
• CPU usage increases
• SSL only allows to encrypt data in flight
• Data at rest sits un-encrypted on Kafka Disk
What about end-to-end encryption?
• Closed source: Apple
• Open source:
• https://github.com/Quicksign/kafka-encryption
• https://github.com/nucypher/kafka-oss
• POC in progress at DataCumulus
[Diagram: the producer encrypts data before sending it, Kafka stores the encrypted data as received (even over a PLAINTEXT listener), and the consumer decrypts it after reading.]
Check Point
Encryption
Authentication
Authorization
Authentication in Kafka
• Clients need to have and prove their identity
• ~= Login (username / password or token)
[Diagram: the Kafka client sends authentication data to the Kafka broker, the broker verifies it, and the client is authenticated.]
99 Forms Of Authentication
But Easy Ain’t One
• SSL Authentication: two way client authentication
• SASL (Simple Authentication and Security Layer):
• SASL/GSSAPI (Kerberos) – v0.9.0.0+ - Enterprises (Microsoft AD)
• SASL/PLAIN – v0.10.0.0+ - Passwords hardcoded in broker
• SASL/SCRAM-SHA-256/512 – v0.10.2.0+ - Passwords in Zookeeper (secure it)
• SASL/OAUTHBEARER – v2.0+ - Leverage OAuth 2
• Write your own (contribute back!)
• Extend SASL/PLAIN and SASL/SCRAM with KIP-86 (change credentials store)
• Real world advice:
choose the authentication mechanism you already have in your enterprise
Take-aways from the battlefield
• SSL authentication makes it really hard to revoke authentication
• SASL (Simple Authentication and Security Layer) is not simple (YMMV)
• Kerberos is by far the hardest to setup right. Errors are cryptic
• This is the most challenging part of the Kafka security journey
Authentication in Kerberos, concretely?
1. Create Kerberos or use Active Directory
2. Ensure Kafka servers have correct CNAME & hostname
3. Generate credentials for the brokers
4. Generate KeyTabs for the brokers from the credentials
5. Create a JAAS file:
KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab="/tmp/kafka.service.keytab"
principal="kafka/<<KAFKA-SERVER-INTERNAL-DNS>>@KAFKA.SECURE";
};
Authentication in Kerberos, concretely?
Continued…
• Start Kafka and use java options to reference the JAAS file
• Add properties to Kafka:
advertised.listeners=SASL_SSL://<<KAFKA-SERVER-DNS>>:9094
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka
• Start Kafka
• Pray!
Real-World Tips: Authentication
• Turn on DEBUG log during setup!
• Go slow
• Ensure CNAME and PTR records are correct
• Scrap and repeat (start over from scratch) can sometimes solve issues
• Automate
Almost there…
Encryption
Authentication
Authorization
Authorisation in Kafka
• Kafka knows our client’s identity
• + Authorization rules:
• "User alice can read topic finance"
• "User bob cannot write topic trucks"
• = Security
• ACL (Access Control Lists) have to be maintained by administrators
ACLs, where are they?
• Default: ACLs are stored in Zookeeper
• Must secure Zookeeper (network rules or authentication)
• OR write your own authorizer (AD, LDAP, a database, Kafka…)
Managing ACLs
Producers
• Adding Permissions:
~/kafka/bin/kafka-acls.sh \
--authorizer-properties zookeeper.connect=<<ZOOKEEPER-DNS>>:2181 \
--add --allow-principal User:myproducer --operation Write --topic mytopic
• Shortcut for producer:
~/kafka/bin/kafka-acls.sh \
--authorizer-properties zookeeper.connect=<<ZOOKEEPER-DNS>>:2181 \
--add --allow-principal User:myproducer --producer --topic mytopic
Managing ACLs
Consumers
• Adding Permissions (a consumer needs Read on the topic and Read on its consumer group):
~/kafka/bin/kafka-acls.sh \
--authorizer-properties zookeeper.connect=<<ZOOKEEPER-DNS>>:2181 \
--add --allow-principal User:myconsumer --operation Read --topic mytopic
~/kafka/bin/kafka-acls.sh \
--authorizer-properties zookeeper.connect=<<ZOOKEEPER-DNS>>:2181 \
--add --allow-principal User:myconsumer --operation Read --group mygroup
• Shortcut for consumers:
~/kafka/bin/kafka-acls.sh \
--authorizer-properties zookeeper.connect=<<ZOOKEEPER-DNS>>:2181 \
--add --allow-principal User:writer --consumer --topic mytopic --group mygroup
Managing ACLs at Scale?
• Look into Kafka Security Manager
(https://github.com/simplesteph/kafka-security-manager )
Real World Tips on ACLs
• Authorisation denials will be logged as INFO in the Kafka log.
• Define your broker as super users
• Careful with: allow.everyone.if.no.acl.found=true
• ACLs can be applied to:
• Topics: Create, Read, Describe, Write, etc.
• Groups: Read, Write, Describe
• Cluster: DescribeConfigs, AlterConfigs, Create
• Wildcards are supported in Kafka 2.0! (useful for Kafka Streams)
Cluster Security
[Diagram: clients connect to the brokers of the Kafka cluster over SASL_SSL; the brokers connect to the Zookeeper cluster over SASL.]
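Before calling the server secured, the settings from the tips above can be checked mechanically. This added example (not from the deck) audits a broker server.properties for the weak settings the deck warns about, with a constructed weak config next to a hardened one; the property names are real Kafka broker settings, the sample values are constructed.

```shell
#!/bin/sh
# Added example, not part of the original deck: audit server.properties before go-live.
set -e

# Constructed weak config: PLAINTEXT listener left open, no authorizer, open-by-default
# ACLs, hostname verification switched off, Zookeeper znodes left without ACLs.
WEAK_SERVER_PROPERTIES='broker.id=1
listeners=PLAINTEXT://0.0.0.0:9092,SASL_SSL://0.0.0.0:9094
allow.everyone.if.no.acl.found=true
ssl.endpoint.identification.algorithm=
zookeeper.connect=zk1:2181'

# Constructed hardened config for the same broker.
HARDENED_SERVER_PROPERTIES='broker.id=1
listeners=SASL_SSL://0.0.0.0:9094
security.inter.broker.protocol=SASL_SSL
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:kafka
zookeeper.set.acl=true
zookeeper.connect=zk1:2181'

# prop_value <file> <key>: last value set for the key, empty when absent
prop_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# prop_present <file> <key>: succeeds when the key appears, even with an empty value
prop_present() {
  grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# audit_server_properties <file>: prints one finding per line
audit_server_properties() {
  f=$1
  [ "$(prop_value "$f" allow.everyone.if.no.acl.found)" = "true" ] &&
    echo "allow.everyone.if.no.acl.found=true: resources without an ACL are open to every authenticated client"
  [ -z "$(prop_value "$f" authorizer.class.name)" ] &&
    echo "authorizer.class.name unset: no authorizer loaded, ACLs are never checked"
  case "$(prop_value "$f" listeners)" in
    *PLAINTEXT://*) echo "listeners include a PLAINTEXT transport: traffic on that port is unencrypted" ;;
  esac
  [ -z "$(prop_value "$f" super.users)" ] &&
    echo "super.users unset: brokers need super user rights once an authorizer is on"
  prop_present "$f" ssl.endpoint.identification.algorithm &&
    [ -z "$(prop_value "$f" ssl.endpoint.identification.algorithm)" ] &&
    echo "ssl.endpoint.identification.algorithm empty: hostname verification disabled"
  [ "$(prop_value "$f" zookeeper.set.acl)" = "true" ] ||
    echo "zookeeper.set.acl not true: broker znodes (ACLs included) carry no Zookeeper ACLs"
  return 0
}

# audit_finding_count <file>: number of findings, 0 means nothing to fix
audit_finding_count() {
  audit_server_properties "$1" | wc -l | tr -d ' '
}
```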
Kafka Server is Secured! Done?
Encryption
Authentication
Authorization
Security Journey
Continued…
Stephane, secure
Kafka Clients!
[Diagram: broker security on one side, client security on the other, and YOU in the middle.]
Kafka Client Security
is the real challenge
• Technical Challenge:
• Java Clients: easy
• Non Java Clients: please use a client that wraps librdkafka
• People Challenge:
• Kafka Administrator: I’m a security guru! But I don’t want to secure all the apps
• Kafka Developer: wt* is security?
Client Security in Java
security.protocol=SASL_SSL
sasl.kerberos.service.name=kafka
ssl.truststore.location=/home/kafka/ssl/kafka.client.truststore.jks
ssl.truststore.password=clientpass
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
  useKeyTab=true \
  storeKey=true \
  useTicketCache=false \
  keyTab="/etc/security/keytabs/client.service.keytab" \
  principal="clientusername";
• It’s not fun
• It’s not easy
• It’s error prone
Kafka Clients are not tailored to your
security needs
• Observation 1: Default Kafka clients expose every option for security
• Observation 2: Your enterprise will only have one security setup
• Observation 3: Every client security configuration will look the same
• Take-away: don’t use the default Kafka clients
Real World Advice #1
Distribute your own wrapped Kafka Clients
• Developers love nice APIs:
• Standardized applications
• No copy and paste errors
• Centralized debugging
• Reduced learning curve for devs
new MyCorpKafkaProducer(bootstrapServers, keySerializer, valueSerializer)
.withSSL(sslEnabled, pathToTrustStore)
.withAuth(authEnabled, pathToKeyTab, usernameOrPrincipal)
.withSchemaRegistry(url)
.withExtraProperties(properties)
.build()
Real World Advice #2
Create a Kafka Client Base Docker Image
Security at scale goes hand in hand with consistency.
• Embed modified Java Truststore
• Standard Retrieval of SSL certificates
• Standard Retrieval of Credentials from Vault / Secure Store
• Kafka environment switches, Security switches
• Bootstrap Server Discovery & Schema Registry Discovery
• Extend to Kafka Connect & Schema Registry
Real World Advice #3
Make a checklist before going to prod
• What’s the application username?
• Are all ACLs listed and created?
• Is the application using the MyCorp Kafka clients?
• Is the application running in the standardized Docker Container?
• Are quotas defined for this application?
• Is the application monitored?
• …Check? Release!
Next steps
Where to take your learning from here!
Okay, I want to implement security!
What’s next?
• Read the docs:
• Kafka Documentation: https://kafka.apache.org/documentation/#security
• Confluent Documentation: https://docs.confluent.io/current/security.html
• Read some blogs:
• https://medium.com/@stephane.maarek/introduction-to-apache-kafka-security-c8951d410adf
• https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
• Video Course:
• Confluent YouTube: https://www.youtube.com/watch?v=MsQo-yoVleU&t=21s
• Udemy: https://www.udemy.com/apache-kafka-security (coupon KAFKASUMMIT18)
Thank you!
Any questions?

 
How is Real-Time Analytics Different from Traditional OLAP?
How is Real-Time Analytics Different from Traditional OLAP?How is Real-Time Analytics Different from Traditional OLAP?
How is Real-Time Analytics Different from Traditional OLAP?
 
SFBA Splunk Usergroup meeting March 13, 2024
SFBA Splunk Usergroup meeting March 13, 2024SFBA Splunk Usergroup meeting March 13, 2024
SFBA Splunk Usergroup meeting March 13, 2024
 
Cash Is Still King: ATM market research '2023
Cash Is Still King: ATM market research '2023Cash Is Still King: ATM market research '2023
Cash Is Still King: ATM market research '2023
 
Master's Thesis - Data Science - Presentation
Master's Thesis - Data Science - PresentationMaster's Thesis - Data Science - Presentation
Master's Thesis - Data Science - Presentation
 
The Universal GTM - how we design GTM and dataLayer
The Universal GTM - how we design GTM and dataLayerThe Universal GTM - how we design GTM and dataLayer
The Universal GTM - how we design GTM and dataLayer
 
5 Ds to Define Data Archiving Best Practices
5 Ds to Define Data Archiving Best Practices5 Ds to Define Data Archiving Best Practices
5 Ds to Define Data Archiving Best Practices
 

Paris FOD meetup - kafka security 101

1. Kafka Security 101 & Real World Tips
   Stephane Maarek - DataCumulus

2. My Kafka Security Journey
   Stephane, implement Kafka Security!

3. Who am I?
   • I’m Stephane!
   • Consultant & Solution Architect at DataCumulus
   • Apache Kafka Series Video Courses on Udemy
   • Full production deployments (with security)
   • You can find me on
     • GitHub: https://github.com/simplesteph
     • LinkedIn: https://www.linkedin.com/in/stephanemaarek
     • Medium: https://medium.com/@stephane.maarek
     • Twitter: https://twitter.com/stephanemaarek
     • Udemy: https://udemy.com/stephane-maarek

4. Who has not secured Kafka?

5. Kafka without Security is RISKY
   5 disastrous scenarios
   1. Read all your data
   2. Write to any topic and break your consumers
   3. Intercept and read plaintext network packets
   4. Delete all your Kafka data in one command without SSH
   5. Kafka Connect? Database credentials are in a Kafka topic, in plaintext

6. You need Kafka Security
   If you intend to make Kafka a cornerstone of your infrastructure

7. What’s Kafka Security?
   Disclaimer: the source of truth is always the documentation

8. Kafka Security in three words
   Encryption
   Authentication
   Authorization

9. Encryption in Kafka
   • SSL encryption = secure communications
   • Similar to HTTPS
   [Diagram: Kafka client (producer / consumer) to Kafka brokers. On port 9092 (PLAINTEXT) the "super secret message" crosses the wire readable; on port 9093 (SSL) only encrypted data crosses the wire.]

10. SSL, Concretely?
   • Create a Certificate Authority (CA)
   • Generate certificates for your brokers, sign them
   • Make sure your brokers and clients trust the CA root.
     ssl.keystore.location=/home/ubuntu/ssl/kafka.server.keystore.jks
     ssl.keystore.password=serversecret
     ssl.key.password=serversecret
     ssl.truststore.location=/home/ubuntu/ssl/kafka.server.truststore.jks
     ssl.truststore.password=serversecret

11. SSL in the Real World
   • SSL lowers the performance of your brokers
     • You lose the zero-copy optimization
     • Kafka heap usage increases
     • CPU usage increases
   • SSL only encrypts data in flight
     • Data at rest sits unencrypted on the Kafka disk

12. What about end-to-end encryption?
   • Closed source: Apple
   • Open source:
     • https://github.com/Quicksign/kafka-encryption
     • https://github.com/nucypher/kafka-oss
   • POC in progress at DataCumulus
   [Diagram: the producer encrypts data, it crosses Kafka (PLAINTEXT) as encrypted data, and the consumer decrypts it.]

14. Authentication in Kafka
   • Clients need to have and prove their identity
   • ~= Login (username / password or token)
   [Diagram: Kafka client sends authentication data to the Kafka broker, the broker verifies it, the client is authenticated.]

15. 99 Forms Of Authentication But Easy Ain’t One
   • SSL Authentication: two-way client authentication
   • SASL (Simple Authentication and Security Layer):
     • SASL/GSSAPI (Kerberos) – v0.9.0.0+ - Enterprises (Microsoft AD)
     • SASL/PLAIN – v0.10.0.0+ - Passwords hardcoded in broker
     • SASL/SCRAM-SHA-256/512 – v0.10.2.0+ - Passwords in Zookeeper (secure it)
     • SASL/OAUTHBEARER – v2.0+ - Leverage OAuth 2
   • Write your own (contribute back!)
   • Extend SASL/PLAIN and SASL/SCRAM with KIP-86 (change credentials store)
   • Real world advice: choose the authentication mechanism you already have in your enterprise

16. Take-aways from the battlefield
   • SSL authentication makes it really hard to revoke authentication
   • SASL (Simple Authentication and Security Layer) is not simple (YMMV)
   • Kerberos is by far the hardest to set up right. Errors are cryptic
   • This is the most challenging part of the Kafka security journey

17. Authentication in Kerberos, concretely?
   1. Create Kerberos or use Active Directory
   2. Ensure Kafka servers have correct CNAME & hostname
   3. Generate credentials for the brokers
   4. Generate KeyTabs for the brokers from the credentials
   5. Create a JAAS file:
      KafkaServer {
          com.sun.security.auth.module.Krb5LoginModule required
          useKeyTab=true
          storeKey=true
          keyTab="/tmp/kafka.service.keytab"
          principal="kafka/<<KAFKA-SERVER-INTERNAL-DNS>>@KAFKA.SECURE";
      };

18. Authentication in Kerberos, concretely? Continued…
   • Start Kafka and use Java options to reference the JAAS file
   • Add properties to Kafka:
     advertised.listeners=SASL_SSL://<<KAFKA-SERVER-DNS>>:9094
     sasl.enabled.mechanisms=GSSAPI
     sasl.kerberos.service.name=kafka
   • Start Kafka
   • Pray!

19. Real-World Tips: Authentication
   • Turn on DEBUG log during setup!
   • Go slow
   • Ensure CNAME and PTR records are correct
   • Scrape and repeat can sometimes solve issues
   • Automate

21. Authorisation in Kafka
   • Kafka knows our client’s identity
   • + Authorization rules:
     • "User alice can read topic finance"
     • "User bob cannot write topic trucks"
   • = Security
   • ACLs (Access Control Lists) have to be maintained by administrators

22. ACLs, where are they?
   • Default: ACLs are stored in Zookeeper
   • Must secure Zookeeper (network rules or authentication)
   • OR write your own authorizer (AD, LDAP, a database, Kafka…)

23. Managing ACLs: Producers
   • Adding permissions:
     ~/kafka/bin/kafka-acls.sh --authorizer-properties zookeeper.connect=<<ZOOKEEPER-DNS>>:2181 --add --allow-principal User:myproducer --operation Write --topic mytopic
   • Shortcut for producers:
     ~/kafka/bin/kafka-acls.sh --authorizer-properties zookeeper.connect=<<ZOOKEEPER-DNS>>:2181 --add --allow-principal User:myproducer --producer --topic mytopic

24. Managing ACLs: Consumers
   • Adding permissions:
     ~/kafka/bin/kafka-acls.sh --authorizer-properties zookeeper.connect=<<ZOOKEEPER-DNS>>:2181 --add --allow-principal User:myconsumer --operation Read --topic mytopic
     ~/kafka/bin/kafka-acls.sh --authorizer-properties zookeeper.connect=<<ZOOKEEPER-DNS>>:2181 --add --allow-principal User:myconsumer --operation Write --group mygroup
   • Shortcut for consumers:
     ~/kafka/bin/kafka-acls.sh --authorizer-properties zookeeper.connect=<<ZOOKEEPER-DNS>>:2181 --add --allow-principal User:writer --consumer --topic mytopic --group mygroup

25. Managing ACLs at Scale?
   • Look into Kafka Security Manager (https://github.com/simplesteph/kafka-security-manager)

26. Real World Tips on ACLs
   • Authorisation denials will be logged as INFO in the Kafka log.
   • Define your brokers as super users
   • Careful with: allow.everyone.if.no.acl.found=true
   • ACLs can be applied to:
     • Topics: Create, Read, Describe, Write, etc…
     • Groups: Read, Write, Describe
     • Cluster: DescribeConfigs, AlterConfigs, Create
   • Wildcards are supported in Kafka 2.0! (useful for Kafka Streams)
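To make the decision rules from slides 21 to 26 concrete, here is a small Python model of how a broker answers "may this principal do this operation on this resource": super users always pass, `allow.everyone.if.no.acl.found` decides resources that have no ACL bound at all, prefixed (wildcard) patterns match by prefix, and everything else is denied. It is an added example, not Kafka's authorizer code nor anything from the talk; the `producer_acls` / `consumer_acls` helpers are assumptions that approximate the `--producer` and `--consumer` shortcuts of slides 23 and 24, and deny ACLs are left out.

```python
from dataclasses import dataclass
# Constructed model of the ACL decision rules on the ACL slides; not Kafka's authorizer code.


@dataclass(frozen=True)
class Acl:
    principal: str      # e.g. "User:myproducer"
    resource_type: str  # "topic", "group" or "cluster"
    name: str           # resource name, "*" for all, or a prefix when prefixed=True
    operation: str      # "Read", "Write", "Describe", ...
    prefixed: bool = False

    def covers(self, resource_type, name):
        """Does this ACL bind to the given resource (pattern matching only)?"""
        if resource_type != self.resource_type:
            return False
        if self.prefixed:          # Kafka 2.0 prefixed pattern, e.g. all "app1-" topics
            return name.startswith(self.name)
        return self.name in ("*", name)


class Authorizer:
    """Allow-only model of the broker's decision; deny ACLs are left out for brevity."""

    def __init__(self, acls, super_users=(), allow_everyone_if_no_acl_found=False):
        self.acls = list(acls)
        self.super_users = set(super_users)
        self.allow_everyone_if_no_acl_found = allow_everyone_if_no_acl_found

    def authorize(self, principal, operation, resource_type, name):
        if principal in self.super_users:   # brokers are typically super users
            return True
        bound = [a for a in self.acls if a.covers(resource_type, name)]
        if not bound:
            # The flag the talk warns about: resources nobody bound an ACL to become world-open.
            return self.allow_everyone_if_no_acl_found
        return any(a.principal == principal and a.operation == operation for a in bound)


def producer_acls(principal, topic):
    """Roughly the --producer shortcut: Write and Describe on the topic
    (the real shortcut also grants Create, omitted here)."""
    return [Acl(principal, "topic", topic, op) for op in ("Write", "Describe")]


def consumer_acls(principal, topic, group):
    """Roughly the --consumer shortcut: Read and Describe on the topic, Read on the group."""
    return [Acl(principal, "topic", topic, op) for op in ("Read", "Describe")] + [
        Acl(principal, "group", group, "Read")]
```

Run it with the flag set to true and a principal with no ACLs at all: every topic nobody thought about answers "allowed", which is exactly why the slide says to be careful with it.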
28. Kafka Server is Secured! Done?
   Encryption
   Authentication
   Authorization

31. Kafka Client Security is the real challenge
   • Technical challenge:
     • Java clients: easy
     • Non-Java clients: please use a client that wraps librdkafka
   • People challenge:
     • Kafka Administrator: I’m a security guru! But I don’t want to secure all the apps
     • Kafka Developer: wt* is security?

32. Client Security in Java
   security.protocol=SASL_SSL
   sasl.kerberos.service.name=kafka
   ssl.truststore.location=/home/kafka/ssl/kafka.client.truststore.jks
   ssl.truststore.password=clientpass
   sasl.jaas.config='com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true useTicketCache=false keyTab="/etc/security/keytabs/client.service.keytab" principal="clientusername";'
   • It’s not fun
   • It’s not easy
   • It’s error prone

33. Kafka Clients are not tailored to your security needs
   • Observation 1: Default Kafka clients expose every security option
   • Observation 2: Your enterprise will only have one security setup
   • Observation 3: Every client security configuration will look the same
   • Take-away: don’t use the default Kafka clients

34. Real World Advice #1: Distribute your own wrapped Kafka Clients
   • Developers love nice APIs:
     • Standardized applications
     • No copy and paste errors
     • Centralized debugging
     • Reduced learning curve for devs
   new MyCorpKafkaProducer(bootstrapServers, keySerializer, valueSerializer)
       .withSSL(sslEnabled, pathToTrustStore)
       .withAuth(authEnabled, pathToKeyTab, usernameOrPrincipal)
       .withSchemaRegistry(url)
       .withExtraProperties(properties)
       .build()
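The wrapped-client idea of slide 34, carried over to the librdkafka-based clients slide 31 recommends for non-Java apps (for example confluent-kafka-python), as an added example that is not the talk's or any project's code: the builder owns the SSL and Kerberos settings of slide 32, derives `security.protocol` from the two switches, and refuses extra properties that would silently override them. The class and method names are assumptions; the configuration keys are real librdkafka keys, and the returned dict is what such a client's constructor takes.

```python
# Constructed example of the wrapped-client idea from slide 34, targeting a librdkafka-based
# client (e.g. confluent-kafka-python); class and method names are assumptions, the
# configuration keys are real librdkafka keys. Returns the config dict such a client takes.

# Keys the wrapper owns; application code may not override them through extra properties.
SECURITY_KEYS = {"security.protocol", "sasl.mechanisms", "sasl.kerberos.service.name",
                 "sasl.kerberos.keytab", "sasl.kerberos.principal", "ssl.ca.location"}


class MyCorpKafkaConfig:
    """Hides the SSL/Kerberos settings every app would otherwise copy and paste."""

    def __init__(self, bootstrap_servers):
        self._conf = {"bootstrap.servers": bootstrap_servers}
        self._ssl = False
        self._auth = False

    def with_ssl(self, enabled, ca_location=None):
        # librdkafka counterpart of the client truststore on the Java client slide.
        if enabled and not ca_location:
            raise ValueError("SSL enabled but no CA certificate path given")
        self._ssl = enabled
        if enabled:
            self._conf["ssl.ca.location"] = ca_location
        return self

    def with_auth(self, enabled, keytab=None, principal=None):
        # Counterpart of the Krb5LoginModule JAAS block: keytab + principal, GSSAPI.
        if enabled and not (keytab and principal):
            raise ValueError("auth enabled but keytab or principal missing")
        self._auth = enabled
        if enabled:
            self._conf.update({"sasl.mechanisms": "GSSAPI",
                               "sasl.kerberos.service.name": "kafka",
                               "sasl.kerberos.keytab": keytab,
                               "sasl.kerberos.principal": principal})
        return self

    def with_extra_properties(self, properties):
        clash = SECURITY_KEYS & set(properties)
        if clash:
            raise ValueError("security keys are owned by the wrapper: %s" % sorted(clash))
        self._conf.update(properties)
        return self

    def build(self):
        # security.protocol is derived from the switches, never typed by hand.
        proto = ("SASL_" if self._auth else "") + ("SSL" if self._ssl else "PLAINTEXT")
        return dict(self._conf, **{"security.protocol": proto})
```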
35. Real World Advice #2: Create a Kafka Client Base Docker Image
   Security at scale goes hand in hand with consistency.
   • Embed modified Java truststore
   • Standard retrieval of SSL certificates
   • Standard retrieval of credentials from Vault / secure store
   • Kafka environment switches, security switches
   • Bootstrap server discovery & Schema Registry discovery
   • Extend to Kafka Connect & Schema Registry

36. Real World Advice #3: Make a checklist before going to prod
   • What’s the application username?
   • Are all ACLs listed and created?
   • Is the application using the MyCorp Kafka clients?
   • Is the application running in the standardized Docker container?
   • Are quotas defined for this application?
   • Is the application monitored?
   • …Check? Release!

37. Next steps
   Where to take your learning from here!

38. Okay, I want to implement security! What’s next?
   • Read the docs:
     • Kafka Documentation: https://kafka.apache.org/documentation/#security
     • Confluent Documentation: https://docs.confluent.io/current/security.html
   • Read some blogs:
     • https://medium.com/@stephane.maarek/introduction-to-apache-kafka-security-c8951d410adf
     • https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/
   • Video Course:
     • Confluent Youtube: https://www.youtube.com/watch?v=MsQo-yoVleU&t=21s
     • Udemy: https://www.udemy.com/apache-kafka-security (coupon KAFKASUMMIT18)