.. _kafka_security:

Kafka Security
================

In the 0.9.0.0 release, the Kafka community added a number of features that can be used, together or separately, to secure a Kafka cluster.
The following security measures are currently supported:

#. Authentication of connections to brokers from clients (producers and consumers), other brokers and tools, using either SSL or SASL (Kerberos).
   SASL/PLAIN can also be used from release 0.10.0.0 onwards
#. Authentication of connections from brokers to ZooKeeper
#. Encryption of data transferred between brokers and clients, between brokers, or between brokers and tools using SSL (Note that there is a
   performance degradation when SSL is enabled, the magnitude of which depends on the CPU type and the JVM implementation)
#. Authorization of read / write operations by clients
#. Authorization is pluggable and integration with external authorization services is supported

It's worth noting that security is optional - non-secured clusters are supported, as well as a mix of authenticated, unauthenticated, encrypted
and non-encrypted clients.

See :ref:`operating a secure cluster in the Confluent Platform <kafka_platform_security>` for suggestions on using other Confluent Platform components
with a secured Kafka cluster.

The guides below explain how to configure and use the security features in both clients and brokers.

.. toctree::
   :maxdepth: 3

   ssl
   sasl
   authorization
   incremental-security-upgrade
   zookeeper-authentication
   platform-security