KRaft Security

Starting with Confluent Platform 7.5.0, Kafka Raft (KRaft) replaces ZooKeeper as the default for storing Kafka metadata. A Confluent Platform cluster running in KRaft mode does not require a separate ZooKeeper cluster to store the Kafka metadata. The cluster now consists of Kafka brokers and KRaft controllers: the Kafka brokers process and store Kafka data, and the KRaft controllers store and manage the Kafka metadata.

The KRaft controllers and Kafka brokers are configured using the same configuration parameters, which are included, respectively, in their controller.properties and broker.properties files. To keep your Confluent Platform cluster secure, you must protect the communication between KRaft controllers and Kafka brokers (and between brokers), and control who can access the KRaft controllers and the metadata they manage.

Important

As of Confluent Platform 7.5, ZooKeeper is deprecated for new deployments. Confluent recommends KRaft mode for new deployments. For more information, see KRaft Overview.

Protect interbroker communication

SASL/SCRAM authenticates brokers and controllers to each other. Its salted, iterated challenge-response keeps the password itself off the wire and defeats precomputed dictionary (rainbow-table) attacks against a captured handshake. TLS protects the traffic from eavesdropping and tampering and lets nodes verify each other's certificates. Use both: SCRAM alone leaves everything after the handshake in cleartext, and TLS alone does not give you a SASL principal to authorize against. In Kafka terms this combination is the SASL_SSL security protocol, and it is the strongest option for interbroker communication in your Confluent Platform cluster.

Authenticate using SASL/SCRAM

Use SASL/SCRAM authentication for all communication between all Kafka nodes, including KRaft controllers and Kafka brokers, and communication related to the metadata log.

To use SASL/SCRAM authentication, you need to set the following configuration properties:

  • sasl.mechanism.inter.broker.protocol – The SASL mechanism used for interbroker communication. Set this property to SCRAM-SHA-256 or SCRAM-SHA-512.
  • sasl.mechanism.controller.protocol – The SASL mechanism brokers use when talking to the KRaft controllers over the controller listener. Its default is GSSAPI, so set it to the same SCRAM mechanism as above.
  • sasl.enabled.mechanisms – The list of enabled SASL mechanisms. Set this property to SCRAM-SHA-256 or SCRAM-SHA-512 and do not leave weaker mechanisms such as PLAIN enabled alongside it. Because SCRAM protects only the password exchange, run it over a SASL_SSL listener rather than SASL_PLAINTEXT so the session itself is encrypted.

For details on how to configure SASL/SCRAM authentication, see KRaft-based clusters.

Encrypt using TLS

Use TLS encryption to encrypt all communication between all Kafka nodes, including KRaft controllers and Kafka brokers, and communication related to the metadata log.

To enable TLS encryption, you need to set the following configuration properties:

  • security.inter.broker.protocol – The protocol used for interbroker communication. Set this property to SSL for TLS alone, or to SASL_SSL for SASL/SCRAM authentication over TLS as recommended above. If you select the interbroker listener with inter.broker.listener.name instead, leave this property unset; Kafka rejects a configuration that sets both.
  • ssl.keystore.type – Set this property to the type of keystore file that contains the node's certificate and private key. The default value is JKS.
  • ssl.keystore.location – Set this property to the location of the keystore file that contains the node's certificate and private key.
  • ssl.truststore.type – Set this property to the type of truststore file that contains the certificate of the CA that signed the peer nodes' certificates. The default value is JKS.
  • ssl.truststore.location – Set this property to the location of the truststore file that contains the certificate of the CA that signed the peer nodes' certificates.

Supply the store passwords in ssl.keystore.password and ssl.truststore.password (and ssl.key.password if the private key has its own password), and keep ssl.endpoint.identification.algorithm at its default of https so that nodes verify each other's hostnames; setting it to an empty string disables that check.

For details about how to configure TLS encryption, see Encrypt with TLS.

Control access to KRaft controllers and metadata

Use access control lists (ACLs) and role-based access control (RBAC) to control which principals (KRaft controllers, Kafka brokers, producers, consumers and administrators) can act on your Confluent Platform cluster, including which users can read from or write to the __cluster_metadata internal topic that represents the metadata log.

Use access control lists (ACLs)

Use ACLs to control access to Kafka resources. For example, you can use ACLs to control which users can read from or write to the __cluster_metadata topic. For details, see Authorization using Access Control Lists (ACLs).
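The following script is an added example for this page, not Confluent or Apache Kafka code. It audits a KRaft controller.properties or broker.properties file against the settings covered in the SASL/SCRAM, TLS and ACL sections above: SCRAM selected for both interbroker and controller traffic, SASL_SSL on every listener, keystore and truststore present, hostname verification left on, and an authorizer configured. The two property files it writes are constructed for the demo; hostnames, key paths and the CHANGE_ME passwords are placeholders. The hardened file uses Apache Kafka's StandardAuthorizer; a Confluent RBAC deployment configures the Confluent authorizer instead, which this example does not cover.

```shell
#!/bin/sh
# Added example, not Confluent or Kafka code: audit a KRaft properties file for
# the settings this page calls for. Sample files below are constructed for the
# demo; hostnames, paths and CHANGE_ME passwords are placeholders.

# prop FILE KEY: print the effective value of KEY. Kafka keeps the last
# definition of a key, so take the last matching line and strip "key =".
prop() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${pat}[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# audit_kraft_props FILE: print one FAIL line per problem; return the count (0 = clean).
audit_kraft_props() {
    f="$1"
    n=0
    fail() { echo "FAIL: $1"; n=$((n + 1)); }

    # Every listener must use SASL_SSL: SSL alone gives no SASL principal, and
    # SASL_PLAINTEXT sends everything after the SCRAM handshake in the clear.
    map=$(prop "$f" listener.security.protocol.map)
    [ -n "$map" ] || fail "listener.security.protocol.map is not set"
    for entry in $(echo "$map" | tr ',' ' '); do
        case "${entry#*:}" in
            SASL_SSL) ;;
            *) fail "listener ${entry%%:*} uses ${entry#*:}, expected SASL_SSL" ;;
        esac
    done

    # SCRAM must be selected for broker-to-broker and broker-to-controller traffic,
    # and nothing weaker (PLAIN, or the GSSAPI default) may be enabled beside it.
    for key in sasl.mechanism.inter.broker.protocol sasl.mechanism.controller.protocol; do
        case "$(prop "$f" "$key")" in
            SCRAM-SHA-256|SCRAM-SHA-512) ;;
            *) fail "$key is not SCRAM-SHA-256 or SCRAM-SHA-512" ;;
        esac
    done
    mechs=$(prop "$f" sasl.enabled.mechanisms)
    [ -n "$mechs" ] || fail "sasl.enabled.mechanisms is not set (default is GSSAPI)"
    for mech in $(echo "$mechs" | tr ',' ' '); do
        case "$mech" in
            SCRAM-SHA-256|SCRAM-SHA-512) ;;
            *) fail "sasl.enabled.mechanisms includes $mech" ;;
        esac
    done

    # TLS material must be present; an empty ssl.endpoint.identification.algorithm
    # turns hostname verification off and is a finding.
    for key in ssl.keystore.location ssl.truststore.location; do
        [ -n "$(prop "$f" "$key")" ] || fail "$key is not set"
    done
    if grep -qE '^[[:space:]]*ssl\.endpoint\.identification\.algorithm[[:space:]]*=[[:space:]]*$' "$f"; then
        fail "ssl.endpoint.identification.algorithm is empty (hostname verification off)"
    fi

    # Without an authorizer every authenticated principal may do anything, and
    # allow.everyone.if.no.acl.found=true reopens any resource that lacks an ACL.
    [ -n "$(prop "$f" authorizer.class.name)" ] || fail "authorizer.class.name is not set"
    [ "$(prop "$f" allow.everyone.if.no.acl.found)" != "true" ] || fail "allow.everyone.if.no.acl.found is true"

    return "$n"
}

DEMO_DIR=$(mktemp -d)
WEAK_PROPS="$DEMO_DIR/weak-controller.properties"
HARDENED_PROPS="$DEMO_DIR/hardened-controller.properties"

# Constructed weak configuration: PLAIN over a cleartext listener, no TLS, no authorizer.
cat >"$WEAK_PROPS" <<'EOF'
process.roles=controller
node.id=1
controller.quorum.voters=1@controller-1:9093
listeners=CONTROLLER://:9093
controller.listener.names=CONTROLLER
listener.security.protocol.map=CONTROLLER:SASL_PLAINTEXT
sasl.mechanism.controller.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
allow.everyone.if.no.acl.found=true
EOF

# Constructed hardened configuration: SCRAM-SHA-512 over SASL_SSL with mutual TLS
# and Kafka's KRaft StandardAuthorizer.
cat >"$HARDENED_PROPS" <<'EOF'
process.roles=controller
node.id=1
controller.quorum.voters=1@controller-1:9093
listeners=CONTROLLER://:9093
controller.listener.names=CONTROLLER
listener.security.protocol.map=CONTROLLER:SASL_SSL
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
sasl.mechanism.controller.protocol=SCRAM-SHA-512
sasl.enabled.mechanisms=SCRAM-SHA-512
listener.name.controller.scram-sha-512.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="kraft" password="CHANGE_ME";
ssl.keystore.type=PKCS12
ssl.keystore.location=/etc/kafka/secrets/controller-1.p12
ssl.keystore.password=CHANGE_ME
ssl.truststore.type=PKCS12
ssl.truststore.location=/etc/kafka/secrets/ca.p12
ssl.truststore.password=CHANGE_ME
ssl.client.auth=required
authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer
super.users=User:kraft
allow.everyone.if.no.acl.found=false
EOF

for p in "$WEAK_PROPS" "$HARDENED_PROPS"; do
    echo "== $p"
    if audit_kraft_props "$p"; then echo "PASS: no findings"; fi
done
```

Run it as a pre-deployment check on each node's controller.properties and broker.properties. The weak file produces eight findings and the hardened file none; the checks are the ones a reviewer would make by hand, so extend the case lists if your cluster legitimately uses another mechanism on a client-facing listener.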

Use role-based access control (RBAC)

Note

RBAC is supported in Confluent Platform production clusters running in KRaft mode, but KRaft combined mode (a node that runs both the broker and controller roles) is not supported in production environments.

Use RBAC to control access to KRaft controllers and Kafka brokers in your Confluent Platform cluster. For details, see Authorization using Role-Based Access Control.