KRaft Security in Confluent Platform¶
Starting with Confluent Platform 7.5.0, Kafka Raft (KRaft) replaces ZooKeeper as the default for storing Kafka metadata. A Confluent Platform cluster running in KRaft mode does not require a separate ZooKeeper cluster to store the Kafka metadata. The Confluent Platform cluster is now comprised of Kafka brokers and KRaft controllers. The Kafka brokers process and store Kafka data and the KRaft controllers store and manage the Kafka metadata.
The KRaft controllers and Kafka brokers are configured using the same configuration
parameters, which are included, respectively, in their controller.properties
and broker.properties
files. To ensure that your Confluent Platform cluster is secure, you
must protect interbroker communication between the KRaft controllers and
Kafka brokers, control access to the KRaft controllers and metadata in your
Confluent Platform cluster.
Important
As of Confluent Platform 7.5, ZooKeeper is deprecated for new deployments. Confluent recommends KRaft mode for new deployments. For more information, see KRaft Overview for Confluent Platform.
Protect interbroker communication¶
SASL/SCRAM authentication provides a secure way to authenticate brokers to each other. It protects passwords from being sniffed on the network and prevents pre-computed dictionary attacks on passwords. TLS encryption protects the communication between brokers from eavesdropping and tampering. By using both SASL/SCRAM authentication and TLS encryption, you can achieve the highest level of security for interbroker communication in your Confluent Platform cluster.
Authenticate using SASL/SCRAM¶
Use SASL/SCRAM authentication for all communication between all Kafka nodes, including KRaft controllers and Kafka brokers, and communication related to the metadata log.
To use SASL/SCRAM authentication, you need to set the following configuration properties:
sasl.mechanism.inter.broker.protocol
– The SASL mechanism used for interbroker communication. This property must be set toSCRAM-SHA-256
orSCRAM-SHA-256
.sasl.enabled.mechanisms
– The list of enabled SASL mechanisms. Set this property toSCRAM-SHA-256
orSCRAM-SHA-512
.
For details on how to configure SASL/SCRAM authentication, see KRaft-based clusters.
Encrypt using TLS¶
Use TLS encryption to encrypt all communication between all Kafka nodes, including KRaft controllers and Kafka brokers, and communication related to the metadata log.
To enable TLS encryption, you need to set the following configuration properties:
security.inter.broker.protocol
– The protocol used for interbroker communication. Set this property toSSL
for TLS.ssl.keystore.type
: Set this property to the type of keystore file that contains the broker’s certificate and private key. The default value isJKS
.ssl.keystore.location
: Set this property to the location of the keystore file that contains the broker’s certificate and private key.ssl.truststore.type
: Set this property to the type of truststore file that contains the public certificate of the CA that signed the broker’s certificate. The default value isJKS
.ssl.truststore.location
: Set this property to the location of the truststore file that contains the public certificate of the CA that signed the broker’s certificate.
For details about how to configure TLS encryption, see Encrypt with TLS in Confluent Platform.
Control access to KRaft controllers and metadata¶
Use access control lists (ACLs) and role-based access control (RBAC) to control
access to your Confluent Platform cluster’s KRaft controllers and Kafka brokers
(producers/consumers) and which users can read from or write to the
__cluster_metadata
internal topic that represents the metadata log.
Use access control lists (ACLs)¶
Use ACLs to control access to Kafka resources. For example, you can use ACLs
to control which users can read from or write to the __cluster_metadata
.
For details, see Authorization using Access Control Lists (ACLs) in Confluent Platform.
Use role-based access control (RBAC)¶
Note
RBAC is supported in Confluent Platform production clusters running in KRaft mode, but the KRaft combined mode is not supported in production environments.
Use RBAC to control access to KRaft controllers and Kafka brokers in your Confluent Platform cluster. For details, see Authorize using Role-Based Access Control (RBAC) in Confluent Platform.