kafka-users mailing list archives

From Jason Rosenberg <...@squareup.com>
Subject Re: Securing kafka
Date Mon, 02 Sep 2013 20:13:54 GMT
I'm definitely interested in this too.


On Fri, Aug 30, 2013 at 6:03 PM, Jay Kreps <jay.kreps@gmail.com> wrote:

> Yeah if nobody else does it first linkedin will definitely do kerberos/ssl
> + unix permissions at the topic level soonish. If folks already have a head
> start on the auth piece we would love to have that contribution.
>
>
> On Fri, Aug 30, 2013 at 5:25 AM, Maxime Brugidou
> <maxime.brugidou@gmail.com> wrote:
>
> > We would love to see kerberos authentication + some unix-like permission
> > system for topics (where one topic is a file and users/groups have read
> > and/or write access).
> >
> > I guess this is not high-priority but it enables some sort of
> > kafka-as-a-service possibility with multi tenancy. You could integrate a
> > quota system later on...
> > On Aug 30, 2013 5:38 AM, "Rajasekar Elango" <relango@salesforce.com>
> > wrote:
> >
> > > No, certificates are not per topic. It is for the entire broker.
> > >
> > > Thanks,
> > > Raja.
> > >
> > >
> > > On Thu, Aug 29, 2013 at 11:33 PM, Joe Stein <cryptcom@gmail.com> wrote:
> > >
> > > > are the certificate stores by topic? very interesting!!! looking forward to
> > > > trying it out and review it
> > > >
> > > > /*******************************************
> > > >  Joe Stein
> > > >  Founder, Principal Consultant
> > > >  Big Data Open Source Security LLC
> > > >  http://www.stealth.ly
> > > >  Twitter: @allthingshadoop <http://www.twitter.com/allthingshadoop>
> > > > ********************************************/
> > > >
> > > >
> > > > On Thu, Aug 29, 2013 at 11:22 PM, Rajasekar Elango
> > > > <relango@salesforce.com> wrote:
> > > >
> > > > > We have made changes to kafka code to support certificate based mutual SSL
> > > > > authentication. So the clients and broker will exchange trusted
> > > > > certificates for successful communication. This provides both
> > > > > authentication and ssl encryption. Planning to contribute that code back to
> > > > > kafka soon.
> > > > >
> > > > > Thanks,
> > > > > Raja.
> > > > >
> > > > >
> > > > > On Thu, Aug 29, 2013 at 11:16 PM, Joe Stein <cryptcom@gmail.com> wrote:
> > > > >
> > > > > > One use case I have been discussing recently with a few clients is
> > > > > > verifying the digital signature of a message as part of the acceptance
> > > > > > criteria of it being committed to the log and/or when it is consumed.
> > > > > >
> > > > > > I would be very interested in discussing different scenarios such as Kafka
> > > > > > as a service, privacy at rest as well as authorization and authentication
> > > > > > (if required).
> > > > > >
> > > > > > Hit me up
> > > > > >
> > > > > > /*******************************************
> > > > > >  Joe Stein
> > > > > >  Founder, Principal Consultant
> > > > > >  Big Data Open Source Security LLC
> > > > > >  http://www.stealth.ly
> > > > > >  Twitter: @allthingshadoop <http://www.twitter.com/allthingshadoop>
> > > > > > ********************************************/
> > > > > >
> > > > > >
> > > > > > On Thu, Aug 29, 2013 at 8:13 PM, Jay Kreps <jay.kreps@gmail.com> wrote:
> > > > > >
> > > > > > > +1
> > > > > > >
> > > > > > > We don't have any application-level security at this time so the answer is
> > > > > > > whatever you can do at the network/system level.
> > > > > > >
> > > > > > > -Jay
> > > > > > >
> > > > > > >
> > > > > > > On Thu, Aug 29, 2013 at 10:09 AM, Benjamin Black <b@b3k.us> wrote:
> > > > > > >
> > > > > > > > IP filters on the hosts.
> > > > > > > > On Aug 29, 2013 10:03 AM, "Calvin Lei" <ckplei@gmail.com> wrote:
> > > > > > > >
> > > > > > > > > Is there a way to stop a malicious user from connecting directly to a kafka
> > > > > > > > > broker and sending any messages? Could we have the brokers accept a message
> > > > > > > > > to a list of known IPs?
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Thanks,
> > > > > Raja.
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Thanks,
> > > Raja.
> > >
> >
>
