When different teams start to use the same Kafka clusters, it opens up opportunities and challenges. During this talk, we will look at different architectures and team structures to explore ways in which to set up authorization in a granular and maintainable way for real-world users, as well as for producing or consuming clients.
What are the options offered by the Kafka built-in Authorizer, how can the Authorizer be customized, and how are integrations with external systems built in order to provide group- or role-based access control? Confluent Cloud and Confluent Platform provide predefined roles as part of the Role-based Access Control (RBAC) feature. We will look at the permissions included in these role bindings, the scope on which they can be used, and the components for which they are available. Role-based Access Control and Access Control Lists can be used together - let's explore the options, best practices, and order of precedence.
We will put the capabilities into action by looking at the practices used by an imaginary company where the central Platform Team provisions clusters for its internal customers and provides access for teams to self-manage their domains. What’s the best approach to grant access to team members to their team’s resources and what needs to happen when one team collaborates with another team? What happens when a team member works temporarily on two teams?
We will close the session by looking at the ability to use the authorization mechanisms in conjunction with different authentication options and at the automation options to make the actions predictable and repeatable.
- Authentication: Confluent Cloud local users
- Authorization: RBAC prefixed role bindings
- Naming Convention: Team name used as prefix
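To make the scenario above concrete, here is a small added example (not part of the talk or of Confluent's software) that models how prefixed bindings keyed on a team-name prefix resolve. It reproduces the matching rules of Kafka's built-in authorizer: a LITERAL pattern matches the exact resource name, a PREFIXED pattern (KIP-290) matches every name starting with the prefix, and any matching DENY overrides any matching ALLOW. Team names, users, topics and the `Binding`, `evaluate` and `team_bindings` helpers are all constructed for this illustration; real Confluent RBAC roles bundle operations (DeveloperRead, DeveloperWrite, ...) and are created through the Confluent CLI or API rather than per-operation rules like these.

```python
"""Toy model of Kafka ACL / role-binding matching for a team-prefix naming convention.

Added illustration, not the talk's own material. Matching rules follow Kafka's
built-in authorizer: LITERAL patterns match the exact resource name, PREFIXED
patterns (KIP-290) match any name that starts with the prefix, and a matching
DENY always wins over a matching ALLOW. All names below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Binding:
    principal: str          # e.g. "User:alice"
    operation: str          # "READ", "WRITE", "DESCRIBE", ... or "ALL"
    resource_type: str      # "Topic", "Group", ...
    name: str               # literal resource name, or the prefix
    prefixed: bool = False  # True -> PREFIXED pattern, False -> LITERAL
    allow: bool = True      # False -> DENY

    def matches(self, principal: str, operation: str, resource_type: str, name: str) -> bool:
        if self.principal != principal or self.resource_type != resource_type:
            return False
        if self.operation not in (operation, "ALL"):
            return False
        return name.startswith(self.name) if self.prefixed else name == self.name


def evaluate(bindings: Iterable[Binding], principal: str, operation: str,
             resource_type: str, name: str, allow_if_no_rule: bool = False) -> bool:
    """Kafka semantics: DENY beats ALLOW; with no matching rule fall back to the
    cluster default (allow.everyone.if.no.acl.found, which we keep at false)."""
    hits = [b for b in bindings if b.matches(principal, operation, resource_type, name)]
    if any(not b.allow for b in hits):
        return False
    if hits:
        return True
    return allow_if_no_rule


def team_prefix(team: str) -> str:
    """Naming convention from the scenario: every team-owned resource starts with '<team>-'."""
    return f"{team}-"


def team_bindings(team: str, members: Iterable[str]) -> List[Binding]:
    """One prefixed binding per member and operation on the team's topics and consumer groups."""
    prefix = team_prefix(team)
    out: List[Binding] = []
    for user in members:
        for op in ("READ", "WRITE", "DESCRIBE"):
            out.append(Binding(user, op, "Topic", prefix, prefixed=True))
        out.append(Binding(user, "READ", "Group", prefix, prefixed=True))
    return out


def owned_by(team: str, resource_name: str) -> bool:
    """Check a resource name against the team-prefix convention."""
    return resource_name.startswith(team_prefix(team))


# Constructed scenario: alice is on team payments, carol on team fraud, and bob
# works temporarily on both teams, so he simply holds both teams' prefixed bindings.
BINDINGS = (
    team_bindings("payments", ["User:alice", "User:bob"])
    + team_bindings("fraud", ["User:carol", "User:bob"])
    # Cross-team collaboration: fraud shares exactly one topic with a payments
    # member through a LITERAL grant; the rest of fraud-* stays closed to her.
    + [Binding("User:alice", "READ", "Topic", "fraud-alerts")]
    # A DENY on a narrower prefix carves sensitive topics out of the team-wide grant.
    + [Binding("User:alice", "READ", "Topic", "payments-pii-", prefixed=True, allow=False)]
)


if __name__ == "__main__":
    checks = [("User:alice", "WRITE", "payments-orders"),
              ("User:alice", "READ", "fraud-alerts"),
              ("User:alice", "WRITE", "fraud-alerts"),
              ("User:bob", "WRITE", "fraud-scores"),
              ("User:alice", "READ", "payments-pii-cards")]
    for who, op, topic in checks:
        verdict = "ALLOW" if evaluate(BINDINGS, who, op, "Topic", topic) else "DENY"
        print(f"{who:11} {op:5} {topic:20} -> {verdict}")
```

Two points the model makes visible: a temporary member of two teams needs no special role, only the union of both teams' prefixed bindings, and a literal cross-team grant on one topic is far narrower than extending the other team's prefix. The `payments-pii-` DENY shows why deny rules deserve review before adding broad prefixed allows.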
"Kafka: The Definitive Guide, 2nd Edition" by Gwen Shapira, Todd Palino, Rajini Sivaram, and Krit Petty was used as a source throughout the different sections of the presentation. "Kafka: The Definitive Guide, 2nd Edition" can be downloaded from the Confluent website.
- Apache Kafka 3.23 Documentation - 7.1 Security Overview
- Course: Apache Kafka® Security - Kafka Authentication Basics
- Confluent Platform - Authentication Methods Overview
- Confluent Cloud - Access Management: Authenticate
- Apache Kafka 3.23 Documentation - 7.4 Authorization and ACLs
- KIP-11 - Authorization Interface
- KIP-290: Support for Prefixed ACLs
- Course: Apache Kafka® Security - Authorization
- Confluent Platform and Apache Kafka Compatibility
- Confluent Platform 7.2.1 installation /etc/kafka/kraft/README.md
- Confluent Platform Security
- Confluent Cloud - Access management & control
- Confluent Cloud Features and Limits by Cluster Type
- Apache Kafka Documentation - 4.9 Quotas
- Confluent Platform Quotas
- Multi-tenancy and Client Quotas on Confluent Cloud
- Apache Kafka Documentation - 6.8 Monitoring
- Apache Kafka Documentation - 6.4 Multitenancy Monitoring
- Confluent Platform - Control Center
- Connecting Control Center to Confluent Cloud
- Insomnia Confluent Cloud Metrics API Examples
- Bring Your Own Monitoring with Confluent Cloud
- Export Endpoint
- Confluent Cloud Metrics API
- Confluent Cloud Metrics API Reference
- Use the Metrics API to Track Usage by Team