
I'm starting out with Kafka.

I see that I'm able to pass headers when producing messages.

Traditionally one would have a web client (single page app) where the user logs in via some remote oidc idp and receives a token. That token is then sent via an Authentication: Bearer token-here header to some RESTful backend where the token is checked for validity and the payload is processed, saved to a database or other and something is returned or not.

Now there's Apache Kafka. It has a REST proxy. I can pass headers to the REST proxy and produce messages, or consume them, but I'm interested in the "secure my RESTful JSON API" part.

Currently, without Kafka, I have either an oidc proxy (using keycloak, that's keycloak-gatekeeper) that does the filtering of which request makes it to the backend, or I have an oidc client that does token validation as some middleware function inside the backend. In any case invalid requests don't get "logged" as they would in Kafka, I assume.

Where does oidc token validation and request filtering fit in the Kafka/Confluent ecosystem?

Assume we have a SPA that talks to the Confluent REST Proxy. Some logged in user wants to post messages and some non-logged in user should not be able to.

How do Kafka and/or its tools deal with that scenario?

OneCricketeer

  • OpenID Connect is now supported by Kafka since version 3.1.0 (released Jan 2022) https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575 – Amanuel Nega Mar 10 '22 at 08:37

1 Answer


Kafka commonly uses SASL and other Authorization plugins to prevent access.

Certificates would be distributed amongst clients (here, that is the REST Proxy). You would need other proxies or plugins around that to prevent further access or audit the requests, as with any other web server.

HTTPS certificates would be used to secure traffic to the REST proxy, but seems you're asking about something more specific.

There is no reference to OpenID in the documentation, only LDAP RBAC, as a commercial offering.

OneCricketeer

  • My concern is kafka REST providing the REST interface for clients to communicate via. SPA talks via kafka REST to Kafka. I'm not concerned with kafka REST and Kafka communication. I'm interested in authenticating using oidc, getting a token and using that token to prove my identity to Kafka REST, so it can then decide to grant me write or read access to producers or consumers. I mean that I don't see the point of Kafka REST when this isn't possible, I might as well write my own Kafka middleware. I was asking because I saw oauth2 config options in the logs but none in the documentation. – Mar 18 '20 at 01:36
  • Ah I see, the last part, Kafka REST uses basic auth. Ok I'll accept your answer. Thanks. – Mar 18 '20 at 01:38
  • Ah and all of a sudden there it is: https://docs.confluent.io/current/security/rbac/token-auth.html oidc is an oauth2 dialect so to say. – Mar 18 '20 at 01:40
  • That might be an enterprise only feature, I'm not sure – OneCricketeer Mar 18 '20 at 07:07