100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Kafka

Kafka Security Basics

Core mechanisms for securing a Kafka cluster: encryption in transit, authentication, and fine-grained authorization.

Reliability & OpsIntermediate10 min readJul 10, 2026
Analogies

The Three Pillars: Encryption, Authentication, Authorization

By default, a freshly installed Kafka cluster ships with the PLAINTEXT listener, meaning any client that can reach the broker's port over the network can produce, consume, or even administer topics with zero credentials required. Securing Kafka properly means layering three independent concerns: SSL/TLS for encrypting data in transit so it can't be sniffed off the wire, SASL mechanisms for authenticating who a client actually is, and ACLs (Access Control Lists) for authorizing exactly what an authenticated client is permitted to do.

🏏

Cricket analogy: A stadium with PLAINTEXT-equivalent security is like a ground with no ticket checks at any gate, where anyone can walk onto the field itself; proper security is like having sealed gates (encryption), ID checks at entry (authentication), and separate passes for players, officials, and media (authorization).

SASL/SCRAM is the most common authentication mechanism for teams that don't already run Kerberos, storing salted, hashed credentials directly in ZooKeeper or KRaft metadata and letting clients authenticate with a username and password over an SSL-encrypted connection; SASL/GSSAPI (Kerberos) is preferred in enterprises with an existing Active Directory or MIT Kerberos infrastructure, while SASL/OAUTHBEARER integrates with modern identity providers issuing short-lived tokens.

🏏

Cricket analogy: SASL/SCRAM is like a local club issuing its own membership cards with a password-protected system, while SASL/GSSAPI is like relying on the national cricket board's existing centralized player accreditation system that every affiliated club already trusts.

properties
# broker server.properties (SASL_SSL listener)
listener.security.protocol.map=SASL_SSL:SASL_SSL
listeners=SASL_SSL://broker1:9093
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.keystore.password=changeit
ssl.truststore.location=/etc/kafka/ssl/broker.truststore.jks
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
super.users=User:admin

# Grant a producer app write access to a specific topic
kafka-acls.sh --bootstrap-server broker1:9093 --command-config admin.properties \
  --add --allow-principal User:order-service \
  --operation Write --topic orders

ACLs in Kafka follow a deny-by-default model once an authorizer like AclAuthorizer or StandardAuthorizer (KRaft) is enabled: a principal with no matching ACL is denied every operation, so super.users or explicit grants must be configured before clients can connect at all.

Encryption and Least-Privilege Authorization

SSL/TLS in Kafka is typically configured on both the client-facing listener and the inter-broker replication listener separately, since replication traffic between brokers also traverses the network and is equally vulnerable to interception; teams often use mutual TLS (mTLS) with client certificates as both an encryption layer and an implicit authentication mechanism, where the certificate's distinguished name becomes the authenticated principal used by the ACL authorizer.

🏏

Cricket analogy: Encrypting both client and inter-broker traffic is like a team encrypting not just the coach-to-player tactical signals but also the internal selector-to-selector deliberations, because both channels carry sensitive information that rival teams would exploit if intercepted.

Effective ACL design follows least-privilege: each application principal gets exactly the operations it needs on exactly the resources it needs, such as Write access to a specific topic prefix for a producer service and Read plus the consumer group's Describe permission for a consumer service, rather than broad wildcard grants; prefixed ACLs (using --resource-pattern-type PREFIXED) let teams grant access to an entire naming convention like orders.* without enumerating every individual topic.

🏏

Cricket analogy: It's like a franchise giving its bowling coach access only to bowling analytics data and its batting coach access only to batting analytics, rather than handing every staff member full access to the entire team's confidential player database.

Granting a wildcard ACL such as --topic '*' --operation All to an application principal effectively defeats the purpose of authorization entirely; always scope ACLs to specific topics, prefixes, or consumer groups, and reserve super.user status for genuine administrative accounts only.

  • Default Kafka installs use PLAINTEXT listeners with no encryption, authentication, or authorization enabled at all.
  • Security has three independent layers: SSL/TLS for encryption, SASL for authentication, and ACLs for authorization.
  • SASL/SCRAM suits teams without existing Kerberos infrastructure; SASL/GSSAPI integrates with Active Directory environments.
  • SASL/OAUTHBEARER delegates authentication to modern identity providers issuing short-lived tokens.
  • Inter-broker replication traffic needs its own TLS configuration, separate from the client-facing listener.
  • mTLS can serve as both encryption and authentication, using the client certificate's distinguished name as the ACL principal.
  • ACLs should follow least-privilege, using prefixed resource patterns instead of broad wildcard grants.

Practice what you learned

Was this page helpful?

Topics covered

#Kafka#ApacheKafkaStudyNotes#DevOps#KafkaSecurityBasics#Security#Three#Pillars#Encryption#StudyNotes#SkillVeris