Kafka Authentication & Authorisation
Moneyhub-hosted Apache Kafka
Authentication
Moneyhub-hosted Kafka only supports authentication using mutual TLS (mTLS). All client connections must use a valid client certificate, which is authenticated by the Certificate Authority (CA) specified by Moneyhub. Connections using simple username and password (SASL/PLAIN), SASL/SCRAM, or any other authentication methods are not supported.
This approach ensures that only clients with trusted and verifiable certificates can connect to our Kafka service, providing robust security and preventing unauthorised access.
Mutual TLS
We operate a private Certificate Authority (CA), which will be responsible for supplying client certificates. The generated client certificate will allow your Kafka client to authenticate with the Kafka cluster and then be authorised to access what is required (as detailed below).
Authorisation
Moneyhub uses Access Control Lists (ACLs) to authorise client permissions on our hosted Kafka deployment.
When using mTLS authentication, we take the common name (CN) from the certificate your Kafka client presents and use it as the principal for any rules. The principal is granted write access to the ingress topic and read access to the egress topic on a specified consumer group.
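As an added illustration (not Moneyhub's or Kafka's own code), the following Python models the rule set described above and shows which Kafka protocol error a client would see for each kind of mismatch. The topic, group and certificate names are constructed placeholders, and the three-entry ACL set is an assumption based on the description above: in Kafka, consuming through a consumer group needs READ on both the topic and the group, and principal matching is an exact, case-sensitive comparison.

```python
import re

# Constructed placeholder names; the real topics, group and CN are agreed with Moneyhub.
CLIENT = "User:example-client"
ACLS = {
    (CLIENT, "TOPIC", "example.ingress", "WRITE"),
    (CLIENT, "TOPIC", "example.egress", "READ"),
    (CLIENT, "GROUP", "example-group", "READ"),
}

def principal_from_subject(subject_dn):
    """Derive the ACL principal from the CN of a certificate subject DN string."""
    for rdn in re.split(r"(?<!\\),", subject_dn):  # split on unescaped commas
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN" and value.strip():
            return "User:" + value.strip()
    raise ValueError("subject has no CN, so no principal can be derived")

def _allowed(principal, rtype, name, op):
    # Deny by default: only an exact match on all four fields is allowed.
    return (principal, rtype, name, op) in ACLS

def check_produce(subject_dn, topic):
    """Return 'OK' or the Kafka error name a producer would receive."""
    p = principal_from_subject(subject_dn)
    return "OK" if _allowed(p, "TOPIC", topic, "WRITE") else "TOPIC_AUTHORIZATION_FAILED"

def check_consume(subject_dn, topic, group):
    """Return 'OK' or the Kafka error name a group consumer would receive."""
    p = principal_from_subject(subject_dn)
    if not _allowed(p, "GROUP", group, "READ"):
        return "GROUP_AUTHORIZATION_FAILED"
    if not _allowed(p, "TOPIC", topic, "READ"):
        return "TOPIC_AUTHORIZATION_FAILED"
    return "OK"

if __name__ == "__main__":
    dn = "CN=example-client,OU=Integrations,O=Example Ltd"  # constructed subject
    print(check_produce(dn, "example.ingress"))
    print(check_produce(dn, "example.egress"))
    print(check_consume(dn, "example.egress", "example-group"))
    print(check_consume(dn, "example.egress", "other-group"))
    print(check_consume("CN=Example-Client,O=Example Ltd", "example.egress", "example-group"))
```

A group or topic authorisation error from a client that connects successfully therefore points to the `group.id`, the topic name or the certificate CN not matching what was agreed, rather than to a TLS problem.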
Client-hosted Kafka
Please liaise with us so we can support your implementation and requirements.
