Kafka Authentication & Authorisation
Moneyhub-hosted Apache Kafka
Authentication
While the Moneyhub-hosted Apache Kafka supports both mTLS and SASL, we highly recommend mTLS for production integrations.
Mutual TLS
We operate a Certificate Authority (CA), and we can also use a CA that you host. Our Kafka brokers can produce CSRs that are used to generate a signed certificate. We can also accept CSRs (as detailed in this guide) through the Admin Portal, which allows a signed certificate to be issued to your Kafka client for authentication and authorisation (as detailed below).
Authorisation
Moneyhub uses Access Control Lists (ACLs) to authorise client permissions on our hosted Kafka deployment.
When using mTLS authentication, the common name (CN) of the certificate your Kafka client uses becomes the principal for any ACL rules. The principal is granted write access to the ingress topic and read access to the egress topic.
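Because the CN in the CSR ends up as the ACL principal, it is worth reading it back from the CSR before submitting it. The script below is an added example, not Moneyhub's own tooling; it assumes OpenSSL is installed, and the RSA 2048 key type, the file names and the restriction on CN characters are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: create a client key and CSR, then confirm the CN that
# will be used as the Kafka principal. Not Moneyhub's own tooling.
# Usage: make_client_csr <common-name> <output-dir>
set -eu

# Print the CN of a CSR. RFC2253 name output keeps the format stable
# across OpenSSL versions ("subject=CN=...,O=...").
csr_common_name() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject= *\(.*,\)\{0,1\}CN=\([^,]*\).*$/\2/p'
}

# Generate <dir>/client.key and <dir>/client.csr for the given CN and
# print the CN as read back from the CSR.
make_client_csr() {
  cn=$1
  dir=$2
  # Assumption: keep the CN to a conservative character set so the
  # resulting principal is unambiguous in ACL rules.
  case "$cn" in
    '' | *[!A-Za-z0-9._-]*)
      echo "CN must be non-empty and use only A-Z a-z 0-9 . _ -" >&2
      return 1
      ;;
  esac
  mkdir -p "$dir"
  # umask 077 so the private key is created readable by the owner only.
  # -nodes leaves the key unencrypted; protect it at rest by other means.
  (
    umask 077
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/client.key" -out "$dir/client.csr" \
      -subj "/CN=$cn"
  ) || return 1
  got=$(csr_common_name "$dir/client.csr")
  if [ "$got" != "$cn" ]; then
    echo "CSR CN is '$got', expected '$cn'" >&2
    return 1
  fi
  printf '%s\n' "$got"
}
```

Only `client.csr` is submitted; `client.key` stays on the client host.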
Client-hosted Kafka
Please liaise with us so we can support your implementation and requirements.