Overview
The article discusses Uber's implementation of security features for its Kafka infrastructure, detailing the importance of securing data integrity and access control. It covers the core concepts of authentication, authorization, and encryption, as well as the integration with Uber's uPKI and Charter IAM frameworks.
What You'll Learn
1
How to implement mutual TLS for secure Kafka connections
2
Why integrating with a centralized IAM framework enhances security
3
How to manage authorization policies for multi-tenant Kafka clusters
Prerequisites & Requirements
- Understanding of Kafka architecture and security concepts
- Familiarity with Java and Kafka client libraries(optional)
Key Questions Answered
How does Uber secure its Kafka infrastructure?
Uber secures its Kafka infrastructure by implementing mutual TLS for authentication, using a centralized IAM framework for authorization, and employing encryption techniques to protect data in transit. This multi-layered security approach ensures that only authorized services can access Kafka topics and that data integrity is maintained.
What role does the uPKI framework play in Kafka security?
The uPKI framework at Uber provides short-lived, auto-rotated cryptographic key pairs to services, allowing for mutual authentication and secure communication over potentially insecure channels. This enhances the overall security posture of the Kafka infrastructure by ensuring that only verified services can interact with each other.
What challenges did Uber face when enabling security features on Kafka clusters?
Uber faced challenges in enabling security features on Kafka clusters due to the need for all topics to have valid authorization policies, the complexity of managing multiple clients, and ensuring that non-secure topics could still function in a secure environment. This required careful planning and configuration to avoid disruptions.
What performance impacts were observed after enabling security features?
After enabling security features, Uber observed approximately 2.5X degradation in p99 latencies. However, subsequent optimizations, including migrating to Java 11 and tuning garbage collection, helped mitigate these performance issues significantly.
Key Statistics & Figures
Performance degradation after enabling security features
2.5X
Observed in p99 latencies during performance runs after implementing security features.
Number of Kafka topics secured
500+
As of the article's publication, Uber had enabled security features on over 500 critical Kafka topics.
Technologies & Tools
Some links below are affiliate links. We may earn a commission if you make a purchase.
Backend
Apache Kafka
Used as the messaging system for Uber's real-time workflows.
Security
Upki
Provides workload identity and cryptographic key management for secure communications.
Security
Charter
Uber's centralized IAM framework for managing access control policies.
Key Actionable Insights
1Implement mutual TLS to secure communication between Kafka clients and brokers.Mutual TLS not only encrypts data in transit but also ensures that both parties are authenticated. This is crucial in a microservices architecture where services need to trust each other.
2Leverage a centralized IAM framework like Charter for managing authorization policies.Using a centralized system simplifies policy management across multiple services and ensures consistent enforcement of access controls, reducing the risk of unauthorized access.
3Regularly monitor the health of your security infrastructure, including certificate TTLs and failed authentication counts.Proactive monitoring can help identify potential security issues before they escalate, ensuring that your Kafka infrastructure remains secure and operational.
Common Pitfalls
1
Failing to properly configure authorization policies for all topics in a multi-tenant Kafka cluster.
Without comprehensive policies, requests may be rejected, causing disruptions. It's essential to track and manage policies effectively, especially in environments with many clients.
Related Concepts
Kafka Security Best Practices
IAM Frameworks And Their Integration
Performance Tuning For Secure Applications