Demo: RBAC and Secret Protection in Confluent Platform (English)

(dramatic music) – [Suvad] Hi, my name is Suvad Sahovic, I’m a systems engineer here at Confluent and today I want to show you two new really cool Confluent security components for your Kafka environment. So let’s start.

First component, role-based access control. The following situation: you have your critical data in your Kafka environment, you want to protect it, you want to grant privileges to users, hopefully groups, and if you have many users, this is pretty tough, and in the case that you’re using other Confluent Platform components like Schema Registry or KSQL, it makes the situation much more difficult, and this is exactly where role-based access control comes into the game. It’s a central platform for authentication and authorization for your whole Kafka environment, and the really cool stuff is that you can integrate your role-based access control with your existing user store LDAP directory, in my case, it’s Microsoft Active Directory.

I have here two users, Max, who is part of the dataio project group, and Suvad, who is part of the m3d developers, and what I have done is I mapped these two groups to role-based access control specific roles so that these groups can access only project-related data. So let’s see if Suvad is now accessing his topics. He should then see all the m3d topics, as you can see, and if Max is accessing his topics from his project, he sees only dataio project data.

So in the case that I’m now, for example, changing Suvad from one team to another, he is just moving from one team to another, from m3d to dataio, let’s do this now, he should then be able only to see then the dataio project data and the m3d data should be then actually or the privilege, it should be then revoked, so let’s see if that is working now. I’m executing the same statement again and indeed, he has access only to dataio project data. And the cool thing is that this works for the whole Confluent Platform components.

The second really cool Confluent security component is secret protection. We have this, typically this problem that we have in our property files sensitive data like username or passwords, in the case, for example, here my case, it’s password suvad, username suvad, and this is the parameter here, sasl.jaas.config, and this is exactly where secret protection now comes into the game. It encrypts this sensitive data in the property files. I’m just defining here which parameter I want to encrypt, execute it, and now if I reopen this file again, the data is encrypted, and if I execute again my statement, all the other tools are still working with this encrypted data, and the really cool point is that secret protection is working not only with the Confluent Platform property files but also with all the other property files in your company.

That’s it for today. Hopefully the session was helpful for you. Thanks for watching and see you next time. (dramatic music)
