How to enforce topic authorization for kafka http bridge clients

[sgv0007]

Hi Team ,

We have shared kafka http bridge endpoints to multiple clients for produce/consume message. However all the clients can produce or consume from topics which are not related to their application .

We have enable authorization at kafka cluster level but that is only applicable between kafka http bride and the broker cluster. So if I update anything at kafka user level that will affect all the clients using http bridge .

As per the strimzi http bridge documentation

However, Strimzi takes care of configuring and managing options related to the following, which cannot be changed:
Kafka` cluster bootstrap address
Security (encryption, authentication, and authorization)
Consumer group identifier

Properties with the following prefixes cannot be set:
bootstrap.servers
group.id
sasl.
security.
ssl.

Can you please let me know is there a way to restrict kafka http bridge clients from subscribing to unauthorized topics , while using a common/shared http bridge instance.?

Thanks,
Shiva

[scholzj]

If you want some form of authorization on the HTTP interface of the Bridge, you have to front it with some API gateway or a similar tool and enforce the authentication and authorization of the HTTP clients there.

[sgv0007]

Thanks @scholzj for the response.

Actually my requirement is bit different , problem is not with http endpoint authorization . If you consider below example , I want to allow app team 1 to have access to only topic a and b by passing sasl.jaas.config value like below for producer or consumer endpoint .

sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required
username="team1"
password="team1 password";

example:

client/app team 1: kafka User "team 1"
topic a
topic b

client/app team 2: Kafka User "team 2"
topic c
topic d

Thanks,
Shiva

[scholzj]

Actually my requirement is bit different , problem is not with http endpoint authorization .

Well, the way you describe it (or at least the way I understand what you wrote) your problem and solution is exactly what I said it is. You are asking for different HTTP clients to be treated as different users and have different rights. As I said, you can achieve that by putting some kind of API gateway or proxy in front of the HTTP Bridge. Or for example by using a separate Bridge with a different Kafka user for each client (but even then you need to secure the HTTP Bridge with some API gateway otherwise any client can use the Bridge from another client).

[sgv0007]

@scholzj Considering the first solution of using API gateway , How can we restrict access at topic level when using using a single http bridge ?

[scholzj]

Based on restricting access to different HTTP paths?

[sgv0007]

@scholzj thanks that helps :)

[kreuzj]

Hello @sgv0007, dealing with similar requirement for one of our customer. I'm just curious if you were able to have the setup working with restricting access to different HTTP paths (as the topic name is part of HTTP body of KB consumer subscribing to topics). Which API gateway are you using? Can you pls. provide more info?

Thanks,
Jan

[kreuzj]

Hello, @scholzj, can you pls. provide more details how did you mean the restricting access to different HTTP paths to control clients access to specific topics? Topic name is part of HTTP body when KB consumer is subscribing to topics (the URL path contains only consumer group and consumer name...). Thanks

Regards,
Jan

[scholzj]

I do not have any additional details for that, sorry.