Auth and Security

Security

Kafkorama ensures security through multiple layers, including:

  • TLS/SSL encryption for all client communications, using widely accepted industry standards
  • TLS/SSL encryption and authentication for JMX, HTTP, and Prometheus monitoring
  • A configurable list of supported TLS/SSL ciphers
  • Password protection for inter-cluster communication
  • Server execution as a non-privileged user
  • Support for dual firewall and DMZ deployment policies
  • IP whitelisting for message publication
  • Authorization mechanisms for data access control

In some deployments, a load balancer may be used in front of a Kafkorama cluster. However, a load balancer is not required: Kafkorama is designed to scale horizontally and deliver enterprise-grade security independently.

Authorization

Authorization in Kafkorama ensures that clients can only access the subjects (i.e., API endpoints) they are permitted to use. Specifically:

  • Clients can only subscribe to subjects they are authorized to subscribe to
  • Clients can only publish to subjects they are authorized to publish to

This is enforced using JWT-based keys, which define authorization rules for PUB and/or SUB operations for streaming API endpoints. These keys are managed in the Kafkorama Portal.
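The following sketch shows how a server can enforce per-subject PUB/SUB rules carried in a JWT. It is an added example, not Kafkorama's code or its actual key format. The HS256 signing, the `permissions`/`pub`/`sub` claim names, the `/*` wildcard syntax, and the sample subjects and secret are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue_key(secret: bytes, claims: dict) -> str:
    """Mint an HS256 JWT; stands in for the key-issuing side in this sketch."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}." + b64url_encode(sign(secret, f"{header}.{body}"))

def is_authorized(token, secret, op, subject, now=None) -> bool:
    """True only if the token verifies, is unexpired, and grants op on subject."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        # Pin the algorithm server-side; a token must never choose it (alg=none).
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return False
        expected = sign(secret, f"{header_b64}.{body_b64}")
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False
        claims = json.loads(b64url_decode(body_b64))
        if claims["exp"] <= (time.time() if now is None else now):
            return False
        for rule in claims["permissions"].get(op, []):
            # Hypothetical rule syntax: trailing "/*" covers a subtree,
            # anything else must match the subject exactly.
            if rule == subject or (rule.endswith("/*") and subject.startswith(rule[:-1])):
                return True
    except (ValueError, TypeError, KeyError, AttributeError):
        pass  # malformed token or claims: fail closed
    return False

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    key = issue_key(secret, {"exp": time.time() + 3600,
                             "permissions": {"sub": ["/stocks/*"], "pub": ["/orders/alice"]}})
    print(is_authorized(key, secret, "sub", "/stocks/nyse/ibm"))
    print(is_authorized(key, secret, "pub", "/stocks/nyse/ibm"))
```
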

© 2025 MigratoryData. All rights reserved.
