Kafka Security: ACLs - whitelisting your clients

How this basic security feature works on the Eventador platform


by Kenny Gorman, Founder and CEO
   22 Dec 2016

Every Kafka deployment on Eventador has an associated access control list (ACL). The ACL defines which IP addresses are whitelisted, that is, allowed to produce to and consume from your deployment. There are no entries at deploy time, so all access is denied until you add one. In order to use our service you must first grant your client's IP address access by adding an entry for it to the ACL. Here is how you do it.

Assuming you have already created a deployment, your next step is to allow access to it.

Log into the Eventador console and click on your deployment name, then select the ‘security’ tab. If you don’t yet have any ACL entries you will be presented with this message:

(screenshot: acl)

Select the ‘Add ACL’ button. Then you will see a dialog like this:

(screenshot: addacl)

At this point you need to decide which IP address or IP address range to add. If you are simply adding the machine you are currently on for testing purposes, just add its address. You can find your IP address like this:

curl -4 ifconfig.co

Enter the IP address it returns into the CIDR mask input field; be sure to add a /24 on the end for just the IP you specify. You can specify address ranges using CIDR notation. Each entry you add is appended to the ACL. This whitelists those ranges for access to every endpoint associated with your deployment: your Kafka brokers, ZooKeepers, the Eventador Notebook, and PipelineDB are all covered by this same whitelist.

As you build up your ACL it will look similar to this:

(screenshot: whitelist)

After adding an entry, you can test the endpoints to confirm you have access. The easiest way to do this is to use something like kafkacat to query your Kafka brokers for metadata.

kafkacat -L -b xxxxxx-kafka0.pub.va.eventador.io:9092 | wc -l
88

If this command returns ‘timed-out’, the client was unable to connect. Otherwise, you should see a numeric result. To find your Kafka broker list, select your deployment, then select the ‘connections’ tab.

It’s worth noting this must be done for each of your deployments. Each deployment is covered by its own ranges. Removing ACL entries is as simple as selecting the delete button to the right of the entry. This removes the IP range from the ACL, and access from it is denied. It’s good practice to periodically audit these entries to make sure you are still using them.
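To make the CIDR notation from the entry step concrete, and to give the periodic audit recommended above something to run, here is an added example in Python using the standard ipaddress module. It is my own code, not Eventador's, and not part of the original post. It shows what an entry actually admits: a /32 suffix matches exactly the one address you entered, while a /24 suffix matches a block of 256 addresses, so the two are not interchangeable. The ACL entries and client addresses are constructed from the RFC 5737 documentation ranges, and the 16-host "too broad" threshold is an assumption to tune for your own environment.

```python
"""Audit helper for a CIDR-based IP whitelist such as an Eventador ACL.

Added example, not Eventador's code. It uses only Python's standard
ipaddress module. The ACL entries and client addresses are constructed
from the RFC 5737 documentation ranges and are not real client IPs.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample ACL, as it might look after a few 'Add ACL' clicks.
SAMPLE_ACL = [
    "203.0.113.7/32",   # one test laptop: exactly one address
    "203.0.113.7/24",   # the same laptop entered with /24: a 256-address block
    "198.51.100.0/28",  # a small office range (16 addresses)
    "0.0.0.0/0",        # "allow everything": the whitelist no longer restricts anyone
]


def parse_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse 'a.b.c.d/len' into a network.

    strict=False accepts a host address with a short mask (203.0.113.7/24)
    and normalises it to the block it really denotes (203.0.113.0/24),
    which is how a packet filter would apply it.
    """
    return ipaddress.ip_network(entry, strict=False)


def address_count(entry: str) -> int:
    """Number of client addresses an entry admits (/32 -> 1, /24 -> 256)."""
    return parse_entry(entry).num_addresses


def is_allowed(client_ip: str, acl: Iterable[str]) -> bool:
    """True if any ACL entry covers client_ip; this is the decision that
    determines whether a metadata request such as 'kafkacat -L' gets an
    answer or times out."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in parse_entry(entry) for entry in acl)


def audit(acl: Iterable[str], max_hosts: int = 16) -> List[Tuple[str, str]]:
    """Return (entry, finding) pairs for entries worth a second look.

    max_hosts is an assumed threshold for "too broad"; tune it to the size
    of the client ranges you actually expect.
    """
    nets = [(entry, parse_entry(entry)) for entry in acl]
    findings: List[Tuple[str, str]] = []
    for entry, net in nets:
        if net.prefixlen == 0:
            findings.append((entry, "allows every address; the whitelist is effectively disabled"))
        elif net.num_addresses > max_hosts:
            findings.append((entry, f"covers {net.num_addresses} addresses"))
        # An entry fully contained in a different entry is redundant: deleting
        # it revokes nothing, which is easy to miss during a periodic review.
        for other_entry, other in nets:
            if other_entry != entry and net.subnet_of(other):
                findings.append((entry, f"already covered by {other_entry}"))
                break
    return findings


if __name__ == "__main__":
    for entry in SAMPLE_ACL:
        print(f"{entry:>18} -> {str(parse_entry(entry)):>18} ({address_count(entry)} addresses)")
    print("203.0.113.200 allowed by the /24 entry alone:",
          is_allowed("203.0.113.200", ["203.0.113.7/24"]))
    for entry, finding in audit(SAMPLE_ACL):
        print(f"{entry}: {finding}")
```

Run it as-is to see the sample findings, or replace SAMPLE_ACL with the entries from your deployment's security tab. The "already covered" finding is the one to watch during an audit: once a broad entry exists, deleting the narrower ones does not actually revoke anyone's access.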

Of course, if you have any trouble setting ACLs on your deployment you can always ping support at any time and we will get you fixed right up.