Kafka Security: ACLs—Whitelisting Your Clients

December 22, 2016 in Streaming Tutorials

Every Kafka deployment on Eventador has an associated access control list (ACL). The ACL defines which IP addresses are whitelisted and therefore allowed to produce to and consume from your deployment. A new deployment has no entries at all, so every connection is denied until you add one. To use the service you must first grant your client's IP address access by adding an entry for it to the ACL. Here is how you do it.

Assuming you have already created a deployment, your next step is to allow access to it.

Log into the Eventador console and click on your deployment name, then select the ‘security’ tab. If you don’t yet have any ACL entries you will be presented with this message:

Select the ‘Add ACL’ button. Then you will see a dialog like this:

At this point you need to decide which IP address or address range to add. If you are simply adding the machine you are currently on for testing purposes, add its public address, which is the address the brokers will see. You can find it like this:

curl -4 ifconfig.co

Enter the address it returns into the CIDR mask input field with /32 on the end to whitelist just that one address; a /24 would admit 256 addresses, not one. Bear in mind that if your machine sits behind NAT, the address returned is the shared egress address, so every host behind that NAT is whitelisted along with yours. You can also specify address ranges in CIDR notation. As you add entries, they are added to the ACL. Whitelisting a range grants it access to every endpoint associated with your deployment: your Kafka brokers, ZooKeeper nodes, the Eventador Notebook, and PipelineDB are all covered by this same whitelist, so a range you add for one of them is open to all of them.

As you build up your ACL it will look similar to this:

After adding an entry, test the endpoints to make sure you have access. The easiest way to do this is to use something like kafkacat to request metadata from your Kafka brokers:

kafkacat -L -b xxxxxx-kafka0.pub.va.eventador.io:9092 | wc -l

If kafkacat reports that the connection ‘timed out’, it was unable to reach the broker and the count will be 0 (the error goes to stderr, so nothing reaches wc). Otherwise you should see a positive line count. To find your Kafka broker list, select your deployment, then select the ‘connections’ tab.

Note that this must be done for each of your deployments; each deployment is covered by its own ranges. Removing an ACL entry is as simple as selecting the delete button to the right of the entry. This removes the range from the ACL and access from it is denied again. It’s good practice to periodically audit these entries to make sure you are still using them, and to remove any that you are not.
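The procedure above (find the client address, build a single-host CIDR entry, confirm the client is admitted) and the audit recommended in the last paragraph, as one added shell example. It is not part of the original post and not Eventador's tooling; it assumes the console accepts ordinary CIDR entries as described, all addresses are constructed from the TEST-NET documentation ranges, and the live broker check at the end relies on kafkacat exiting non-zero when it cannot fetch metadata.

```shell
#!/bin/sh
# Added example, not Eventador's tooling: offline helpers for building and
# auditing the CIDR entries in a deployment ACL. All addresses used here are
# constructed from the TEST-NET documentation ranges (203.0.113.0/24 etc.).

# Dotted-quad IPv4 -> 32-bit integer. Fails (exit 1) unless the input is
# exactly four octets in 0..255. Runs in a subshell so the IFS change is local.
ip_to_int() (
  IFS=.
  set -- $1
  [ $# -eq 4 ] || exit 1
  for octet in "$@"; do
    case $octet in
      ''|*[!0-9]*) exit 1 ;;
    esac
    [ "$octet" -le 255 ] || exit 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Prefix length of an entry; a bare address counts as a single host (/32).
# Fails on a prefix that is not a number in 0..32.
prefix_of() {
  case $1 in
    */*) p=${1#*/} ;;
    *)   p=32 ;;
  esac
  case $p in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$p" -le 32 ] || return 1
  echo "$p"
}

# Number of addresses an entry admits: 2^(32 - prefix).
# /32 is exactly one host; /24 is 256 addresses.
cidr_size() {
  p=$(prefix_of "$1") || return 1
  echo $(( 1 << (32 - p) ))
}

# The entry to add for a single client whose public address came from
# `curl -4 ifconfig.co`: that address with a /32 suffix.
host_entry() {
  ip_to_int "$1" >/dev/null || return 1
  echo "$1/32"
}

# Exit 0 when the client address lies inside the CIDR entry, 1 otherwise.
cidr_contains() {
  net=${1%/*}
  prefix=$(prefix_of "$1") || return 1
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  n=$(ip_to_int "$net") || return 1
  c=$(ip_to_int "$2") || return 1
  [ $(( n & mask )) -eq $(( c & mask )) ]
}

# Audit an ACL against one client address: warn on stderr about every entry
# wider than a single host, and exit 0 if the client is admitted, 1 if not.
# Usage: audit_acl CLIENT_IP ENTRY...
audit_acl() {
  client=$1
  shift
  admitted=1
  for entry in "$@"; do
    size=$(cidr_size "$entry") || { echo "WARN: $entry is not a valid CIDR entry" >&2; continue; }
    [ "$size" -eq 1 ] || echo "WARN: $entry admits $size addresses, not one host" >&2
    if cidr_contains "$entry" "$client"; then
      admitted=0
    fi
  done
  return $admitted
}

# Live check once an entry is in place (needs kafkacat and network access, so
# the walkthrough below does not call it): kafkacat -L exits non-zero when it
# cannot fetch broker metadata, which is what an ACL block looks like.
check_broker() {
  kafkacat -L -b "$1" >/dev/null 2>&1
}

# Constructed walkthrough: one developer host entered correctly (/32) and one
# entry that was mistakenly entered as a /24. Expect a WARN for the second.
CLIENT=203.0.113.7
ACL="$(host_entry "$CLIENT") 198.51.100.0/24"
if audit_acl "$CLIENT" $ACL; then
  echo "$CLIENT is admitted by ACL: $ACL"
else
  echo "$CLIENT is denied; add $(host_entry "$CLIENT") to the ACL"
fi
```

Run it against your real ACL by passing the client address and the console's entries to audit_acl; any WARN line is an entry worth revisiting at your next audit, and check_broker with a broker from the ‘connections’ tab confirms the same thing end to end.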

Of course, if you have any trouble setting ACLs on your deployment you can always ping support at any time and we will get you fixed right up.
