페이지

2024년 7월 12일 금요일

Authentication in Kafka

1. Authentication in Kafka ensures that only clients thats can prove their identity can connect to our Kafka Cluster

2. This is similar concept to a login (username / password)

3. Authentication in Kafka can take a few forms

4. SSL Authentication: clients authenticate to Kafka using SSL certificates

5. SASL Authentication:
    - PLAIN: clients authenticate using username / password (weak - easy to setup)
    - Kerberos: such as Microsoft Active Directory (strong - hard to setup)
    - SCRAM: username / password (strong - medium to setup)

6. Once a client is authenticated, Kafka can verify its identity

7. It still needs to be combined with authorisatioin, so that Kafka knows that
    - "User alice can view topic finace"
    - "User bob cannot view topic trucks"

8. ACL(Access Control Lists) have to be maintained by administration and onboard new users




Encryption in Kafka

1. Encryption in Kafka ensures that the data exchanged between clients and brokers is secret to routers on the way

2. This is similar concept to an https website




The need for encryption, authentication & nauthorization in Kafka

 1. Currently, any client can access your Kafka cluster (authentication)

2. The clients can publish / consume any topic data (authorisation)

3. All the data being sent is fully visible on the network (encryption)


- Someone could intercept data being sent

- Someone could publish bad data / steal data

- Someone could delete topics


- All these reasons push for more security and an authentication mode

Kafka Monitoring and Operations

1. Kafka exposes metrics through JMX.

2. These metrics are highly important for monitoring Kafka, and ensuring the systems are behaving correctly under load.

3. Common places to host the Kafka metrics:

    - ELK(ElasticSearch _ Kibana)

    - Datadog

    - NewRelic

    - Confluent Control Centre

    - Promotheus

    - Many others...!


4. Some of the most important metrics are:


5. Under Replicated Partitions: Number of partitions are have problems with the ISR (in-sync replicas). May indicate a high load on the system


6. Request Handlers: utilization of threads for IO, network, etc... overall utilization of an Apache Kafka broker.


7. Request timing: how long it takes to reply to requests. Lower is better, as latency will be improved.


8. Overall have a look at the documentation here:

- https://kafka.apache.org/documentation/#monitoring

- https://docs.confluent.io/current/kafka/monitoring.html

- https://www.datadoghq.com/blog/monitoring-kafka-performance-metrics/


9. Kafka Operations team must be able to perform the following tasks:

    - Rolling restart of Brokers

    - Updating Configurations

    - Rebalancing Partitions

    - Increasing replication factor

    - Adding a Broker

    - Replacing a Broker

    - Removing a Broker

    - Upgrading a Kafka Cluster with zero downtime






Kafka Cluster Setup Gotchas

1. It's not easy to setup a cluster

2. You want to isolate each Zookeeper & Broker on separate servers

3. Monitoring needs to be implemented

4. Operations have to be mastered

5. You need a really good Kafka Admin


- Alternative: main different "Kafka as a Service" offerings on the web

- No operational burdens (upates, monitoring, setup, etc...)



2024년 7월 10일 수요일

Kafka Cluster Setup High Level Architecture

 1. You want multiple brokers in different data centers (racks) to distribute your load. You also want a cluster of at least 3 zookeeper

2. In AWS: