
Kafka Security Configuration

FastStream Kafka Security

This chapter discusses the security options available in FastStream and how to use them.

Security Objects

FastStream lets you harden applications by passing a security object when creating a broker. A security object encapsulates security-related configuration and mechanisms. FastStream supports the following security objects (more, such as SASL OAuth, are planned):

1. BaseSecurity Object

Purpose: The BaseSecurity object wraps an ssl.SSLContext object and is used to enable SSL/TLS encryption for secure communication between FastStream services and external components such as message brokers.

Usage:

import ssl

from faststream import FastStream
from faststream.kafka import KafkaBroker
from faststream.security import BaseSecurity

# create_default_context() verifies the server certificate and hostname by default
ssl_context = ssl.create_default_context()
security = BaseSecurity(ssl_context=ssl_context)

broker = KafkaBroker("localhost:9092", security=security)
app = FastStream(broker)

2. SASLPlaintext Object with SSL/TLS

Purpose: The SASLPlaintext object is used for authentication in SASL (Simple Authentication and Security Layer) plaintext mode. It allows you to provide a username and password for authentication.

Usage:

import ssl

from faststream import FastStream
from faststream.kafka import KafkaBroker
from faststream.security import SASLPlaintext

ssl_context = ssl.create_default_context()
security = SASLPlaintext(ssl_context=ssl_context, username="admin", password="password")

broker = KafkaBroker("localhost:9092", security=security)
app = FastStream(broker)

Using any SASL authentication without SSL:

The following example should raise a RuntimeException:

SASLPlaintext(username="admin", password="password") # pragma: allowlist secret

If you do not want to use SSL encryption, you must explicitly set the use_ssl parameter to False when creating a SASL object. With use_ssl=False, the SASLPlaintext username and password cross the network unencrypted.

SASLPlaintext(username="admin", password="password", use_ssl=False) # pragma: allowlist secret

3. SASLScram256/512 Object with SSL/TLS

Purpose: The SASLScram256 and SASLScram512 objects are used for authentication using the Salted Challenge Response Authentication Mechanism (SCRAM).

Usage:

import ssl

from faststream import FastStream
from faststream.kafka import KafkaBroker
from faststream.security import SASLScram256

ssl_context = ssl.create_default_context()
security = SASLScram256(ssl_context=ssl_context, username="admin", password="password")

broker = KafkaBroker("localhost:9092", security=security)
app = FastStream(broker)

The same configuration using SASLScram512:

import ssl

from faststream import FastStream
from faststream.kafka import KafkaBroker
from faststream.security import SASLScram512

ssl_context = ssl.create_default_context()
security = SASLScram512(ssl_context=ssl_context, username="admin", password="password")

broker = KafkaBroker("localhost:9092", security=security)
app = FastStream(broker)
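
Every security object above receives an ssl.SSLContext, so the protection it gives depends on how that context is configured. The following is an added example, not part of the FastStream documentation or code base: it audits a context for disabled verification before building a SASLScram512 object and reads the credentials from the environment instead of hardcoding them. The helper names and the KAFKA_USERNAME / KAFKA_PASSWORD variable names are assumptions.

```python
import os
import ssl


def build_ssl_context(cafile=None):
    """TLS client context; cafile is an optional private-CA bundle (PEM)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_ssl_context(ctx):
    """Return the reasons this context would not authenticate the broker."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification disabled")
    if not ctx.check_hostname:
        problems.append("hostname checking disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions below 1.2 allowed")
    return problems


def load_credentials(env=None):
    """Read SASL credentials from the environment (variable names are assumptions)."""
    env = os.environ if env is None else env
    username = env.get("KAFKA_USERNAME")
    password = env.get("KAFKA_PASSWORD")
    if not username or not password:
        raise RuntimeError("KAFKA_USERNAME and KAFKA_PASSWORD must be set")
    return username, password


def make_security(ctx, env=None):
    """Build a SASLScram512 object only from a context that passes the audit."""
    problems = audit_ssl_context(ctx)
    if problems:
        raise ValueError("refusing weak TLS context: " + "; ".join(problems))
    username, password = load_credentials(env)
    # Imported lazily so the checks above also run without FastStream installed.
    from faststream.security import SASLScram512
    return SASLScram512(ssl_context=ctx, username=username, password=password)


if __name__ == "__main__":
    # Constructed demonstration: a context with verification switched off.
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    weak.check_hostname = False
    weak.verify_mode = ssl.CERT_NONE
    print(audit_ssl_context(build_ssl_context()))
    print(audit_ssl_context(weak))
```
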

Last update: 2023-10-17