FastStream Kafka Security

This chapter discusses the security options available in FastStream and how to use them.

Security Objects

FastStream lets you secure an application by passing a security object when creating a broker. A security object encapsulates the security-related configuration and mechanisms for the connection. FastStream supports the following security objects (more, such as SASL OAuth, are planned):

1. BaseSecurity Object

Purpose: The BaseSecurity object wraps an ssl.SSLContext object and is used to enable SSL/TLS encryption for communication between FastStream services and external components such as message brokers.

Usage:

import ssl

from faststream.confluent import KafkaBroker
from faststream.security import BaseSecurity

ssl_context = ssl.create_default_context()
security = BaseSecurity(ssl_context=ssl_context)

broker = KafkaBroker("localhost:9092", security=security)

2. SASLPlaintext Object with SSL/TLS

Purpose: The SASLPlaintext object is used for authentication in SASL (Simple Authentication and Security Layer) plaintext mode. It allows you to provide a username and password for authentication.

Usage:

import ssl

from faststream.confluent import KafkaBroker
from faststream.security import SASLPlaintext

ssl_context = ssl.create_default_context()
security = SASLPlaintext(
    ssl_context=ssl_context,
    username="admin",
    password="password", 
)

broker = KafkaBroker("localhost:9092", security=security)

Using any SASL authentication without SSL:

The following example will log a RuntimeWarning:

SASLPlaintext(username="admin", password="password")

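Without SSL/TLS the connection is unencrypted, so with SASL plaintext the username and password cross the network in the clear. To use SASL without SSL encryption and without the warning being logged, explicitly set the use_ssl parameter to False when creating the SASL object: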

SASLPlaintext(username="admin", password="password", use_ssl=False) 

3. SASLScram256/512 Object with SSL/TLS

Purpose: The SASLScram256 and SASLScram512 objects are used for authentication using the Salted Challenge Response Authentication Mechanism (SCRAM).

Usage:

import ssl

from faststream.confluent import KafkaBroker
from faststream.security import SASLScram256

ssl_context = ssl.create_default_context()
security = SASLScram256(
    ssl_context=ssl_context,
    username="admin",
    password="password", 
)

broker = KafkaBroker("localhost:9092", security=security)

SASLScram512 is used the same way:

import ssl

from faststream.confluent import KafkaBroker
from faststream.security import SASLScram512

ssl_context = ssl.create_default_context()
security = SASLScram512(
    ssl_context=ssl_context,
    username="admin",
    password="password", 
)

broker = KafkaBroker("localhost:9092", security=security)
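
Every security object above accepts whatever ssl.SSLContext it is given, so a context with verification switched off still "enables TLS". The following added example (not FastStream's own code) checks a context before it is handed to SASLScram512 and reads the credentials from the environment instead of hard-coding them. The helper names `hardened_context`, `audit_ssl_context` and `scram_security`, and the variables `KAFKA_USERNAME` and `KAFKA_PASSWORD`, are assumptions made for this example.

```python
import os
import ssl


def hardened_context(cafile=None):
    """Client context that verifies the broker; cafile is an optional private CA bundle."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_ssl_context(ctx):
    """Return the reasons ctx should not carry SASL credentials (empty list = OK)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("broker certificate is not verified")
    if not ctx.check_hostname:
        problems.append("broker hostname is not checked")
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        problems.append("protocols older than TLS 1.2 are allowed")
    return problems


def scram_security(ctx, env=os.environ):
    """Build a SASLScram512 object, refusing weak TLS settings and missing credentials."""
    problems = audit_ssl_context(ctx)
    if problems:
        raise ValueError("refusing SSL context: " + "; ".join(problems))
    # Assumed variable names; a missing one raises KeyError instead of falling
    # back to a hard-coded default.
    username, password = env["KAFKA_USERNAME"], env["KAFKA_PASSWORD"]
    from faststream.security import SASLScram512  # imported only when needed
    return SASLScram512(ssl_context=ctx, username=username, password=password)


if __name__ == "__main__":
    # A context loosened for a self-signed broker certificate (constructed case).
    weak = ssl.create_default_context()
    weak.check_hostname = False
    weak.verify_mode = ssl.CERT_NONE
    print(audit_ssl_context(weak))
    print(audit_ssl_context(hardened_context()))
```

For a broker with a private or self-signed certificate, pass its CA bundle as `cafile` rather than turning verification off.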