FastStream Kafka Security

This chapter discusses the security options available in FastStream and how to use them.

Security Objects

FastStream lets you harden applications by passing a security object when creating a broker. A security object encapsulates the security-related configuration and mechanisms for the connection. The following security objects are supported in FastStream (more are planned in the future, such as SASL OAuth):

1. BaseSecurity Object

Purpose: The BaseSecurity object wraps an ssl.SSLContext object and is used to enable SSL/TLS encryption for secure communication between FastStream services and external components such as message brokers.

Usage:

from faststream.confluent import KafkaBroker
from faststream.security import BaseSecurity

security = BaseSecurity(use_ssl=True)

broker = KafkaBroker("localhost:9092", security=security)

2. SASLPlaintext Object with SSL/TLS

Purpose: The SASLPlaintext object is used for authentication in SASL (Simple Authentication and Security Layer) plaintext mode. It allows you to provide a username and password for authentication.

Usage:

from faststream.confluent import KafkaBroker
from faststream.security import SASLPlaintext

security = SASLPlaintext(
    username="admin",
    password="password",  # pragma: allowlist secret
    use_ssl=True,
)

broker = KafkaBroker("localhost:9092", security=security)

3. SASLScram256/512 Object with SSL/TLS

Purpose: The SASLScram256 and SASLScram512 objects are used for authentication using the Salted Challenge Response Authentication Mechanism (SCRAM).

Usage:

from faststream.confluent import KafkaBroker
from faststream.security import SASLScram256

security = SASLScram256(
    username="admin",
    password="password", 
    use_ssl=True,
)

broker = KafkaBroker("localhost:9092", security=security)

from faststream.confluent import KafkaBroker
from faststream.security import SASLScram512

security = SASLScram512(
    username="admin",
    password="password", 
    use_ssl=True,
)

broker = KafkaBroker("localhost:9092", security=security)
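
The following added example (not FastStream or Confluent code) computes the SCRAM-SHA-256 client proof defined in RFC 5802 with the Python standard library and has the server verify it from its stored key, so the password itself never crosses the wire. The salt, nonces and function names are constructed for illustration, and SASLprep normalization is skipped (ASCII passwords assumed).

```python
import base64
import hashlib
import hmac

# Constructed sample values; SASLprep is skipped (ASCII passwords assumed).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 4096

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _client_key(password: str, salt: bytes, iterations: int) -> bytes:
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return _hmac(salted, b"Client Key")

def server_record(password: str, salt: bytes, iterations: int) -> dict:
    """What the server keeps at enrolment: StoredKey = H(ClientKey), not the password."""
    stored = hashlib.sha256(_client_key(password, salt, iterations)).digest()
    return {"salt": salt, "iterations": iterations, "stored_key": stored}

def auth_message(user, client_nonce, server_nonce, salt, iterations) -> bytes:
    """client-first-bare, server-first, client-final-without-proof (RFC 5802)."""
    nonce = client_nonce + server_nonce
    server_first = f"r={nonce},s={base64.b64encode(salt).decode()},i={iterations}"
    return f"n={user},r={client_nonce},{server_first},c=biws,r={nonce}".encode()

def client_proof(password: str, salt: bytes, iterations: int, message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    key = _client_key(password, salt, iterations)
    return _xor(key, _hmac(hashlib.sha256(key).digest(), message))

def server_verify(record: dict, message: bytes, proof: bytes) -> bool:
    """Recover ClientKey from the proof; its hash must equal StoredKey."""
    recovered = _xor(proof, _hmac(record["stored_key"], message))
    return hmac.compare_digest(hashlib.sha256(recovered).digest(), record["stored_key"])

if __name__ == "__main__":
    rec = server_record("password", SALT, ITERATIONS)
    msg = auth_message("admin", "cNonce123", "sNonce456", SALT, ITERATIONS)
    good = client_proof("password", SALT, ITERATIONS, msg)
    print("correct password:", server_verify(rec, msg, good))
    print("wrong password:  ", server_verify(rec, msg, client_proof("guess", SALT, ITERATIONS, msg)))
    fresh = auth_message("admin", "cNonce123", "freshNonce", SALT, ITERATIONS)
    print("replayed proof:  ", server_verify(rec, fresh, good))
```

Because the proof is bound to both nonces, a captured proof does not verify in a later session. SCRAM only authenticates the client, so use_ssl=True is still what protects the messages that follow.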

4. SASLOAuthBearer Object with SSL/TLS

Purpose: The SASLOAuthBearer object is used for authentication using the OAuth sasl.mechanism. When using it, you additionally need to supply the necessary sasl.oauthbearer.* values in config and pass it to KafkaBroker, e.g. sasl.oauthbearer.client.id, sasl.oauthbearer.client.secret. The full list is available in the Confluent documentation.

Usage:

from faststream.confluent import KafkaBroker
from faststream.security import SASLOAuthBearer

security = SASLOAuthBearer(
    use_ssl=True,
)

broker = KafkaBroker("localhost:9092", security=security)

5. SASLGSSAPI Object with SSL/TLS

Purpose: The SASLGSSAPI object is used for authentication using Kerberos.

Usage:

from faststream.confluent import KafkaBroker
from faststream.security import SASLGSSAPI

security = SASLGSSAPI(use_ssl=True)

broker = KafkaBroker("localhost:9092", security=security)

Purpose: If you want to pass additional values to confluent-kafka-python, you can pass a dictionary called config to KafkaBroker. For example, to pass your own certificate file:

Usage:

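from pathlib import Path

from faststream.confluent import KafkaBroker
from faststream.security import SASLPlaintext

security = SASLPlaintext(
    username="admin",
    password="password",
    use_ssl=True,  # use TLS, as in the examples above, so the CA file below applies
)

# librdkafka does not expand "~", so resolve the home directory in Python
config = {"ssl.ca.location": str(Path("~/my_certs/CRT_cacerts.pem").expanduser())}

broker = KafkaBroker("localhost:9092", security=security, config=config)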