FastStream Kafka Security

This chapter discusses the security options available in FastStream and how to use them.

Security Objects

FastStream lets you secure applications by passing a security object when creating a broker. A security object encapsulates security-related configuration and mechanisms. FastStream supports the following security objects (more are planned in the future, such as SASL OAuth):

1. BaseSecurity Object

Purpose: The BaseSecurity object wraps an ssl.SSLContext object and is used to enable SSL/TLS encryption for secure communication between FastStream services and external components such as message brokers.

Usage:

import ssl

from faststream.kafka import KafkaBroker
from faststream.security import BaseSecurity

ssl_context = ssl.create_default_context()
security = BaseSecurity(ssl_context=ssl_context)

broker = KafkaBroker("localhost:9092", security=security)
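The usage above hands ssl.create_default_context() to BaseSecurity as is. The following added example (not FastStream's own code) builds the context for a private CA or mutual TLS and checks that it still authenticates the broker before it is wrapped. The helper names build_kafka_ssl_context, audit_ssl_context and require_verified are hypothetical, and only the standard library ssl module is used.

```python
import ssl


def build_kafka_ssl_context(cafile=None, certfile=None, keyfile=None):
    """Client-side context for a TLS Kafka listener.

    cafile: PEM bundle of a private CA; None keeps the system trust store.
    certfile/keyfile: client certificate and key when the broker requires mutual TLS.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 handshakes
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def audit_ssl_context(ctx):
    """Return findings for settings that stop the client authenticating the broker."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: broker certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the broker name")
    floor = ctx.minimum_version
    if floor != ssl.TLSVersion.MAXIMUM_SUPPORTED and floor < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows protocols older than TLS 1.2")
    return findings


def require_verified(ctx):
    """Return ctx unchanged, or raise ValueError listing why it is unsafe to use."""
    findings = audit_ssl_context(ctx)
    if findings:
        raise ValueError("insecure SSLContext: " + "; ".join(findings))
    return ctx


if __name__ == "__main__":
    # Constructed sample: a context with verification switched off, as often
    # left behind after debugging against a self-signed broker certificate.
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    weak.check_hostname = False
    weak.verify_mode = ssl.CERT_NONE
    print(audit_ssl_context(weak))
    print(audit_ssl_context(build_kafka_ssl_context()))
    # With FastStream installed, pass the checked context as on this page:
    #   security = BaseSecurity(ssl_context=require_verified(build_kafka_ssl_context()))
```

The same checked context can be passed as ssl_context to the SASL security objects, which matters most where a password travels inside the TLS session.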

2. SASLPlaintext Object with SSL/TLS

Purpose: The SASLPlaintext object is used for authentication in SASL (Simple Authentication and Security Layer) plaintext mode. It allows you to provide a username and password for authentication.

Usage:

import ssl

from faststream.kafka import KafkaBroker
from faststream.security import SASLPlaintext

ssl_context = ssl.create_default_context()
security = SASLPlaintext(
    ssl_context=ssl_context,
    username="admin",
    password="password", 
)

broker = KafkaBroker("localhost:9092", security=security)

3. SASLScram256/512 Object with SSL/TLS

Purpose: The SASLScram256 and SASLScram512 objects are used for authentication using the Salted Challenge Response Authentication Mechanism (SCRAM).

Usage:

import ssl

from faststream.kafka import KafkaBroker
from faststream.security import SASLScram256

ssl_context = ssl.create_default_context()
security = SASLScram256(
    ssl_context=ssl_context,
    username="admin",
    password="password", 
)

broker = KafkaBroker("localhost:9092", security=security)

import ssl

from faststream.kafka import KafkaBroker
from faststream.security import SASLScram512

ssl_context = ssl.create_default_context()
security = SASLScram512(
    ssl_context=ssl_context,
    username="admin",
    password="password", 
)

broker = KafkaBroker("localhost:9092", security=security)

4. SASLOAuthBearer Object with SSL/TLS

Purpose: The SASLOAuthBearer object is used for authentication using the OAUTHBEARER sasl_mechanism. To complete the authentication flow, you'll likely need to provide your own sasl_oauth_token_provider to the KafkaBroker object, such as AWS's aws-msk-iam-sasl-signer-python. For more information, see AIOKafka's documentation on AbstractTokenProvider.

Usage:

import ssl

from faststream.kafka import KafkaBroker
from faststream.security import SASLOAuthBearer

ssl_context = ssl.create_default_context()
security = SASLOAuthBearer(
    use_ssl=True,
    ssl_context=ssl_context
)

broker = KafkaBroker(
    "localhost:9092",
    security=security,
    sasl_oauth_token_provider=...
)

5. SASLGSSAPI Object with SSL/TLS

Purpose: The SASLGSSAPI object is used for authentication using Kerberos.

Usage:

import ssl

from faststream.kafka import KafkaBroker
from faststream.security import SASLGSSAPI

ssl_context = ssl.create_default_context()
security = SASLGSSAPI(ssl_context=ssl_context)

broker = KafkaBroker("localhost:9092", security=security)