Securing Kafka at PayPal with
500 Billion Messages a Day
Agenda
© 2019 PayPal Inc. Confidential and proprietary.
Kafka @ PayPal Today
TLS on Kafka Overview
Enabling mTLS
Authentication
Future Work
Conclusion
Kafka @ PayPal Today
Overview
500+
Billion messages
per day
50+
Clusters
~7PB
Disk
5000+
Topics
Kafka Journey (version timeline): 0.8, 0.9, 0.10, 1.1, 2.2
Kafka @ PayPal Today
Tech stack
Languages
Gimel
Application Frameworks
Multi-Tenant
Multiple Security & Availability Zones
Data Pipelines
Use Cases
User behavioral tracking
Experimental
Merchant monitoring
Risk & compliance
Business Events
Application logs
Application metrics
Gimel
Frameworks
& Platforms
Real-Time Streaming
Batch Processing
Kafka
Enabling mTLS
SSL & TLS
Terminology
• SSL Key
• SSL Certificate
• CA
• Trusted CAs
TLS Introduction
Encryption and authentication using SSL in open-source Kafka
• Generate SSL Key and Certs
• Create CA
• Sign the certificates
• Configure Kafka Properties
keytool -keystore server.keystore.jks -alias localhost -validity {validity} -genkey -keyalg RSA
openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days {validity} -CAcreateserial -passin pass:{ca-password}
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed
CLI Commands
KeyStore & TrustStore
Diagram: KeyStore (the server's own key and certificate) and TrustStore (the trusted CA certificates)
Configuration Sample
Broker Configurations
listeners=PLAINTEXT://host.name:port,SSL://host.name:port
ssl.keystore.location=/var/private/ssl/server.keystore.jks
ssl.keystore.password=test1234 [Optional]
ssl.key.password=test1234
ssl.truststore.location=/var/private/ssl/server.truststore.jks
ssl.truststore.password=test1234 [Optional]
Configuration Sample
Client Configuration
security.protocol=SSL
ssl.truststore.location=/var/private/ssl/client.truststore.jks
ssl.truststore.password=test1234 [Optional]
[Optional with mTLS]
ssl.keystore.location=/var/private/ssl/client.keystore.jks
ssl.keystore.password=test1234 [Optional]
ssl.key.password=test1234
TLS with One-way Auth
Diagram: the Kafka Broker (file-based KeyStore) presents its certificate; the Client Application (file-based TrustStore) verifies it (server authentication only).
TLS with Mutual Auth
Diagram: the Kafka Broker (file-based KeyStore and TrustStore) and the Client Application (file-based KeyStore and TrustStore) each present a certificate; the client verifies the broker (server authentication) and the broker verifies the client (client authentication).
Challenges to enable Kafka TLS @ PayPal
InfoSec/AppSec Restrictions
• File-based security material/credentials are not allowed
• Regular key rotations are required
Scalability
• Deploying the key/trust store files to thousands of brokers
• Deploying the key/trust store files to 10x/100x as many Kafka client boxes
• Keeping all those key/trust store files and their passwords secure
• No unified way to distribute the KeyStore and TrustStore across different languages
PayPal's Key Management Service
In-house Key Management Service (comparable to Vault / AWS KMS)
• A company-internal CA issues the certificates
• Rotates the keys
Work Flow without SSL in PayPal
Sequence diagram (participants: Kafka Client, Config Service, Kafka Broker):
1. Kafka Client -> Config Service: send topic config request
2. Config Service -> Kafka Client: return topic config {Topic1: bootstrap servers, client configs; Topic2: bootstrap servers, client configs}
3. Kafka Client -> Kafka Broker: connect
Solutions: Kafka Source Code Change – Client & Broker
Change the Kafka source code to allow a KeyStore/TrustStore plug-in
• Provide KeyStoreLoader & TrustStoreLoader interfaces for customized KeyStore and TrustStore loading
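As an added illustration (not PayPal's KeyStoreLoaderImpl, which is not public), here is how a file-less loader of the kind the ssl.keystore.loader / ssl.truststore.loader settings point at can assemble the broker's KeyStore and TrustStore in memory from material fetched from a KMS at startup, so no .jks file or store password ever lands on disk. The KmsClient interface, the "broker" alias and the random per-process entry password are assumptions; the java.security and javax.net.ssl calls are standard JDK API.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/** In-memory KeyStore/TrustStore built from KMS-served key material (no files on disk). */
public class KmsKeyStoreLoader {

    /** Assumed stand-in for the in-house KMS client; the real client API is PayPal-internal. */
    public interface KmsClient {
        PrivateKey fetchPrivateKey(String keyId);       // private key stays in process memory only
        byte[] fetchCertificateChainPem(String keyId);  // PEM: leaf certificate followed by intermediates
        byte[] fetchTrustedCaBundlePem();               // PEM: CA certificates this node should trust
    }

    private final KmsClient kms;
    private final String keyId;
    // Random, per-process password for the in-memory key entry; nothing needs to know it but this object.
    private final char[] keyPassword;

    public KmsKeyStoreLoader(KmsClient kms, String keyId) {
        this.kms = kms;
        this.keyId = keyId;
        this.keyPassword = randomPassword(32);
    }

    /** Equivalent of ssl.keystore.location, but sourced from KMS instead of a .jks file. */
    public KeyStore loadKeyStore() throws Exception {
        PrivateKey key = kms.fetchPrivateKey(keyId);
        Certificate[] chain = parsePem(kms.fetchCertificateChainPem(keyId));
        if (key == null || chain.length == 0) {
            throw new IllegalStateException("KMS returned no key material for " + keyId);
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                                   // creates an empty in-memory store
        ks.setKeyEntry("broker", key, keyPassword, chain);     // "broker" alias is an assumption
        return ks;
    }

    /** Equivalent of ssl.truststore.location, sourced from the KMS CA bundle. */
    public KeyStore loadTrustStore() throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        ts.load(null, null);
        int count = 0;
        for (Certificate ca : parsePem(kms.fetchTrustedCaBundlePem())) {
            ts.setCertificateEntry("ca-" + count++, ca);
        }
        if (count == 0) {
            throw new IllegalStateException("KMS returned an empty CA bundle; refusing to trust nothing");
        }
        return ts;
    }

    /** What an SSL plug-in ultimately hands to SSLContext.init(...) for the local identity. */
    public KeyManager[] keyManagers() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(), keyPassword);
        return kmf.getKeyManagers();
    }

    /** What an SSL plug-in hands to SSLContext.init(...) for peer verification. */
    public TrustManager[] trustManagers() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadTrustStore());
        return tmf.getTrustManagers();
    }

    private static Certificate[] parsePem(byte[] pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs = cf.generateCertificates(new ByteArrayInputStream(pem));
        return certs.toArray(new Certificate[0]);
    }

    private static char[] randomPassword(int len) {
        String alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
        SecureRandom rnd = new SecureRandom();
        char[] out = new char[len];
        for (int i = 0; i < len; i++) {
            out[i] = alphabet.charAt(rnd.nextInt(alphabet.length()));
        }
        return out;
    }
}
```

Because the key entry password is generated per process and never written anywhere, the ssl.keystore.password / ssl.key.password settings in the broker configuration can stay empty, which is exactly what the custom-loader configuration sample shows. Rotation then becomes a matter of re-running the loader, not redeploying files.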
Work Flow with SSL in PayPal
Sequence diagram (participants: Kafka Client, Config Service, KMS, Kafka Broker):
1. Kafka Client -> Config Service: send topic config request
2. Config Service -> Kafka Client: return topic config
3. Kafka Client -> KMS: send key/trust store request
4. KMS -> Kafka Client: get KeyStore and TrustStore
5. Kafka Client -> Kafka Broker: connect
Configuration Sample with Custom Key/Trust Store
Broker Configurations
listeners=SSL://host.name:port
ssl.keystore.loader=com.paypal.kafka.broker.KeyStoreLoaderImpl
ssl.keystore.location=
ssl.keystore.password=
ssl.key.password=
ssl.truststore.loader=com.paypal.kafka.broker.TrustStoreLoaderImpl
ssl.truststore.location=
ssl.truststore.password=
Client Configurations
security.protocol=SSL
ssl.truststore.loader=com.paypal.kafka.client.TrustStoreLoaderImpl
ssl.truststore.location=
ssl.truststore.password=
[Optional with mTLS]
ssl.keystore.loader=com.paypal.kafka.client.KeyStoreLoaderImpl
ssl.keystore.location=
ssl.keystore.password=
ssl.key.password=
Kafka Improvement Proposal
KIP-486 – Support custom way to load key and trust stores (Work-In-Progress)
KIP-519 – Make SSL context/engine configuration extensible (Work-In-Progress)
Kafka SASL Authentication
Authentication Overview
mTLS
SASL
• GSSAPI (Kerberos)
• SCRAM
• Delegation Tokens
• PLAIN
• OAUTHBEARER
Authentication Overview – evolution
KIP-12: Kafka SASL/Kerberos and SSL implementation (0.9.0.0)
KIP-85: Dynamic JAAS configuration for Kafka clients (0.10.2.0)
KIP-86: Configurable SASL callback handlers (2.0.0)
KIP-255: OAuth Authentication via SASL/OAUTHBEARER (2.0.0)
KIP-368: Allow SASL Connections to Periodically Re-Authenticate (2.2.0)
Authentication Overview – Auth Components
Kafka client (producer/consumer): KafkaClient -> KafkaChannel -> Authenticator
Kafka server: KafkaServer -> Processor -> Authenticator -> KafkaRequestHandler -> KafkaApis -> Authorizer
Authentication Overview - Pluggable Components
• sasl.login.class
• LoginModule
• sasl.login.callback.handler.class
• sasl.client.callback.handler.class
• sasl.server.callback.handler.class
• principal.builder.class
Authentication Overview – Client Auth Pluggable Components
KafkaClient, login phase:
  LoginManager.acquireLoginManager
    DefaultLogin.login()                                   <- sasl.login.class
      LoginContext.login()
        LoginModule                                        <- KafkaClient JAAS config
          .configure()
          .login()
            AuthenticateCallbackHandler.handle(Callback)   <- sasl.login.callback.handler.class
          .commit()  (sets the credentials on the Subject)
KafkaClient, connection phase:
  KafkaChannel.prepare()
    Authenticator.authenticate
      sendSaslClientToken
        SaslClient.evaluateChallenge
          AuthenticateCallbackHandler.handle(Callback)     <- sasl.client.callback.handler.class (retrieves the credentials from the Subject)
Authentication Overview - Server Auth Pluggable Components
Kafka Server, login phase:
  LoginManager.acquireLoginManager
    DefaultLogin.login()                                   <- sasl.login.class
      LoginContext.login()
        LoginModule                                        <- KafkaServer JAAS config
          .configure()
          .login()
            AuthenticateCallbackHandler.handle(Callback)   <- sasl.login.callback.handler.class
          .commit()
Kafka Server, per-connection phase:
  Processor(1).run()
    poll()
      KafkaChannel.prepare()
        SaslServerAuthenticator.authenticate
          …
            AuthenticateCallbackHandler.handle(Callback)   <- sasl.server.callback.handler.class
              validate()
sasl.login.class
• An implementation of org.apache.kafka.common.security.auth.Login that performs the login for each LoginModule specified through the login context.
• LoginManager initializes the Login class, passing it the login callback handler configured through sasl.login.callback.handler.class.
• In most cases the out-of-the-box Login implementations are sufficient: DefaultLogin, KerberosLogin, OAuthBearerRefreshingLogin.
• Applicable to client and server
Authentication Overview - Pluggable Components
LoginModule
• Interface for implementing SASL-specific authentication
• The Java security LoginContext invokes the LoginModule to perform implementation-specific authentication and to initialize the public and private credentials of a Subject
• The LoginModule should be provided in JAAS config format
• KIP-86 enables clients to load the JAAS config dynamically:
  As a JVM parameter: export KAFKA_OPTS="-Djava.security.auth.login.config=$KAFKA_HOME/config/kafka_server_jaas.conf"
  Through the configuration property: sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
• In most cases the out-of-the-box LoginModule implementations are sufficient for each type of authentication: OAuthBearerLoginModule, PlainLoginModule, ScramLoginModule, Krb5LoginModule
• Applicable to client and server
Authentication Overview - Pluggable Components
sasl.login.callback.handler.class
• An implementation of AuthenticateCallbackHandler that retrieves credentials from external services and sets them on the Callback; the LoginModule uses these credentials to set the private and public credentials on the Subject.
• For production use cases DON'T use the default handlers; write a custom AuthenticateCallbackHandler implementation compatible with the LoginModule of the respective SASL mechanism.
• Out-of-the-box handlers: OAuthBearerUnsecuredLoginCallbackHandler, DefaultLoginCallbackHandler
• Applicable to client and server
Authentication Overview - Pluggable Components
sasl.client.callback.handler.class
• An implementation of AuthenticateCallbackHandler that retrieves the credentials from the Subject that were created during LoginModule.login() and returns them to the Authenticator.
• In most cases the out-of-the-box handlers are sufficient: SaslClientCallbackHandler, OAuthBearerSaslClientCallbackHandler, KerberosClientCallbackHandler
• Applicable to client
Authentication Overview - Pluggable Components
sasl.server.callback.handler.class
• An implementation of AuthenticateCallbackHandler that validates the credentials passed by the client, through an external service or by some other means.
• If you are using the PLAIN or OAuth SASL mechanism it is recommended to write a custom AuthenticateCallbackHandler implementation to validate the credentials.
• Out-of-the-box handlers: SaslServerCallbackHandler, OAuthBearerUnsecuredValidatorCallbackHandler, PlainServerCallbackHandler, ScramServerCallbackHandler
Authentication Overview - Pluggable Components
Kafka Security at PayPal - OAUTHBEARER
OAuth Authentication at PayPal
Sequence diagram (participants: Kafka Client, KMS, Kafka):
Offline phase
  1. Kafka Client -> KMS: request access to Kafka (get access token)
  2. KMS: validate the user; create a JWS token encrypted with the Kafka public key
  3. KMS -> Kafka Client: encrypted JWS token
Online phase
  4. Kafka Client -> Kafka: Authenticate(JWS token)
  5. Kafka: decrypt the JWS token and extract the principal and scopes
Kafka Security at PayPal - OAUTHBEARER
1. Broker loads key material (PayPalServerLoginCallbackHandler)
   1. On startup it authenticates with KMS
   2. Loads from KMS the key material required to decrypt the JWS token provided by the client
2. Client gets an access token (PayPalClientLoginCallbackHandler)
   1. On startup it authenticates with KMS
   2. Loads the JWS token
   3. Sets the token as the channel Subject's public and private credentials
3. Broker authenticates the client (PayPalServerTokenValidatorCallbackHandler)
   1. The SASL authenticator uses the client callback handler to retrieve the credentials from the channel Subject
   2. Passes them to the server for authentication
   3. The server callback handler receives the request for validation
   4. It uses the private key to decrypt the token and extract the principal & scopes
   5. Updates the channel Subject's public and private credentials with this information for later use by the principal extractor when authorizing the resource
Kafka Security at PayPal - OAUTHBEARER
sasl.login.class: OAuthBearerRefreshingLogin
LoginModule: OAuthBearerLoginModule
sasl.login.callback.handler.class: PayPalClientLoginCallbackHandler, PayPalServerLoginCallbackHandler
sasl.client.callback.handler.class: OAuthBearerSaslClientCallbackHandler
sasl.server.callback.handler.class: PayPalServerTokenValidatorCallbackHandler
principal.builder.class: DefaultKafkaPrincipalBuilder
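Added example, not PayPal's code: a broker-side sasl.server.callback.handler.class for OAUTHBEARER shaped like step 3 above (PayPalServerTokenValidatorCallbackHandler). The Claims class and the TokenVerifier interface are assumed stand-ins for the KMS-backed decryption of the client's token; AuthenticateCallbackHandler, OAuthBearerValidatorCallback and OAuthBearerToken are the real Kafka types.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;

/**
 * Broker-side validator for SASL/OAUTHBEARER. SaslServerAuthenticator hands the client's token
 * to this handler inside an OAuthBearerValidatorCallback; the handler either attaches a validated
 * OAuthBearerToken (principal + scopes) to the callback or reports an error and the handshake fails.
 */
public class KmsTokenValidatorCallbackHandler implements AuthenticateCallbackHandler {

    /** Claims recovered from the client's token (assumed shape; the real token format is PayPal-internal). */
    public static final class Claims {
        public final String principal;
        public final Set<String> scopes;
        public final long issuedAtMs;
        public final long expiresAtMs;

        public Claims(String principal, Set<String> scopes, long issuedAtMs, long expiresAtMs) {
            this.principal = principal;
            this.scopes = scopes;
            this.issuedAtMs = issuedAtMs;
            this.expiresAtMs = expiresAtMs;
        }
    }

    /** Assumed KMS-backed verifier holding the broker private key loaded at startup (step 1 above). */
    public interface TokenVerifier {
        /** Decrypts and checks the token; throws SecurityException if it cannot be trusted. */
        Claims decryptAndVerify(String compactToken) throws SecurityException;
    }

    private final TokenVerifier verifier;

    /**
     * Kafka creates handlers reflectively through a no-arg constructor and then calls configure();
     * a production handler would obtain its TokenVerifier from KMS inside configure(). The verifier
     * is injected here so the validation logic is visible without a KMS.
     */
    public KmsTokenValidatorCallbackHandler(TokenVerifier verifier) {
        this.verifier = verifier;
    }

    @Override
    public void configure(Map<String, ?> configs, String saslMechanism,
                          List<AppConfigurationEntry> jaasConfigEntries) {
        if (!"OAUTHBEARER".equals(saslMechanism)) {
            throw new IllegalArgumentException("Unexpected SASL mechanism: " + saslMechanism);
        }
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (callback instanceof OAuthBearerValidatorCallback) {
                validate((OAuthBearerValidatorCallback) callback);
            } else {
                throw new UnsupportedCallbackException(callback);
            }
        }
    }

    private void validate(OAuthBearerValidatorCallback callback) {
        final String raw = callback.tokenValue();
        final Claims claims;
        try {
            claims = verifier.decryptAndVerify(raw);
        } catch (SecurityException e) {
            // RFC 7628 error status; the cause belongs in the broker log, not in the reply to the client.
            callback.error("invalid_token", null, null);
            return;
        }
        long now = System.currentTimeMillis();
        if (claims.principal == null || claims.principal.isEmpty() || claims.scopes == null
                || claims.expiresAtMs <= now || claims.issuedAtMs > now) {
            callback.error("invalid_token", null, null);
            return;
        }
        // Attaching the token publishes principal and scopes to the channel Subject, where the
        // principal builder and the Authorizer pick them up later (step 3.5 above).
        callback.token(new OAuthBearerToken() {
            @Override public String value() { return raw; }
            @Override public Set<String> scope() { return Collections.unmodifiableSet(claims.scopes); }
            @Override public long lifetimeMs() { return claims.expiresAtMs; }
            @Override public String principalName() { return claims.principal; }
            @Override public Long startTimeMs() { return claims.issuedAtMs; }
        });
    }

    @Override
    public void close() { }
}
```

The lifetimeMs value is also what KIP-368 re-authentication keys off: once the token expires, the broker forces the client to authenticate again rather than letting the session outlive the credential.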
Kafka Security at PayPal
Service definition (connection numbers refer to the deployment diagram):
Connection | Service | Definition
1, 4 | Kafka | SSL + SASL OAuth
2 | Kafka | SSL
3 | ZK | SASL: DIGEST-MD5
6 | ZK | Admin ports for followers if this instance is the leader
7 | ZK | Admin ports for leader election
Future Work
• Automating ACL management
Conclusion
Thank you!

Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 

Dernier (20)

Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 

Securing Kafka with 500 billion messages a day

Editor's notes

  1. Before we begin, let us see what everyone’s experience with Kafka is. Can you please raise your hand if you run Kafka right now at any scale? Now keep your hand raised if you process 1 million messages a day. 1 billion. 1 trillion. Okay cool, we’ve got a pretty good mix here. Last question before we move on: how many of you have a ‘Kakfa’ typo in your automation source code for Kafka? Hello everybody. Welcome to our presentation. My name is Maulin and I am here with my colleagues Thomas and Sanat, and we are from the Kafka team at PayPal. I’m here to talk about the challenges we face at PayPal managing multiple geo-distributed Kafka clusters and the solutions we apply.
  2. This is the agenda for this session. We’ll start with some details about Kafka @ PayPal in its present state. Then we will talk about how we enabled TLS and ACLs at PayPal and share some performance numbers related to the same. Finally we will conclude with highlighting some of the cool and challenging things we are working on.
  3. Our Kafka ecosystem processes 400 billion messages a day. We have over 50 clusters, which includes over 5000 topics, and 7 petabytes of total disk space. We’ve been running Kafka for a while now, starting with version 0.8 and our current version is 1.1.
  4. Our tech stack has grown enormously over the past few years, with clients using languages ranging from Java to Python to Node.js. We also have many different application frameworks connected to Kafka. Our clusters are multi-tenant, which means our clusters are generic and there are multiple use-cases in a single cluster. Our Kafka ecosystem is also distributed across multiple security and availability zones.
  5. Let’s take a look at data pipelines. At PayPal, some use-cases for Kafka are user behavioral tracking, experimental testing such as A/B testing, merchant SLA monitoring, and risk & compliance analytics. All these use-cases generate data in the form of business events, or application logs, or application metrics, or any combination of the three. This data flows through Kafka using batch processing or real-time streaming, and they end up in frameworks & platforms land where they are used for analytics or other processing. Additionally, it is very common for flows to have multiple hops where data is pumped into Kafka, consumed by a framework, and then additional data is pumped back into Kafka and consumed by yet another framework.
  6. Thank you Maulin. Hi everyone, I am Thomas. As Maulin mentioned before, the Kafka team is maintaining a large Kafka ecosystem at PayPal; over 500 billion messages are processed by Kafka every day. As a Fintech company, security has always been our highest priority. So how to secure Kafka at PayPal became the biggest thing at the Kafka team this year. Now, I am going to talk about how we enabled mutual TLS at PayPal.
  7. Before moving to Kafka TLS, let's quickly go through some terminology. SSL and its successor, TLS, are protocols for establishing authenticated and encrypted connections between networked computers. Although the SSL protocol was deprecated with the release of TLS 1.0 in 1999, it is still common to refer to these related technologies as “SSL” or “SSL/TLS.” In terms of SSL keys, basically, we mean private and public keys. The public key is used to encrypt while the private key is used to decrypt. Public keys can be made available to anyone, hence the term public. On the other hand, the private key cannot be shared. SSL certificates provide a verified link between public keys and the entity that they claim to belong to. A Certificate Authority is the third party who signs certificates. A trusted CA means this is a known third-party certificate issuer.
  8. Let’s take a look at how to enable TLS for open source Kafka. There are 4 main procedures to go through to get this done. Reflecting the SSL terminology, the procedures are to get the key and certificates, create a CA and sign the certificates. Then configure the related Kafka properties. The first 3 procedures can be done through the command line. Let’s just take a look at how many commands you need to run to get this done.
  9. As you can see, there are 8 commands you need to run using keytool to get the first 3 procedures done for 1 host.
  10. After running all these commands, you will get 2 things. A keystore contains private keys, and the certificates with their corresponding public keys. A truststore contains certificates from other parties that you expect to communicate with, or from Certificate Authorities that you trust.
  11. Now we have got the key and certs as JKS-type keystore and truststore files. The next step is to configure the Kafka broker and client properties. There are 7 properties you need to configure on the broker side to tell the broker where to load the keystore and truststore files from and the related credentials.
  12. The client-side configurations are pretty similar. However, a keystore is not necessary on the client side with one-way TLS. Now after this step, we have got everything ready for the TLS connection.
  13. Let's take a look at how one-way TLS works. As you can see in the diagram, there is a file-based keystore on the Kafka broker and a truststore on the client application. When the Kafka client tries to connect to the Kafka broker, the public certificate will be exported from the keystore on the Kafka broker and imported into the truststore at the client application. The truststore will try to authenticate the certificate and if it succeeds, the TLS connection will be made. This is the most common scenario for a TLS connection. However, in this scenario the client application trusts the broker that it connects to, but the Kafka broker may not know this application. That's why we need mutual auth.
  14. This diagram shows the workflow for mutual TLS. As you can see, compared with the previous slide, now both the Kafka broker and the Kafka client app have the file-based keystore and truststore. Then, same as in one-way auth, server authentication will also happen at this time. Furthermore, on top of server auth, the certificate will be exported from the keystore at the client app and imported into the truststore in the Kafka broker to do client authentication. After the 2 authentications are done, the TLS connection will be made. Then it is guaranteed that client and broker know each other. Is Kafka secured now? Yes.. But is it what we want at PayPal? Maybe not.. With the things that current open source Kafka provides, it is not easy for us to achieve Kafka TLS.
  15. Let's take a look at our challenges for enabling TLS for Kafka. Due to InfoSec and AppSec restrictions, file-based security material is not allowed at PayPal. How to deploy these security materials to thousands of broker hosts and hundreds of client hosts is also a big challenge for us. Also, key rotation and credential security are some extra work to think about.
  16. Before moving to the solution, let us move one step back to see what we have at PayPal. Let me introduce you to PayPal's Key Management Service. As you can easily imagine from the name, it is an in-house key management service like HashiCorp Vault and AWS KMS. Key Management Service is a CA that issues certificates for all internal applications, and it will manage key rotation.
  17. Also I want to show you how clients connect to Kafka brokers at PayPal. Let me introduce you to another service named Kafka configuration service. Basically, people send a request to the Kafka configuration service with the topic name and it will return all the required properties to reach that topic. The reason for developing this service is that we want to abstract the Kafka cluster away from the Kafka client. So instead of connecting to Kafka using a hard-coded bootstrap server list, the Kafka client will get all the configuration from the config service and use those configs to connect to Kafka. With the config service, Kafka clients don't need to worry about the bootstrap server list any more; what they need is only the topic name. The Kafka team can easily maintain the Kafka cluster by adding and removing nodes without worrying about customer impact.
  18. Based on the challenges and the 2 services that we have, our approach is very clear. We need a way to fetch the keystore and truststore from Key Management Service and load them on the client and broker side. We changed the Kafka source code on the client side and broker side and introduced 2 interfaces for customized keystore and truststore loading. With the implementation class for the interface, people can load the keystore and truststore from wherever they want, whether from disk or memory. At PayPal, the Kafka team will provide these implementation classes for clients.
  19. Now let's take a look at the workflow with TLS at PayPal. The Kafka client will also request config from the configuration service and the config service will return the config with the keystore loader and truststore loader class. The loader class will fetch the keystore and truststore from Key Management Service and load the keystore and truststore to connect to the Kafka broker. Clients will not even notice the change behind it because nothing needs to be changed on their side.
  20. Let me show you how simple it is to use this interface. You only need to have 1 configuration and you can have the connection to Kafka secured with SSL! You don't need to worry about the location and credentials; everything is inside the loader class.
  21. Kafka Client (producer/consumer) initializes the Authentication, Kafka Server autheni… In Kafka, Authentication happens when establishing the connection to the broker, whereas Authorization verification happens on each request.
  22. Configured through the client JAAS config; update credentials to the Subject. AuthenticateCallbackHandler.handle(Callback) <- sasl.login.callback.handler.class (org.apache.kafka.common.security.auth.AuthenticateCallbackHandler): load token/credentials and return them through the Callback.
  23. Configured through the client JAAS config; update credentials to the Subject. AuthenticateCallbackHandler.handle(Callback) <- sasl.login.callback.handler.class (org.apache.kafka.common.security.auth.AuthenticateCallbackHandler): load token/credentials and return them through the Callback.
  24. Configured through the client JAAS config; update credentials to the Subject. AuthenticateCallbackHandler.handle(Callback) <- sasl.login.callback.handler.class (org.apache.kafka.common.security.auth.AuthenticateCallbackHandler): load token/credentials and return them through the Callback.
  25. Configured through the client JAAS config; update credentials to the Subject. AuthenticateCallbackHandler.handle(Callback) <- sasl.login.callback.handler.class (org.apache.kafka.common.security.auth.AuthenticateCallbackHandler): load token/credentials and return them through the Callback.
  26. Configured through the client JAAS config; update credentials to the Subject. AuthenticateCallbackHandler.handle(Callback) <- sasl.login.callback.handler.class (org.apache.kafka.common.security.auth.AuthenticateCallbackHandler): load token/credentials and return them through the Callback.
  27. This is the workflow if we want to integrate with the in-house key management system. You can see that with the current infrastructure, clients need to call the key management system and convert it to file-based security material, then connect to the Kafka cluster, which we think is unnecessary. KMS call from the loader implementation that we provide.
  28. Alright! We are almost nearing the end of the presentation and I would like to highlight some of the cool and challenging things we are working on in the Kafka team.
  29. With that, I would like to thank you all for listening! Now we can take questions if you have any. Thank you!
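The broker and client property sets described in notes 11 to 14 (file-based keystore and truststore, `ssl.client.auth` for mutual TLS) and the "no file-based security material" requirement from note 15, as an added example that is not the presenters' code and does not show PayPal's custom loader interface, which the page does not publish. In place of that loader it uses Kafka's own in-memory PEM configuration (`ssl.keystore.type=PEM`, `ssl.keystore.key`, `ssl.keystore.certificate.chain`, `ssl.truststore.certificates`; KIP-651, shipped in Kafka 2.7, later than the 1.1/2.2 versions in the talk). `SecretSource`, the JKS paths, the `changeit` passwords and the placeholder PEM strings in `main` are assumptions standing in for a key-management call.

```java
import java.util.Properties;

/**
 * Added example (not the presenters' code): the mTLS property sets from the talk,
 * built first the file-based way of the open-source walkthrough and then without
 * any files, using Kafka's PEM config values (ssl.keystore.type=PEM, KIP-651, 2.7+).
 * SecretSource is a hypothetical interface standing in for a key-management call.
 */
public final class KafkaMtlsConfig {

    /** Hypothetical (assumption): a KMS client that hands back PEM strings, nothing on disk. */
    public interface SecretSource {
        String privateKeyPem();        // PKCS#8 private key, PEM encoded
        String certificateChainPem();  // leaf certificate followed by its intermediates
        String trustedCasPem();        // CA certificates this side should trust
        String privateKeyPassword();   // null when the PKCS#8 key is not encrypted
    }

    /** Client, as in the open-source procedure: JKS files and their passwords live on the host. */
    public static Properties clientFileBased(String bootstrapServers) {
        Properties p = new Properties();
        p.setProperty("bootstrap.servers", bootstrapServers);
        p.setProperty("security.protocol", "SSL");
        p.setProperty("ssl.truststore.location", "/etc/kafka/client.truststore.jks");
        p.setProperty("ssl.truststore.password", "changeit");   // secret sitting in a config file
        // Only these three turn one-way TLS into mutual TLS on the client side.
        p.setProperty("ssl.keystore.location", "/etc/kafka/client.keystore.jks");
        p.setProperty("ssl.keystore.password", "changeit");
        p.setProperty("ssl.key.password", "changeit");
        return p;
    }

    /** Same client with no files: the PEM values are passed as config, fetched at startup. */
    public static Properties clientInMemory(String bootstrapServers, SecretSource kms) {
        Properties p = new Properties();
        p.setProperty("bootstrap.servers", bootstrapServers);
        p.setProperty("security.protocol", "SSL");
        p.setProperty("ssl.truststore.type", "PEM");
        p.setProperty("ssl.truststore.certificates", kms.trustedCasPem());
        p.setProperty("ssl.keystore.type", "PEM");
        p.setProperty("ssl.keystore.key", kms.privateKeyPem());
        p.setProperty("ssl.keystore.certificate.chain", kms.certificateChainPem());
        if (kms.privateKeyPassword() != null) {
            p.setProperty("ssl.key.password", kms.privateKeyPassword());
        }
        // Match the broker certificate against the host name dialled; an empty value disables this.
        p.setProperty("ssl.endpoint.identification.algorithm", "https");
        p.setProperty("ssl.enabled.protocols", "TLSv1.2,TLSv1.3");
        return p;
    }

    /** Broker: same material plus ssl.client.auth=required, which is what makes the TLS mutual. */
    public static Properties brokerInMemory(String advertisedHost, SecretSource kms) {
        Properties p = new Properties();
        p.setProperty("listeners", "SSL://0.0.0.0:9093");
        p.setProperty("advertised.listeners", "SSL://" + advertisedHost + ":9093");
        p.setProperty("security.inter.broker.protocol", "SSL");
        p.setProperty("ssl.keystore.type", "PEM");
        p.setProperty("ssl.keystore.key", kms.privateKeyPem());
        p.setProperty("ssl.keystore.certificate.chain", kms.certificateChainPem());
        p.setProperty("ssl.truststore.type", "PEM");
        p.setProperty("ssl.truststore.certificates", kms.trustedCasPem());
        // "requested" would still admit clients that present no certificate; "required" rejects them.
        p.setProperty("ssl.client.auth", "required");
        p.setProperty("ssl.enabled.protocols", "TLSv1.2,TLSv1.3");
        return p;
    }

    /** Policy check for "no file-based security material": does the config still point at files? */
    public static boolean touchesFilesystem(Properties p) {
        return p.containsKey("ssl.keystore.location") || p.containsKey("ssl.truststore.location");
    }

    public static void main(String[] args) {
        // Constructed placeholder strings; a real SecretSource returns the PEM bodies from the KMS.
        SecretSource stub = new SecretSource() {
            public String privateKeyPem()       { return "-----BEGIN PRIVATE KEY-----\n<constructed>\n-----END PRIVATE KEY-----"; }
            public String certificateChainPem() { return "-----BEGIN CERTIFICATE-----\n<constructed>\n-----END CERTIFICATE-----"; }
            public String trustedCasPem()       { return "-----BEGIN CERTIFICATE-----\n<constructed>\n-----END CERTIFICATE-----"; }
            public String privateKeyPassword()  { return null; }
        };
        System.out.println("file-based client touches disk: " + touchesFilesystem(clientFileBased("kafka1:9093")));
        System.out.println("in-memory client touches disk:  " + touchesFilesystem(clientInMemory("kafka1:9093", stub)));
    }
}
```

The hostname check (`ssl.endpoint.identification.algorithm`) only exists on the client side; the broker's view of the client is the certificate chain validated against `ssl.truststore.certificates`, so authorization has to key off the certificate subject (or a mapping of it) rather than a host name. On the 1.1/2.2 versions the talk runs, the same shape needs either a source patch like the one the presenters describe or, from Kafka 2.6, a custom `ssl.engine.factory.class`.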
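The login callback path from note 22 (`sasl.login.callback.handler.class` pointing at an `org.apache.kafka.common.security.auth.AuthenticateCallbackHandler` that loads a token and returns it through the callback), as an added example that is not the presenters' code: a client-side handler for the SASL OAUTHBEARER mechanism. The Kafka types are the real ones shipped since Kafka 2.0; `TokenSource`, the `tokenSourceClass` JAAS option, the principal name `svc-orders` and the five-minute token constructed in `main` are assumptions standing in for an internal token service. It is wired up with `security.protocol=SASL_SSL`, `sasl.mechanism=OAUTHBEARER`, `sasl.login.callback.handler.class=KmsTokenLoginCallbackHandler` and a `sasl.jaas.config` of `org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required principal="svc-orders" tokenSourceClass="...";`.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;

/**
 * Added example (not the presenters' code): client-side SASL/OAUTHBEARER login handler.
 * Kafka calls configure() once and handle() at login and before every re-login, which it
 * schedules from the token's lifetimeMs, so no long-lived credential ever sits on disk.
 * TokenSource and the JAAS option tokenSourceClass are assumptions.
 */
public final class KmsTokenLoginCallbackHandler implements AuthenticateCallbackHandler {

    /** Hypothetical (assumption): whatever issues short-lived tokens to this workload. */
    public interface TokenSource {
        IssuedToken issue(String principal) throws IOException;
    }

    /** What the token service returned: opaque value, validity window, scopes. */
    public static final class IssuedToken {
        final String value; final long issuedAtMs; final long expiresAtMs; final Set<String> scopes;
        public IssuedToken(String value, long issuedAtMs, long expiresAtMs, Set<String> scopes) {
            this.value = value; this.issuedAtMs = issuedAtMs; this.expiresAtMs = expiresAtMs; this.scopes = scopes;
        }
    }

    private TokenSource source;
    private String principal;

    /** Kafka needs a public no-arg constructor; the source is then resolved from the JAAS options. */
    public KmsTokenLoginCallbackHandler() { this(null); }

    KmsTokenLoginCallbackHandler(TokenSource source) { this.source = source; }

    @Override
    public void configure(Map<String, ?> configs, String saslMechanism,
                          List<AppConfigurationEntry> jaasConfigEntries) {
        if (!"OAUTHBEARER".equals(saslMechanism)) {
            throw new IllegalArgumentException("only OAUTHBEARER is supported, got " + saslMechanism);
        }
        if (jaasConfigEntries.size() != 1) {
            throw new IllegalArgumentException("expected exactly one JAAS login module entry");
        }
        Map<String, ?> options = jaasConfigEntries.get(0).getOptions();
        Object p = options.get("principal");
        if (p == null) throw new IllegalArgumentException("JAAS option 'principal' is required");
        principal = p.toString();
        if (source == null) {                       // not injected: build it from the JAAS option
            Object cls = options.get("tokenSourceClass");
            if (cls == null) throw new IllegalArgumentException("JAAS option 'tokenSourceClass' is required");
            try {
                source = (TokenSource) Class.forName(cls.toString()).getDeclaredConstructor().newInstance();
            } catch (ReflectiveOperationException | ClassCastException e) {
                throw new IllegalArgumentException("cannot instantiate token source " + cls, e);
            }
        }
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof OAuthBearerTokenCallback) {
                ((OAuthBearerTokenCallback) cb).token(loadToken());
            } else {
                throw new UnsupportedCallbackException(cb);   // fail loudly on anything unexpected
            }
        }
    }

    /** Fetches a token and wraps it in the interface Kafka uses to schedule the next re-login. */
    OAuthBearerToken loadToken() throws IOException {
        final IssuedToken t = source.issue(principal);
        if (t.expiresAtMs <= System.currentTimeMillis()) {
            throw new IOException("token service returned an expired token for " + principal);
        }
        return new OAuthBearerToken() {
            @Override public String value() { return t.value; }
            @Override public Set<String> scope() { return Collections.unmodifiableSet(t.scopes); }
            @Override public long lifetimeMs() { return t.expiresAtMs; }   // absolute epoch ms, per the interface
            @Override public String principalName() { return principal; }
            @Override public Long startTimeMs() { return t.issuedAtMs; }
        };
    }

    @Override
    public void close() { }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the token service: a five-minute opaque token.
        TokenSource stub = who -> {
            long now = System.currentTimeMillis();
            return new IssuedToken("constructed-token-for-" + who, now, now + 300_000L, Collections.singleton("kafka"));
        };
        KmsTokenLoginCallbackHandler h = new KmsTokenLoginCallbackHandler(stub);
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
            Collections.singletonMap("principal", "svc-orders"));
        h.configure(Collections.emptyMap(), "OAUTHBEARER", Collections.singletonList(entry));
        OAuthBearerTokenCallback cb = new OAuthBearerTokenCallback();
        h.handle(new Callback[] { cb });
        System.out.println(cb.token().principalName() + " token valid for "
            + (cb.token().lifetimeMs() - System.currentTimeMillis()) / 1000 + "s");
    }
}
```

Kafka's default OAUTHBEARER login handler creates unsigned tokens and is meant for development only; a handler like this one is what production needs on the client, and the broker needs its own validating counterpart configured through `listener.name.<listener>.oauthbearer.sasl.server.callback.handler.class`, since the broker, not the client, is the side that must check the token before granting the principal. Authentication happens once per connection in this path, which is why the handler refuses an already-expired token instead of letting the broker find out on the first request.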