Microservices Security in Action

This is an excerpt from Manning's book Microservices Security in Action.

9.3 Developing a microservice to push events to a Kafka topic

In this section, we discuss how to develop a microservice in Spring Boot to push events to a Kafka topic. The microservice receives messages via HTTP, and those messages are then converted into events and pushed to a topic on Kafka. You can find all the samples in the https://github.com/microservices-security-in-action/samples GitHub repository. Navigate to the chapter09/sample01 directory by using your command-line tool and execute the following command from within the sample01 directory to build the Order Processing microservice:

We now want to get to a state where only selected microservices are given selective permissions to Kafka topics. For example, we need to ensure that only the Order Processing microservice can publish events into the ORDERS topic in Kafka, and only the Buying History microservice should be permitted to read events from the ORDERS topic. We can’t achieve this with mTLS alone: because the Buying History microservice from section 9.6 was granted connection rights through mTLS, it can technically publish events to the ORDERS topic, even though the code examples we used didn’t. Figure 9.10 illustrates this scenario.

Figure 9.10 The Buying History microservice sends events to Kafka topics. Any microservice that's trusted by Kafka can technically send events to its topics unless restricted by ACLs. These events are delivered to microservices that are subscribed to the Kafka topic unless they have been restricted by ACLs.

Let’s take a look at how to prevent this from happening. What we have achieved so far in this chapter is client and server authentication. To enforce more fine-grained access control on Kafka topics, we need to implement authorization on Kafka. Kafka provides a way of implementing authorization using ACLs. An ACL is basically a rule on Kafka that either permits or denies a particular entity the right to perform an action on a Kafka resource. Kafka ACLs are defined in the following format:
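To make the authorization decision concrete, here is an added example (not code from the book or its samples repository) that models how Kafka's authorizer evaluates ACLs against the mTLS principal of each microservice, with the two rules the text calls for: only Order Processing may write to ORDERS, only Buying History may read it. The certificate DNs, broker address and topic set are constructed for the illustration.

```python
"""Kafka ACL decision model for the ORDERS topic (constructed example).
Authorizer logic: if the resource has no ACLs at all, allow.everyone.if.no.acl.found
decides (false by default, so deny); otherwise a matching DENY wins, then a
matching ALLOW grants, otherwise deny. Equivalent CLI for the first rule below:
  kafka-acls.sh --bootstrap-server kafka:9093 --add \
    --allow-principal "User:CN=orderprocessing,O=retail" --operation Write --topic ORDERS
"""
from dataclasses import dataclass

# Kafka's implication rules: ALL covers everything; READ, WRITE, DELETE and
# ALTER each also grant DESCRIBE on the same resource.
IMPLIED = {"ALL": {"READ", "WRITE", "CREATE", "DELETE", "ALTER", "DESCRIBE",
                   "DESCRIBE_CONFIGS", "ALTER_CONFIGS", "IDEMPOTENT_WRITE"},
           "READ": {"READ", "DESCRIBE"}, "WRITE": {"WRITE", "DESCRIBE"},
           "DELETE": {"DELETE", "DESCRIBE"}, "ALTER": {"ALTER", "DESCRIBE"},
           "ALTER_CONFIGS": {"ALTER_CONFIGS", "DESCRIBE_CONFIGS"}}

@dataclass(frozen=True)
class Acl:
    principal: str   # "User:<client cert DN>" under mTLS, or the wildcard "User:*"
    permission: str  # "ALLOW" or "DENY"
    operation: str   # e.g. "WRITE"
    topic: str       # literal topic name, or "*" for every topic

    def covers(self, topic):
        return self.topic in (topic, "*")

    def matches(self, principal, operation):
        return (self.principal in (principal, "User:*")
                and operation in IMPLIED.get(self.operation, {self.operation}))

def authorize(acls, principal, operation, topic, allow_everyone_if_no_acl=False):
    on_topic = [a for a in acls if a.covers(topic)]
    if not on_topic:                      # resource has no ACLs at all
        return allow_everyone_if_no_acl
    matching = [a for a in on_topic if a.matches(principal, operation)]
    if any(a.permission == "DENY" for a in matching):
        return False                      # DENY always beats ALLOW
    return any(a.permission == "ALLOW" for a in matching)

# Constructed principals; real ones come from each service's client cert DN.
ORDER_PROCESSING = "User:CN=orderprocessing,O=retail"
BUYING_HISTORY = "User:CN=buyinghistory,O=retail"
ORDERS_ACLS = [Acl(ORDER_PROCESSING, "ALLOW", "WRITE", "ORDERS"),
               Acl(BUYING_HISTORY, "ALLOW", "READ", "ORDERS")]

def check_orders_topic(acls=ORDERS_ACLS):
    """Map (principal, operation) -> decision for the ORDERS topic."""
    return {(p, op): authorize(acls, p, op, "ORDERS")
            for p in (ORDER_PROCESSING, BUYING_HISTORY)
            for op in ("WRITE", "READ", "DESCRIBE")}
```

Note that a real consumer additionally needs READ on its consumer Group resource, which this topic-only model leaves out.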
