Using Kafka's inter-broker security
Learn about Kafka inter-broker security and supported security protocols.
Kafka can expose multiple communication endpoints, each supporting a different protocol.
Supporting multiple communication endpoints enables you to use different communication
protocols for client-to-broker communications and broker-to-broker communications. Set the
Kafka inter-broker communication protocol using the
security.inter.broker.protocol property. Use this property primarily for
the following scenarios:
- Enabling SSL encryption for client-broker communication but keeping broker-broker communication as
PLAINTEXT. Because SSL has performance overhead, you might want to keep inter-broker communication as
PLAINTEXT if your Kafka brokers are behind a firewall and not susceptible to network snooping.
- Migrating from a non-secure Kafka configuration to a secure Kafka configuration without
requiring downtime. Use a rolling restart and keep
security.inter.broker.protocol set to a protocol that is supported by all brokers until all brokers are updated to support the new protocol.
For example, if you have a Kafka cluster that needs to be configured to enable Kerberos without downtime, follow these steps:
- Update the Kafka service configuration to enable Kerberos.
- Perform a rolling restart.
The following combinations of protocols are supported.
These protocols can be defined for broker-to-client interaction and for broker-to-broker
interaction. The property
security.inter.broker.protocol allows the
broker-to-broker communication protocol to be different than the broker-to-client protocol,
allowing rolling upgrades from non-secure to secure clusters. In most cases, set
security.inter.broker.protocol to the protocol you are using for
broker-to-client communication. Set
security.inter.broker.protocol to a
protocol different than the broker-to-client protocol only when you are performing a rolling
upgrade from a non-secure to a secure Kafka cluster.
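
The following added example (not part of the original documentation or of Kafka itself) audits a broker's server.properties text for the states described above: an inter-broker protocol that differs from the client-facing protocol, unencrypted inter-broker traffic, and an inter-broker protocol that no listener serves. The function names and finding codes are hypothetical, the sample configuration is constructed, and the check assumes listener names are the protocol names themselves (no custom listener.security.protocol.map).

```python
ENCRYPTED = {"SSL", "SASL_SSL"}

def parse_properties(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_inter_broker(text):
    """Return a sorted list of finding codes for one broker configuration."""
    props = parse_properties(text)
    # Assumption: each listener name is itself the security protocol.
    listeners = {entry.split("://", 1)[0].strip().upper()
                 for entry in props.get("listeners", "PLAINTEXT://:9092").split(",")
                 if entry.strip()}
    # Kafka defaults security.inter.broker.protocol to PLAINTEXT when unset.
    inter = props.get("security.inter.broker.protocol", "PLAINTEXT").upper()
    findings = set()
    if inter not in listeners:
        # Brokers have no endpoint speaking the protocol they are told to use.
        findings.add("NO_LISTENER_FOR_INTER_BROKER_PROTOCOL")
    if listeners - {inter}:
        # Expected only mid-rolling-upgrade or as a deliberate
        # PLAINTEXT-behind-a-firewall choice; should be reviewed otherwise.
        findings.add("INTER_BROKER_DIFFERS_FROM_CLIENT_PROTOCOL")
    if inter not in ENCRYPTED:
        findings.add("INTER_BROKER_TRAFFIC_UNENCRYPTED")
    return sorted(findings)

# Constructed sample: a broker in the middle of a rolling upgrade to Kerberos.
MID_UPGRADE = """
listeners=PLAINTEXT://:9092,SASL_PLAINTEXT://:9093
security.inter.broker.protocol=PLAINTEXT
"""

if __name__ == "__main__":
    for finding in audit_inter_broker(MID_UPGRADE):
        print(finding)
```

Running the audit against every broker after the final rolling restart confirms that no broker was left in the transitional state.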