Deploy Interceptor
Deploys an Interceptor on Gateway.- Managed with: API, CLI, UI, TF
- CLI
- Terraform
metadata.scopeis optional (default empty).metadata.scope.[vCluster | group | username]combine with each other to define the targeting- Check the dedicated Interceptor targeting section
spec.pluginClassis mandatory. Has to be a valid Interceptor class name.spec.priorityis mandatoryspec.configis a valid config for thepluginClass
Interceptor targeting
You can activate your Interceptor only in specific scenarios. Use the table below to configure Targeting settings.| Use case | metadata.scope.vcluster | metadata.scope.group | metadata.scope.username |
|---|---|---|---|
| Global Interceptor (Including Virtual Clusters) | Set to null | Set to null | Set to null |
| Global Interceptor (Excluding Virtual Clusters) | Empty | Empty | Empty |
| Username targeting | Empty | Empty | Set |
| Group targeting | Empty | Set | Empty |
| Virtual Cluster targeting | Set | Empty | Empty |
| Virtual Cluster + Username targeting | Set | Empty | Set |
| Virtual Cluster + Group targeting | Set | Set | Empty |
The order of precedence from highest (overrides all others) to lowest (most easily overridden) is:
- ServiceAccount
- Group
- VirtualCluster
- Global
Examples
Supported authentication methods
Gateway supports different client authentication methods depending on the security mode (Gateway-managed or Kafka-managed) and service account type (local or external).| Mode | Protocol | Local service account | External service account |
|---|---|---|---|
| Anonymous | |||
GATEWAY_MANAGED | PLAINTEXT | ❌ | ❌ |
| SSL | ❌ | ❌ | |
| SSL with client auth (mTLS) | ❌ | ✅ | |
| SSL | ❌ | ✅ | |
| SASL | |||
| SASL_PLAINTEXT | ✅ | only if OAUTHBEARER | |
| SASL_SSL | ✅ | only if OAUTHBEARER | |
KAFKA_MANAGED | SASL_PLAINTEXT | ❌ | ✅ |
| SASL_SSL | ❌ | ✅ |
Authentication method details
Anonymous authentication- PLAINTEXT: Client is anonymous, no credentials needed. Local and external service accounts not supported.
- SSL (encryption only): Transport encryption without client authentication. Local and external service accounts not supported.
- Both Gateway and clients validate each other’s identities using TLS certificates
- Gateway extracts user identity from the TLS certificate
- Identity can be mapped to an external service account in Gateway
- Username format:
CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown - Customize with
GATEWAY_SSL_PRINCIPAL_MAPPING_RULESenvironment variable
- With OAUTHBEARER: clients authenticate with an identity (the
subin the OIDC JWT token) - Can be mapped to an external service account in Gateway
- Supports PLAIN and SCRAM mechanisms in Kafka-managed mode
- JWT token required with grant type
clientcredentialsfor OAUTHBEARER
- Delegates authentication to the backing Kafka cluster
- Gateway forwards client credentials to Kafka for authentication
- Kafka cluster retrieves ACL rules and authenticates the client
- Supports PLAIN, SCRAM, OAUTHBEARER, and AWS_MSK_IAM mechanisms
- External service accounts can still be mapped for friendly names in Gateway
- Local service accounts not available in this mode
- Virtual resources (Virtual Clusters, alias topics, concentrated topics) not available
What Gateway manages
Conduktor Gateway manages service accounts, client authentication and ACLs (Access Control Lists) by determining:- where to authenticate clients, Gateway or Kafka
- which authentication method to use
- when to use local or external service accounts
- how and where to manage service account ACLs
Troubleshooting authentication and authorization
Does Role Based Access Control (RBAC) in Console also apply to Kafka?
Does Role Based Access Control (RBAC) in Console also apply to Kafka?
No, Conduktor’s RBAC model is designed to manage user permissions within Conduktor Console, specifically for interacting with Kafka resources through Conduktor’s interface. However, using Conduktor’s Self-service, you can create Access Control Lists (ACLs) based on applications. This allows application teams to manage their Kafka resources autonomously, ensuring that each application has the necessary permissions to interact with Kafka topics, consumer groups and other resources.
Can I use IAM for MSK?
Can I use IAM for MSK?
Yes, Conduktor is fully compatible with IAM for MSK authentication but doesn’t currently support modifying IAM policies.
GatewayServiceAccount
When using Oauth, mTLS or delegated backing Kafka authentication,GatewayServiceAccount is generally optional.
- Managed with: API, CLI, TF
_conduktor_${GATEWAY_CLUSTER_ID}_usermappings and includes a name (used when applying ACLs and Interceptors) and an associated Virtual Cluster. By default, this is set to the default Virtual Cluster, passthrough.
When working with external service accounts, it’s important to understand the difference between:
- Internal name (
metadata.name): the friendly name you assign in Gateway - use this in Interceptor scopes, ACLs, audit logs - External name (
spec.externalNames): the original identifier from the identity provider, only used for mapping external identities.
| Security Mode & Protocol | LOCAL GatewayServiceAccount | EXTERNAL GatewayServiceAccount |
|---|---|---|
GATEWAY_MANAGED + PLAINTEXT | 🚫 | 🚫 |
GATEWAY_MANAGED + SSL | 🚫 | only if mTLS configured |
GATEWAY_MANAGED + SASL_PLAINTEXT | ✅ | only if OAuth configured |
GATEWAY_MANAGED + SASL_SSL | ✅ | only if OAuth configured |
KAFKA_MANAGED + SASL_PLAINTEXT | 🚫 | ✅ |
KAFKA_MANAGED + SASL_SSL | 🚫 | ✅ |
DELEGATED_SASL_PLAINTEXT (deprecated, use KAFKA_MANAGED) | 🚫 | ✅ |
DELEGATED_SASL_SSL (deprecated, use KAFKA_MANAGED) | 🚫 | ✅ |
- creating local service accounts
- renaming service accounts for easier clarity when using Interceptors
- attaching service accounts to Virtual Clusters
- CLI
- Terraform
- When
spec.typeisEXTERNAL:spec.externalNamesmust be a non-empty list of external names. Each name must be unique across all declared GatewayServiceAccount.- we currently only support a list of one element.
- When
spec.typeisEXTERNAL:- During Client connection, the authenticated user will be checked against the list of
externalNamesto decide which GatewayServiceAccount it is.
- During Client connection, the authenticated user will be checked against the list of
- When
spec.typeisLOCAL:- Access to
/gateway/v2/tokensendpoint to generate a password for this service account - Switching a GatewayServiceAccount
spec.typefromLOCALtoEXTERNALdoes not invalidate previously emitted tokens. They will keep on working for their TTL.
- Access to
Gateway service account groups
Application service accounts defined in Gateway that follow a common set of Interceptor rules can be grouped. This allows you to scope Interceptors for multiple service accounts.These groups can’t be used for managing ACLs of the service accounts.
Create a service account group
Use the Gateway API to create agroup. See the GatewayGroup section below for more details.
Apply an Interceptor to a group
Once a group is created, you can apply Interceptors to it directly from within the Interceptor configuration. Usemetadata.scope.group to define which group the Interceptor should apply to. See the Interceptor targeting section above for more details.
GatewayGroup
Gateway group lets you add multiple users in the same GatewayGroup for easier Interceptor targeting capabilities.spec.members[].nameis mandatory.- Currently, the username needs to refer to an existing GatewayServiceAccount otherwise it will fail. This is a known issue that we’ll address in a further release.
spec.members[].vClusteris optional. It has to refer to an existing Virtual Cluster. When not using Virtual Clusters, don’t set this attribute.
- All members of the group will be affected by Interceptors deployed with this group’s scope.
ConcentrationRule
Concentration Rules allow you to define patterns where topic creation won’t generate a physical topic, but will instead use our topic concentration feature.metadata.vClusteris optional. Must refer to an existing Virtual Cluster. When not using Virtual Clusters, don’t set this attribute.spec.physicalTopics.deleteis mandatory. Has to be a valid topic name with acleanup.policyset todelete.spec.physicalTopics.compactis optional. Has ti be a valid topic name with acleanup.policyset tocompact.spec.physicalTopics.deleteCompactis optional. Has to be a valid topic name with acleanup.policyset todelete,compact.spec.autoManagedis optional, default isfalse.spec.offsetCorrectnessis optional, default isfalse.
- Once the Concentration Rule is deployed, topics created with a name matching the
spec.patternwill not be created as real Kafka topics but as concentrated topics instead. - Depending on the topic’s
cleanup.policy, the topic’s data will be stored in one of the configured physical topics. - If a topic creation request is made with a
cleanup.policythat isn’t configured in the ConcentrationRule, topic creation will fail. - It is not possible to update
cleanup.policyof a concentrated topic. - If
spec.autoManagedis set totrue, the underlying physical topics and configurations will be automatically created and/or extended to honour the topics configurations. - If
spec.offsetCorrectnessis set totrue, Gateway will maintain a list of offsets for each of the concentrated topic records.- This allows for a proper calculation of message count and consumer group lag.
- There are some limitations with offset correctness.
- If
spec.offsetCorrectnessis set tofalse, Gateway will report the offsets of the backing topic records.
VirtualCluster
A Virtual Cluster creates an isolated Kafka environment within Gateway. Topics and consumer groups in one Virtual Cluster are completely separate from other Virtual Clusters which enables multi-tenancy on a single physical cluster.- Managed with: API, CLI
The unique identifier for the Virtual Cluster and serves as the prefix for all topics and consumer groups on the physical Kafka clusterPattern:
^[a-zA-Z0-9._-]+$ (letters, numbers, dots, underscores, hyphens only)Impact: all topics and consumer groups created in this Virtual Cluster are prefixed with this name on the physical cluster. They appear in the Virtual Cluster without the prefix.- Default behavior: creating a topic
ordersin thecustomersVirtual Cluster results in a physical topic calledcustomersorders - Automatic discovery: the physical topic
customerscatalogautomatically appears ascatalogin thecustomersVirtual Cluster - Override with alias mappings: use AliasTopic to map logical topics to any physical topic name, regardless of the prefix
Controls authorization for the Virtual Cluster
- When
false: No access control. Clients can create, delete, produce, consume, and manage all topics and consumer groups in this Virtual Cluster. The fieldsaclsandsuperUserscan’t be set. - When
true: requires ACL configuration (see sections below)
Determines how ACLs are managed. When omitted:
- if
aclEnabled: true: defaults toKAFKA_API - if
aclEnabled: false: remains unset (no ACL mode)
Defines the Virtual Cluster type
- Standard: For internal multi-tenancy within your organization
- Partner: For external data sharing with external organizations. When using
aclMode: KAFKA_API, ACLs must be enabled with at least one superUser
spec.aclEnabled when it is set to true
ACLs configurable via Kafka (aclMode: KAFKA_API)
ACLs configurable via Kafka (aclMode: KAFKA_API)
Manage ACLs using the Kafka Admin API, just like you would with a standard Kafka cluster. Administrators listed in Requirements
superUsers can dynamically create, update, and delete ACLs using Kafka CLI tools.- at least one
spec.superUsersis required: a list of usernames whose associated Gateway Service Accounts can bypass ACLs. These have to be created separately. - not allowed: the
spec.aclsfield
ACLs configurable via REST (aclMode: REST_API)
ACLs configurable via REST (aclMode: REST_API)
Manage ACLs declaratively via the Gateway REST API. All ACL bindings are defined in the Virtual Cluster YAML configuration, enabling Infrastructure-as-Code workflows.Requirements:
- at least one
spec.aclsis required: a complete list of ACL bindings for the Virtual Cluster.- any valid Kafka API ACL binding including
*wildcards is supported. For a complete reference, see the API schema
- any valid Kafka API ACL binding including
- not allowed: the
spec.superUsersfield
AliasTopic
An Alias Topic maps a physical Kafka topic to a logical name within a Virtual Cluster. You can use it to:- Expose internal topics to external partners with business-friendly names while keeping your internal naming conventions private
- Map a logical topic in a Virtual Cluster to any physical topic, regardless of the Virtual Cluster’s prefix
- Share the same physical topic across multiple Virtual Clusters with different logical names
- Managed with: API, CLI
stock in their Virtual Cluster, while it actually maps to your internal topic internal.manufacturing.eu.stock that contains European manufacturing stock data. The internal naming convention (region, department structure) remains hidden from the partner.
AliasTopic fields:
The logical topic name visible in the Virtual ClusterPattern:
^[a-zA-Z0-9._-]+$ (letters, numbers, dots, underscores, hyphens only)Target Virtual Cluster for this aliasPattern:
^[a-zA-Z0-9._-]+$ (letters, numbers, dots, underscores, hyphens only)The actual physical topic name on KafkaPattern:
^[a-zA-Z0-9._-]+$ (letters, numbers, dots, underscores, hyphens only)Can be any valid topic name, no prefix requirementPhysical Kafka cluster hosting the topic
- For Partner Virtual Clusters: required, must be explicitly specified
- For Standard Virtual Clusters: optional, defaults to
main(only valid value) - Must match one of the Gateway’s configured physical clusters