Conduktor provides flexible authentication and authorization for Kafka clients, allowing you to choose where and how clients are authenticated and what permissions they have.Documentation Index
Fetch the complete documentation index at: https://docs.conduktor.io/llms.txt
Use this file to discover all available pages before exploring further.
Two authentication modes
Gateway offers two distinct modes for managing client authentication and authorization: Gateway-managed mode- Gateway handles all authentication and authorization
- and defined in Gateway
- Supports both local and external service accounts
- Full control over client access without touching Kafka configuration
- Enables and other Gateway-specific features
- Authentication and authorization delegated to the backing Kafka cluster
- Existing Kafka service accounts and ACLs continue to work
- Useful for gradual migration to Gateway
- External service accounts can still be mapped for friendly names in Gateway
- Virtual resources (Virtual Clusters, alias topics) not available
Key decisions
When configuring Gateway authentication, you need to decide:- Where to authenticate: at Gateway or delegate to Kafka
- Authentication method: SASL (PLAIN, SCRAM, OAUTHBEARER), mTLS, or anonymous
- Service account type: local (Gateway-managed) or external (identity provider)
- Authorization location: Gateway ACLs or Kafka ACLs
Benefits
- Gradual adoption: start with Kafka-managed mode and migrate to Gateway-managed
- Unified access control: manage authentication across multiple clusters from one place
- Flexible identity integration: work with existing identity providers or use Gateway’s built-in authentication
- Enhanced security: add Gateway policies and without changing Kafka security