Conduktor Gateway provides flexible authentication and authorization for Kafka clients, allowing you to choose where and how clients are authenticated and what permissions they have.

Two authentication modes

Gateway offers two distinct modes for managing client authentication and authorization:

Gateway-managed mode
  • Gateway handles all authentication and authorization
  • Service accounts and ACLs defined in Gateway
  • Supports both local and external service accounts
  • Full control over client access without touching Kafka configuration
  • Enables Virtual Clusters and other Gateway-specific features

Kafka-managed mode
  • Authentication and authorization delegated to the backing Kafka cluster
  • Existing Kafka service accounts and ACLs continue to work
  • Useful for gradual migration to Gateway
  • External service accounts can still be mapped for friendly names in Gateway
  • Virtual resources (Virtual Clusters, alias topics) not available

Key decisions

When configuring Gateway authentication, you need to decide:
  • Where to authenticate: at Gateway or delegate to Kafka
  • Authentication method: SASL (PLAIN, SCRAM, OAUTHBEARER), mTLS, or anonymous
  • Service account type: local (Gateway-managed) or external (identity provider)
  • Authorization location: Gateway ACLs or Kafka ACLs

Benefits

  • Gradual adoption: start with Kafka-managed mode and migrate to Gateway-managed
  • Unified access control: manage authentication across multiple clusters from one place
  • Flexible identity integration: work with existing identity providers or use Gateway’s built-in authentication
  • Enhanced security: add Gateway policies and Interceptors without changing Kafka security