Skip to main content
These are high-level Gateway object specifications for Conduktor CLI.

Deploy Interceptor

Deploys an Interceptor on Gateway.
  • Managed with: API, CLI, UI, TF
  • CLI
  • Terraform
---
apiVersion: gateway/v2
kind: Interceptor
metadata:
  name: enforce-partition-limit
  # scope:
  #   vCluster: aaa
  #   group: bbb
  #   username: ccc
spec:
  pluginClass: "io.conduktor.gateway.interceptor.safeguard.CreateTopicPolicyPlugin"
  priority: 100
  config:
    topic: "myprefix-.*"
    numPartition:
      min: 5
      max: 5
      action: "INFO"
Interceptor checks:
  • metadata.scope is optional (default empty).
  • metadata.scope.[vCluster | group | username] combine with each other to define the targeting
  • spec.pluginClass is mandatory. Has to be a valid Interceptor class name.
  • spec.priority is mandatory
  • spec.config is a valid config for the pluginClass

Interceptor targeting

You can activate your Interceptor only in specific scenarios. Use the table below to configure Targeting settings.
Use casemetadata.scope.vclustermetadata.scope.groupmetadata.scope.username
Global Interceptor (Including Virtual Clusters)Set to nullSet to nullSet to null
Global Interceptor (Excluding Virtual Clusters)EmptyEmptyEmpty
Username targetingEmptyEmptySet
Group targetingEmptySetEmpty
Virtual Cluster targetingSetEmptyEmpty
Virtual Cluster + Username targetingSetEmptySet
Virtual Cluster + Group targetingSetSetEmpty
You can deploy multiple Interceptors with the same name using a different targeting scope. This will effectively override the configuration for the scope.
The order of precedence from highest (overrides all others) to lowest (most easily overridden) is:
  • ServiceAccount
  • Group
  • VirtualCluster
  • Global

Examples

  ---
  # This Interceptor targets everyone (Including Virtual Clusters)
  apiVersion: gateway/v2
  kind: Interceptor
  metadata:
    name: enforce-partition-limit
    scope:
      vCluster: null
      group: null
      username: null
  spec:

  ---
  # This Interceptor targets everyone (Excluding Virtual Clusters)
  apiVersion: gateway/v2
  kind: Interceptor
  metadata:
    name: enforce-partition-limit
  spec:

  ---
  # This Interceptor targets only `admin` service account
  apiVersion: gateway/v2
  kind: Interceptor
  metadata:
    name: enforce-partition-limit
    scope:
      username: admin
  spec:

  ---
  # This interceptor targets only `read-only` virtual cluster
  apiVersion: gateway/v2
  kind: Interceptor
  metadata:
    name: enforce-partition-limit
    scope:
      vCluster: read-only
  spec:

Supported authentication methods

Gateway supports different client authentication methods depending on the security mode (Gateway-managed or Kafka-managed) and service account type (local or external).
ModeProtocolLocal service accountExternal service account
Anonymous
GATEWAY_MANAGEDPLAINTEXT
SSL
SSL with client auth (mTLS)
SSL
SASL
SASL_PLAINTEXTonly if OAUTHBEARER
SASL_SSLonly if OAUTHBEARER
KAFKA_MANAGEDSASL_PLAINTEXT
SASL_SSL
As of Gateway v3.10.0, the DELEGATED_XXX security protocols have been deprecated in favor of the security mode, set by the GATEWAY_SECURITY_MODE environment variable. These values remain supported for backward compatibility but will be deprecated in future releases.If you’re using DELEGATED security protocols, see the security mode migration guide.

Authentication method details

Anonymous authentication
  • PLAINTEXT: Client is anonymous, no credentials needed. Local and external service accounts not supported.
  • SSL (encryption only): Transport encryption without client authentication. Local and external service accounts not supported.
SSL with client authentication (mTLS)
  • Both Gateway and clients validate each other’s identities using TLS certificates
  • Gateway extracts user identity from the TLS certificate
  • Identity can be mapped to an external service account in Gateway
  • Username format: CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown
  • Customize with GATEWAY_SSL_PRINCIPAL_MAPPING_RULES environment variable
SASL authentication
  • With OAUTHBEARER: clients authenticate with an identity (the sub in the OIDC JWT token)
  • Can be mapped to an external service account in Gateway
  • Supports PLAIN and SCRAM mechanisms in Kafka-managed mode
  • JWT token required with grant type clientcredentials for OAUTHBEARER
Kafka-managed SASL authentication
  • Delegates authentication to the backing Kafka cluster
  • Gateway forwards client credentials to Kafka for authentication
  • Kafka cluster retrieves ACL rules and authenticates the client
  • Supports PLAIN, SCRAM, OAUTHBEARER, and AWS_MSK_IAM mechanisms
  • External service accounts can still be mapped for friendly names in Gateway
  • Local service accounts not available in this mode
  • Virtual resources (Virtual Clusters, alias topics, concentrated topics) not available

What Gateway manages

Conduktor Gateway manages service accounts, client authentication and ACLs (Access Control Lists) by determining:
  • where to authenticate clients, Gateway or Kafka
  • which authentication method to use
  • when to use local or external service accounts
  • how and where to manage service account ACLs

Troubleshooting authentication and authorization

No, Conduktor’s RBAC model is designed to manage user permissions within Conduktor Console, specifically for interacting with Kafka resources through Conduktor’s interface. However, using Conduktor’s Self-service, you can create Access Control Lists (ACLs) based on applications. This allows application teams to manage their Kafka resources autonomously, ensuring that each application has the necessary permissions to interact with Kafka topics, consumer groups and other resources.
Yes, Conduktor is fully compatible with IAM for MSK authentication but doesn’t currently support modifying IAM policies.
Find out more about Gateway authentication and authorization

GatewayServiceAccount

When using Oauth, mTLS or delegated backing Kafka authentication, GatewayServiceAccount is generally optional.
  • Managed with: API, CLI, TF
Each service account is stored in an internal topic, _conduktor_${GATEWAY_CLUSTER_ID}_usermappings and includes a name (used when applying ACLs and Interceptors) and an associated Virtual Cluster. By default, this is set to the default Virtual Cluster, passthrough.
When working with external service accounts, it’s important to understand the difference between:
  • Internal name (metadata.name): the friendly name you assign in Gateway - use this in Interceptor scopes, ACLs, audit logs
  • External name (spec.externalNames): the original identifier from the identity provider, only used for mapping external identities.
GatewayServiceAccount resource is enabled/disabled depending on your Gateway configuration. This is to prevent you from declaring a resource that’s incompatible with your current configuration:
GATEWAY_SECURITYLOCAL GatewayServiceAccountEXTERNAL GatewayServiceAccount
PLAINTEXT🚫🚫
SSL🚫only if mTls
SASL_PLAINTEXTonly if OAuth configured
SASL_SSLonly if OAuth configured
DELEGATED_SASL_PLAINTEXT🚫
DELEGATED_SASL_SSL🚫
Here are a few cases where you have to declare GatewayServiceAccount objects:
  • creating local service accounts
  • renaming service accounts for easier clarity when using Interceptors
  • attaching service accounts to Virtual Clusters
  • CLI
  • Terraform
---
# External user renamed
apiVersion: gateway/v2
kind: GatewayServiceAccount
metadata:
  name: application1
spec:
  type: EXTERNAL
  externalNames:
  - 00u9vme99nxudvxZA0h7
---
# Local User on Virtual Cluster vc-B
apiVersion: gateway/v2
kind: GatewayServiceAccount
metadata:
  vCluster: vc-B
  name: admin
spec:
  type: LOCAL
GatewayServiceAccount checks:
  • When spec.type is EXTERNAL:
    • spec.externalNames must be a non-empty list of external names. Each name must be unique across all declared GatewayServiceAccount.
    • we currently only support a list of one element.
GatewayServiceAccount side effects:
  • When spec.type is EXTERNAL:
    • During Client connection, the authenticated user will be checked against the list of externalNames to decide which GatewayServiceAccount it is.
  • When spec.type is LOCAL:
    • Access to /gateway/v2/tokens endpoint to generate a password for this service account
    • Switching a GatewayServiceAccount spec.type from LOCAL to EXTERNAL does not invalidate previously emitted tokens. They will keep on working for their TTL.

Gateway service account groups

Application service accounts defined in Gateway that follow a common set of Interceptor rules can be grouped. This allows you to scope Interceptors for multiple service accounts.
These groups can’t be used for managing ACLs of the service accounts.

Create a service account group

Use the Gateway API to create a group. See the GatewayGroup section below for more details.

Apply an Interceptor to a group

Once a group is created, you can apply Interceptors to it directly from within the Interceptor configuration. Use metadata.scope.group to define which group the Interceptor should apply to. See the Interceptor targeting section above for more details.

GatewayGroup

Gateway group lets you add multiple users in the same GatewayGroup for easier Interceptor targeting capabilities. 
---
# Users added to the group manually
apiVersion: gateway/v2
kind: GatewayGroup
metadata:
  name: group-a
spec:
  members:
    - name: admin
    - vCluster: vc-B
      name: "0000-AAAA-BBBB-CCCC"
GatewayGroup checks:
  • spec.members[].name is mandatory.
    • Currently, the username needs to refer to an existing GatewayServiceAccount otherwise it will fail. This is a known issue that we’ll address in a further release.
  • spec.members[].vCluster is optional. It has to refer to an existing Virtual Cluster. When not using Virtual Clusters, don’t set this attribute.
GatewayGroup side effects:
  • All members of the group will be affected by Interceptors deployed with this group’s scope.

ConcentrationRule

Concentration Rules allow you to define patterns where topic creation won’t generate a physical topic, but will instead use our topic concentration feature. 
---
apiVersion: gateway/v2
kind: ConcentrationRule
metadata:
  # vCluster: vc-B
  name: toutdanstiti
spec:
  pattern: titi-.*
  physicalTopics:
    delete: titi-delete
    compact: titi-compact
    deleteCompact: titi-cd
  autoManaged: false
  offsetCorrectness: false
ConcentrationRule checks:
  • metadata.vCluster is optional. Must refer to an existing Virtual Cluster. When not using Virtual Clusters, don’t set this attribute.
  • spec.physicalTopics.delete is mandatory. Has to be a valid topic name with a cleanup.policy set to delete.
  • spec.physicalTopics.compact is optional. Has ti be a valid topic name with a cleanup.policy set to compact.
  • spec.physicalTopics.deleteCompact is optional. Has to be a valid topic name with a cleanup.policy set to delete,compact.
  • spec.autoManaged is optional, default is false.
  • spec.offsetCorrectness is optional, default is false.
ConcentrationRule side effects:
  • Once the Concentration Rule is deployed, topics created with a name matching the spec.pattern will not be created as real Kafka topics but as concentrated topics instead.
  • Depending on the topic’s cleanup.policy, the topic’s data will be stored in one of the configured physical topics.
  • If a topic creation request is made with a cleanup.policy that isn’t configured in the ConcentrationRule, topic creation will fail.
  • It is not possible to update cleanup.policy of a concentrated topic.
  • If spec.autoManaged is set to true, the underlying physical topics and configurations will be automatically created and/or extended to honour the topics configurations.
  • If spec.offsetCorrectness is set to true, Gateway will maintain a list of offsets for each of the concentrated topic records.
    • This allows for a proper calculation of message count and consumer group lag.
    • There are some limitations with offset correctness.
  • If spec.offsetCorrectness is set to false, Gateway will report the offsets of the backing topic records.
If a ConcentrationRule spec changes, it will not affect previously created concentrated topics, it will only affect the topics created after the change.

VirtualCluster

A Virtual Cluster allows you to isolate one or more service accounts within a logical cluster. Any topic or consumer group created within a Virtual Cluster will be accessible only to that specific Virtual Cluster.
  • Managed with: API, CLI
---
apiVersion: gateway/v2
kind: VirtualCluster
metadata:
 name: "mon-app-A"
spec:
 aclEnabled: false
VirtualCluster checks:
  • metadata.name must be a valid topic prefix as all vcluster topics and consumer groups will be created on the physical kafka cluster with this as the prefix (they will appear on the vcluster without the prefix).
  • spec.aclEnabled is optional (default false). When unset or false,
    • there are no authorization checks for clients connecting to the vcluster. Clients are free to perform any operation on resources within the vcluster
    • The fields acls and superUsers cannot be set
  • spec.type must be either Standard or Partner (default if not set is Standard)
The next two sections describe the behaviour of spec.aclEnabled when it is set to true

ACLs configurable via Kafka

When a vcluster is configured to have ACLs set via Kafka (aclMode: KAFKA_API) an administrator can connect to the vcluster as any service account named in the superUsers list and fully manage the ACLs of other service accounts within the vcluster using the Kafka Admin API. This is the same way you would manage a real Kafka Cluster. 
---
apiVersion: gateway/v2
kind: VirtualCluster
metadata:
 name: "mon-app-A"
spec:
 aclEnabled: true
 aclMode: KAFKA_API
 superUsers:
 - username1
 - username2
  • when spec.aclMode is set to KAFKA_API (default if aclEnabled: true)
    • it cannot be changed
    • acls cannot be set
    • spec.superUsers must be set
  • spec.superUsers is the list of usernames for which the associated service accounts in this virtual cluster can bypass ACLs.
    • Specified usernames are not created automatically. You still need to create the associated gateway service accounts on the vcluster for them to work.

ACLs configurable via REST

Managing ACLs with the Kafka Admin API is extremely powerful, but can also be cumbersome. For some use-cases it is desirable to configure everything using the REST api instead. 
---
apiVersion: gateway/v2
kind: VirtualCluster
metadata:
 name: "mon-app-A"
spec:
 aclEnabled: true
 aclMode: REST_API
 acls:
  - resourcePattern:
      resourceType: TOPIC
      name: customers
      patternType: LITERAL
    principal: User:username1
    host: "*"
    operation: READ
    permissionType: ALLOW
  - resourcePattern:
      resourceType: TOPIC
      name: customers
      patternType: LITERAL
    principal: User:username1
    host: "*"
    operation: WRITE
    permissionType: ALLOW
  • when spec.aclMode is set to REST_API
    • it cannot be changed
    • spec.acls must be set
    • spec.superUsers cannot be set
  • spec.acls is the complete list of ACL bindings for the vcluster and allows (nearly) any valid Kafka API ACL binding (inc * wildcards) to be set. For a complete list of valid ACL bindings checkout the Open API schema .
We do not allow the aclMode to be changed once it is set because KAFKA_API and REST_API have incompatible mutation processes (KAFKA_API mode changes are cumulative whereas REST_API mode changes are idempotent).

AliasTopic

An Alias Topic allows a real Kafka topic to appear as a logical topic within Gateway. This is useful for aliasing topics or making a topic accessible within a Virtual Cluster. 
---
apiVersion: gateway/v2
kind: AliasTopic
metadata:
  name: name1
  vCluster: vCluster1
spec:
  physicalName: physicalName1