Tutorials
Migrate to new Gateway security mode
Overview
This guide is for migrating authentication and authorization to the new configuration in Gateway v3.10.0 and later. We have introduced a new environment variable:GATEWAY_SECURITY_MODE which determines where authentication takes place.
As part of this, we’re deprecating (but will still support) DELEGATED_XXX inputs for GATEWAY_SECURITY_PROTOCOL. The valid inputs for GATEWAY_SECURITY_MODE are: KAFKA_MANAGED and GATEWAY_MANAGED. Find out more about the client to Gateway connection.
We’re also changing the default behavior of GATEWAY_ACL_ENABLED. Previously, when left undefined, it defaulted to false. It will now be determined by the security mode.
If you’re using a security protocol that has an ANONYMOUS identity (
PLAINTEXT or SSL without mTLS), you will face authorization errors because ACLs are now enabled by default for Gateway managed security. To remove authorization from your setup, set GATEWAY_ACL_ENABLED: false.Benefits
We’re splitting the security configuration into two steps to simplify the user experience. The two questions to consider:- What’s responsible for authentication and authorization - Kafka or Gateway?
- How will your Kafka clients be authenticating? Set the appropriate protocol.
GATEWAY_SECURITY_MODE and simplify the options for the how, which still uses GATEWAY_SECURITY_PROTOCOL.
We’ll also enable/disable ACLs on Gateway from the security mode, meaning that the GATEWAY_ACL_ENABLED environment variable only needs to be used when disabling ACLs on Gateway, on the passthrough. The behavior for the virtual clusters is handled in the Virtual Cluster configuration.
Am I affected?
All our customers are affected. Even though this change is backwards-compatible (we still support the delegated protocols for theGATEWAY_SECURITY_PROTOCOL), we recommend that you migrate to the new environment variables.
We still support the GATEWAY_ACL_ENABLED variable. Where set, we will continue to honor valid configurations. However, if GATEWAY_SECURITY_MODE is set to KAFKA_MANAGED, we will provide an error message if GATEWAY_ACL_ENABLED is set to true. You cannot manage ACLs on Gateway if you’re authenticating on the Kafka cluster.
What do I need to do?
Delegated security protocols
We strongly encourage to set up the security configurations using the newGATEWAY_SECURITY_MODE environment variable and migrate from using DELEGATED_SASL_PLAINTEXT and DELEGATED_SASL_SSL.
- Find your pre-3.10.0
GATEWAY_SECURITY_PROTOCOLvalue in your current deployment configuration. - Add the relevant
GATEWAY_SECURITY_MODEenvironment variable to your deployment configuration. - Replace the
GATEWAY_SECURITY_PROTOCOL.- If you’re already using a
GATEWAY_MANAGEDsetup, there will be no change.
- If you’re already using a
- If you’re using an unauthorized setup with
PLAINTEXTorSSLandKAFKA_MANAGED, you’ll need to disable ACLs by addingGATEWAY_ACL_ENABLED: falsein your configuration. Otherwise, you’ll get an error in your startup logs.
| 3.9.0 GATEWAY_SECURITY_PROTOCOL | → 3.10.0 GATEWAY_SECURITY_PROTOCOL | → 3.10.0 GATEWAY_SECURITY_MODE |
|---|---|---|
PLAINTEXT | PLAINTEXT | GATEWAY_MANAGED |
SASL_PLAINTEXT | SASL_PLAINTEXT | GATEWAY_MANAGED |
SASL_SSL | SASL_SSL | GATEWAY_MANAGED |
SSL | SSL | GATEWAY_MANAGED |
DELEGATED_SASL_PLAINTEXT | SASL_PLAINTEXT | KAFKA_MANAGED |
DELEGATED_SASL_SSL | SASL_SSL | KAFKA_MANAGED |
SASL_SSL:
-
Before (in previous versions):
-
Now (in v3.10.0 and later):
GATEWAY_ACL_ENABLED
WhenGATEWAY_SECURITY_MODE is set, there’s no longer a need to provide GATEWAY_ACL_ENABLED. If you want to disable ACLs, add GATEWAY_ACL_ENABLED: false to your configuration. The behavior of ACLs on passthrough will be like this:
| GATEWAY_SECURITY_MODE | ACL is enabled |
|---|---|
| GATEWAY_MANAGED | true |
| KAFKA_MANAGED | false |
GATEWAY_ACL_ENABLED to be false due to being undefined. To maintain this behavior, you have to now explicitly override GATEWAY_ACL_ENABLED to be false.