Third-party data sharing can be done securely and selectively using Conduktor.
This feature is available with Conduktor Exchange only.

Partner Zones

Partner Zones allow you to share Kafka topics with external partners selectively and securely. You can:
  • set up dedicated zones with customized access to Kafka topics
  • create a single source of truth because data isn’t duplicated
  • reduce operational costs, since you don’t have to keep data streams synchronized
Partner Zones overview
Check out Partner Zones resource reference.

Prerequisites

Before creating a Partner Zone, you have to:
  • use Conduktor Console 1.37.0 or later
  • use Conduktor Gateway 3.12.0 or later with the following configurations:
    • GATEWAY_SECURITY_PROTOCOL set to SSL, SASL_SSL, or SASL_PLAINTEXT
    • GATEWAY_SECURITY_MODE set to GATEWAY_MANAGED
    • GATEWAY_USER_POOL_SERVICE_ACCOUNT_REQUIRED set to true
    • GATEWAY_FEATURE_FLAGS_MANDATORY_VCLUSTER set to true. Find out more about this environment variable and what service account has to be setup.
  • use a service account to connect to Gateway, that can access the topics you want to share
  • be logged in as an admin to Console UI, or using an admin token for the CLI
  • in Console, configure your Gateway cluster and fill in the Provider tab with Gateway API credentials
Partner Zones currently have the following limitations:
  • Local service accounts cannot be revoked, they only expire on their time-to-live. If you need to revoke access to your partner after issuing a local service account credential, you will have to delete the Partner Zone.

Create a Partner Zone

You can create a Partner Zone from the Console UI, or the Conduktor CLI.
Use the Console UI to create a Partner Zone in just a few steps.
  1. In Conduktor Console, go to Settings > Partner Zones and click +New zone.
  2. Define the Partner Zone details:
    • Add a descriptive name for the zone.
    • The Technical ID will be auto-populated as you type in the name. This is used to identify this zone in CLI/API. You may choose your own ID if you prefer.
    • Service account will also be auto-generated based on the name but you can edit this as required. Service accounts are used to define permissions on Kafka resources, these permissions are mapped to ACL (Access Control List) entries.
    • (Optional) Enter a relevant URL for your partner.
    • (Optional) Enter a Description to explain your reasons/requirements for sharing data.
    • (Optional) Specify contact details of the beneficiary/recipient of this Partner Zone.
    • Select Gateway to choose the one you want to use, then select an available cluster under the Gateway and click Continue.
  3. Choose what and how to share:
    • Select the Kafka topics to include in this Partner Zone, you can filter topics by custom labels you’ve defined or search for a topic by name.
    • Select Read/Write. By default, any topics that are shared, will be shared with Read-only access, but you can additionally allow Write access.
    • (Optional) Rename topics to how you want the consumer to read them by hovering over the name of any topic being shared, and selecting the pencil button.
    • Continue when done.
  4. Select the preferred authentication mechanism to connect to the Partner Zone. Enter the service account name required to connect to the Partner Zone.
    • For credentials managed by OAuth, the service account name has to match the “sub” claim in the token.
  5. (Optional) Protect your cluster by limiting clients with Traffic Control Policies. Limit their rate of producing, consuming or committing offsets.
  6. Review the details and if you’re happy with the data you’re about to share, click Create.
It will take a few moments for the zone to be created.Once completed, the Credentials will be displayed. Copy/download and share these as required.To view and manage all the zones you have access to, go to Settings > Partner Zones. You’ll see the total number of zones and topics shared, as well as a list of zones, each showing:
  • name and URL
  • the number of topics shared
  • Gateway details
  • the status:
    • Pending: means the configuration isn’t deployed or refreshed yet. It may need to wait for the next reconciliation, which is configurable via the environment variables
    • Ready: shows that the configuration is up-to-date on Gateway
    • Failed: indicates that something unexpected happened during the creation. Check that the connected Gateway is active
  • the date the zone was last updated
Click on a Partner Zone to view its details.

Edit a Partner Zone

To edit a Partner Zone you can either:
  • go to the Partner Zone page list view, and click the three dots on the right-hand side then select Edit
  • or go to a specific Partner Zone’s details view, click the Edit button in the top right corner.
This will open the Partner Zone details window in edit mode, allowing you to:
  • update Partner Zone details (name, URL, description and contact details)
  • manage topics - add new ones or change topic aliases
  • change traffic control policies or transformations

Change zone details

  • Name (hover over the name and click the pencil button)
  • URL
  • Description
  • Contact details

Manage topics

If you change a topic alias after it’s been shared with a partner, they won’t be able to find the topic anymore and get an error. Only change shared topic names if you’re sure that your partners are not using this topic.
  • Remove existing topics from the Partner Zone (click the trash can button next to the relevant topic under the Topics section).
At least one topic has to exist in a Partner Zone, so you won’t be able to delete the last topic via the UI. If you have to, delete that Partner Zone.
Click Continue when done.

Update traffic control policies

Expand the Traffic control policies section by clicking on it. You can toggle the switch next to the policy you want to enable/disable and update the value.Click Save in the top right corner when done.

Delete a Partner Zone

To delete a Partner Zone you can either:
  • go to the Partner Zone page list view, and click the three dots on the right-hand side then click the trash can button
  • or go to a specific Partner Zone’s details view, click the trash can button in the top right corner.
Deleting a Partner Zone cannot be undone and will remove a partner’s access.A confirmation window will pop up. Enter DELETE to confirm the deletion. This cannot be undone.

Troubleshoot

The status of a Partner Zone may be one of the following:

  • Pending: the configuration isn’t deployed or refreshed yet
  • Ready: the configuration is up-to-date on Gateway
  • Failed: something unexpected happened during the deployment. Check that the connected Gateway is active

To check the status, use the API to GET the state of the Partner Zone, or check the Gateway and Console logs.

No, you can’t invalidate issued credentials - they instead have a set time to live. If you’re concerned about any issued credentials, delete and re-create the Partner Zone, then re-issue fresh credentials. We recommend deploying Partner Zones using the IaC (Infrastructure as Code) approach. Find out more about this resource.

Audit log events

Event typeDescription
Admin.PartnerZone.CreateA Partner Zone is created.
Admin.PartnerZone.UpdateA Partner Zone is updated.
Admin.PartnerZone.DeleteA Partner Zone is deleted.
Admin.PartnerZone.TokenCreateA token is created for accessing a Partner Zone.