Every time a client publishes events to or consumes events from Event Hubs for Kafka, it must authenticate to the Event Hubs resource. When using the Apache Kafka protocol with your clients, you configure authentication and encryption through the SASL mechanisms. Event Hubs for Kafka requires TLS encryption (all data in transit with Event Hubs for Kafka is TLS encrypted), which you select by specifying the SASL_SSL option in your configuration file.
Event Hubs for Kafka initially offered authentication through the SASL PLAIN mechanism only. We are now extending the authentication mechanisms for Event Hubs for Kafka to support OAuth 2.0 token-based authentication. With this kind of authentication, Kafka clients talk to a central OAuth 2.0 compliant authorization server; for Azure Event Hubs for Kafka this is Azure Active Directory (Azure AD).
Azure AD also provides role-based authorization, which can be used instead of ACL-based authorization to centrally manage not only user entities but also the permissions they have on Kafka resources while using Event Hubs.
By integrating with Azure AD, Kafka clients streaming through Event Hubs can make use of the service's built-in roles. Explore the built-in roles and resource scopes in this article: Authorize access to Event Hubs resources using Azure Active Directory
How to configure the OAuth2.0 compatible token-based mechanism
In your configuration file, specify the SASL-based security protocol and the OAUTHBEARER mechanism, along with the callback handler class that retrieves the token, as shown below:
bootstrap.servers=mynamespace.servicebus.windows.net:9093
security.protocol=SASL_SSL
sasl.mechanism=OAUTHBEARER
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
sasl.login.callback.handler.class=YourCallBackHandler
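The configuration above leaves one piece to the developer: the class named in sasl.login.callback.handler.class, which Kafka's OAuthBearerLoginModule calls whenever it needs a fresh token. The following is an added example of such a handler, not code from the original post or from the GitHub sample it links to. The class name AzureAdOAuthBearerCallbackHandler is hypothetical, and it assumes the kafka-clients and azure-identity libraries are on the classpath. It derives the token audience from bootstrap.servers (https://<namespace>.servicebus.windows.net/.default), acquires an Azure AD access token through DefaultAzureCredential (which covers environment-variable credentials, managed identity and Azure CLI logins), and hands the token and its absolute expiry to Kafka so the client re-authenticates before the token lapses.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;

/**
 * Hypothetical login callback handler for sasl.login.callback.handler.class.
 * Acquires an Azure AD access token for the Event Hubs namespace and passes it
 * to Kafka's OAUTHBEARER login module. Assumes kafka-clients and azure-identity
 * are available; no secret is embedded in code, the credential chain supplies it.
 */
public class AzureAdOAuthBearerCallbackHandler implements AuthenticateCallbackHandler {

    // ".default" requests every permission the app or identity has been granted on the resource.
    private static final String SCOPE_SUFFIX = "/.default";

    private DefaultAzureCredential credential;
    private String scope;

    @Override
    public void configure(Map<String, ?> configs, String saslMechanism,
                          List<AppConfigurationEntry> jaasConfigEntries) {
        // Audience comes from bootstrap.servers, e.g. "mynamespace.servicebus.windows.net:9093".
        String bootstrap = String.valueOf(configs.get("bootstrap.servers"));
        scope = scopeFromBootstrapServers(bootstrap);
        // Tries environment credentials, managed identity, Azure CLI, etc. in order.
        credential = new DefaultAzureCredentialBuilder().build();
    }

    /** Builds "https://<host>/.default" from the first bootstrap endpoint. */
    static String scopeFromBootstrapServers(String bootstrapServers) {
        String first = bootstrapServers.split(",")[0].trim();
        int colon = first.indexOf(':');
        String host = colon >= 0 ? first.substring(0, colon) : first;
        return "https://" + host + SCOPE_SUFFIX;
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (callback instanceof OAuthBearerTokenCallback) {
                ((OAuthBearerTokenCallback) callback).token(acquireToken());
            } else {
                // Anything else (e.g. SaslExtensionsCallback) is not handled here.
                throw new UnsupportedCallbackException(callback);
            }
        }
    }

    private OAuthBearerToken acquireToken() {
        TokenRequestContext ctx = new TokenRequestContext().addScopes(scope);
        // getToken is reactive; block() waits for the token on this login thread.
        AccessToken token = credential.getToken(ctx).block();
        if (token == null) {
            throw new IllegalStateException("Azure AD returned no token for scope " + scope);
        }
        final String jwt = token.getToken();
        // Kafka expects the expiry as an absolute epoch time in milliseconds and
        // schedules a re-login before it is reached.
        final long expiresAtMs = token.getExpiresAt().toInstant().toEpochMilli();
        final Set<String> scopes = Collections.singleton(scope);
        return new OAuthBearerToken() {
            @Override public String value() { return jwt; }
            @Override public Set<String> scope() { return scopes; }
            @Override public long lifetimeMs() { return expiresAtMs; }
            // Client-side label only; the broker derives the identity from the token itself.
            @Override public String principalName() { return "azure-ad-principal"; }
            @Override public Long startTimeMs() { return null; }
        };
    }

    @Override
    public void close() { }
}
```

To use it, set sasl.login.callback.handler.class to the fully qualified class name (for example com.example.AzureAdOAuthBearerCallbackHandler) in the properties file shown above, and make sure the identity the credential chain resolves to holds one of the Event Hubs data-plane roles on the namespace or topic.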
With the OAuth 2.0 token-based mechanism, you can make use of the built-in RBAC roles for Event Hubs listed below:
- Azure Event Hubs Data Owner: Use this role to grant complete access to Event Hubs resources.
- Azure Event Hubs Data Sender: Use this role to grant send access to Event Hubs resources.
- Azure Event Hubs Data Receiver: Use this role to grant consuming/receiving access to Event Hubs resources.
The following list describes the levels at which you can scope access to Event Hubs for Kafka resources for your client identities:
- Topics: The role assignment applies to a single topic entity under an Event Hubs namespace.
- Namespace: The role assignment spans every topic under the namespace.
- Resource group: Role assignment applies to all the Event Hubs resources under the resource group.
- Subscription: Role assignment applies to all the Event Hubs resources in all resource groups in the subscription.
To Conclude
Azure Event Hubs supports authorizing access to Event Hubs resources using Azure Active Directory (Azure AD). Authorizing users or applications with an OAuth 2.0 token returned by Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, there is no need to store the tokens in your code and risk potential security vulnerabilities.
Microsoft recommends using Azure AD with your Azure Event Hubs when possible.
Next Steps
- Explore our GitHub sample for enabling OAuth2.0 options with your Kafka applications
- Learn more about authorizing access to Azure Event Hubs
- Authenticate requests to Azure Event Hubs from an application using Azure Active Directory
- Authenticate a managed identity with Azure Active Directory to access Event Hubs Resources
- Authenticate requests to Azure Event Hubs using Shared Access Signatures
- Authorize access to Event Hubs resources using Azure Active Directory
- Authorize access to Event Hubs resources using Shared Access Signatures