Skip to content

Security Overview

RobustMQ Kafka implements Kafka's security-related APIs at the protocol layer and persists all security data — authentication credentials, ACLs, quotas, delegation tokens — in the Raft-based meta-service. This page outlines the current security boundary and links to the topic pages.

To be honest up front: only SASL/SCRAM authentication is enforced end to end. ACLs, quotas, and delegation tokens all ship with full, protocol-compatible management interfaces (create/describe/delete, persisted and broadcast across the cluster), but they are not yet wired into the request path for enforcement. They are "manageable metadata" today, not mechanisms that actually block, throttle, or authorize.

Capability matrix

CapabilityAPIsStatusNotes
SASL/SCRAM authenticationSaslHandshake / SaslAuthenticate / AlterUserScramCredentials / DescribeUserScramCredentials✅ EnforcedSCRAM-SHA-256 / SCRAM-SHA-512 only; when enabled, unauthenticated connections may send handshake requests only
ACL authorizationCreateAcls / DescribeAcls / DeleteAcls🟡 Manageable, not enforcedcreate/describe/delete and persist, but the request path never reads ACLs — nothing is blocked
Client quotasAlterClientQuotas / DescribeClientQuotas🟡 Manageable, not enforcedclient-id entity only; setting a quota does not throttle
Delegation tokensCreate / Renew / Expire / DescribeDelegationToken🟡 Metadata managementthe HMAC is not used for authentication; owner is fixed to User:ANONYMOUS

Persistence path

All security data follows one path:

  1. A broker receives a management request (e.g. AlterUserScramCredentials), validates it, and forwards it to meta-service over gRPC;
  2. meta-service writes it into RocksDB through Raft (strong consistency);
  3. on success it broadcasts a cache-update notification to every broker;
  4. each broker loads the full set once at startup from meta-service and applies broadcast deltas at runtime.

So credentials, ACLs, and quotas are strongly consistent and identical across all nodes.

Default state

SASL is off by default (kafka.sasl.enabled = false). When off, all connections are treated as authenticated with no handshake. When on, the default enabled mechanism list is ["SCRAM-SHA-256", "SCRAM-SHA-512"].

Topic pages

Storage and coordination mechanics are in System Architecture and Storage Engine.

🎉 既然都登录了 GitHub,不如顺手给我们点个 Star 吧!⭐ 你的支持是我们最大的动力 🚀