Security
Redpanda implements the Kafka security model (SASL, ACLs, TLS) and adds OIDC, RBAC, and mTLS for the admin API.
Authentication
Kafka API authentication
| Mechanism | Use Case |
|---|---|
| SASL/PLAIN | Simple username/password (use only over TLS). |
| SASL/SCRAM-SHA-256, SCRAM-SHA-512 | Salted-hash passwords; preferred over PLAIN. |
| OAUTHBEARER | OIDC tokens; supports Keycloak, Auth0, Okta, AWS Cognito. |
| mTLS (X.509) | Certificate-based; the client certificate's CN/SAN maps to a principal. |
Admin API authentication
- mTLS for the admin API on :9644.
- OIDC for the Console UI.
- HTTP basic for development.
```yaml
# Enable SASL on the Kafka API and require client certificates on the external listener
redpanda:
  enable_sasl: true
  superusers: ["admin"]
  kafka_api_tls:
    - name: external
      enabled: true
      key_file: /etc/redpanda/certs/server.key
      cert_file: /etc/redpanda/certs/server.crt
      truststore_file: /etc/redpanda/certs/ca.crt
      require_client_auth: true
```
Console SSO
Redpanda Console supports OIDC, OAuth 2.0, and SAML for user login, with role mapping into the cluster's RBAC.
Authorization
Kafka ACLs
ACLs apply to resources (topic, group, transactional-id, cluster) with operations (Read, Write, Create, Describe, Alter, Delete, Idempotent-Write, …).
```shell
# Read + Describe on every topic whose name starts with "orders."
# Kafka ACL resource names are literal, not globs: 'orders.*' would only
# match a topic literally named orders.*, so use a prefixed pattern instead.
rpk acl create --allow-principal 'User:orders-svc' \
  --operation read,describe \
  --topic 'orders.' --resource-pattern-type prefixed
# Read on the consumer group the service commits offsets to
rpk acl create --allow-principal 'User:orders-svc' \
  --operation read \
  --group 'orders-consumer'
# Review the resulting ACLs
rpk acl list
```
RBAC (Console / Cloud)
In Redpanda Cloud and via the Console, named roles group ACLs and assign them to users. Roles can be mapped from OIDC group claims for centralized identity.
Cluster super-users
Set `superusers: [...]` in `redpanda.yaml` for accounts that bypass ACLs (admin / break-glass). Keep the list short and audit its use.
Encryption
In transit
- TLS 1.2 / 1.3 on every listener: Kafka API, Admin API, Schema Registry, Pandaproxy, RPC (inter-broker).
- mTLS can be required per listener.
- TLS termination must be at Redpanda — sidecar TLS termination is not supported for the Kafka protocol because of the shared connection pool.
- Cipher suites are configurable; restrict to AEAD only for compliance frameworks.
At rest
- Tiered storage object encryption: SSE-S3 by default; SSE-KMS with a customer-managed KMS key (CMK) for SOC 2 / HIPAA / PCI-DSS deployments. Configure via `cloud_storage_kms_key_id`.
- Local NVMe encryption: OS-level (LUKS / dm-crypt, or cloud-native EBS / Persistent Disk encryption).
- BYOK (Bring Your Own Key) is supported in Redpanda Cloud Dedicated.
Audit Logging
Redpanda Enterprise has a dedicated Audit Log topic that records management operations:
- Cluster config changes.
- Topic create/alter/delete.
- ACL changes.
- User create/delete.
- Authentication failures.
Audit logs are themselves a Kafka topic with a fixed schema, ready to ship into a SIEM.
Threat Model
| Threat | Mitigation |
|---|---|
| ACL bypass via super-user role | Limit super-users; rotate; tag with break-glass policy. |
| Tiered storage misconfigured S3 bucket policy | Use SSE-KMS CMKs; bucket policies that deny anonymous reads; CloudTrail object-level logging. |
| Console session hijack | Short OIDC token TTLs; CSRF protections; HTTPS-only cookies. |
| Supply chain via 3rd-party Connect connectors | Pin connector image versions; review code; isolate in network. |
| Unauthenticated Admin API | Always enable mTLS or HTTP basic auth on :9644. |
| MITM on inter-broker RPC | Enable RPC TLS — required for any prod cluster. |
| WASM transform compromise | WASM modules run in-process; keep them small + reviewed; restrict who can register them. |
| Schema Registry spoofing | Pin SR endpoints in clients; require auth on the SR API. |
| Replay of produce requests | Enable transactions / idempotent producer; scope per-producer-id. |
| OIDC token theft | Short TTLs, audience pinning, refresh-token rotation. |
| Cross-tenant data exfiltration in Cloud | Cloud Dedicated → single-tenant; Cloud Serverless uses tenant-scoped namespaces. |
Compliance
Redpanda Cloud Dedicated holds:
- SOC 2 Type II
- ISO 27001
- HIPAA (with BAA)
- PCI-DSS (Cloud Dedicated)
- GDPR support (via region selection)
Self-managed Redpanda inherits whatever compliance you build around it.
CVE History (selected)
| CVE | Year | Affected | Summary |
|---|---|---|---|
| CVE-2024-39687 | 2024 | Redpanda Console < 2.x patch | Path traversal in Console static asset handler. |
| CVE-2023-2972 | 2023 | Redpanda admin API | Insufficient input validation on a debug endpoint. |
| CVE-2022-39253 | 2022 | Redpanda < 22.2 | Improper TLS handshake handling. |
The canonical list lives at github.com/redpanda-data/redpanda/security/advisories.
Hardening Checklist
- SASL enabled (preferably SCRAM-SHA-512 or OIDC).
- mTLS on Kafka API, Admin API, Schema Registry, Pandaproxy, RPC.
- TLS 1.3 only; restrict cipher suites.
- Tiered storage uses SSE-KMS with a CMK; bucket has block-public-access set.
- Super-users restricted to break-glass accounts; audit reviewed quarterly.
- OIDC integrated with corporate IdP for Console; SCIM provisioning if available.
- Audit Logs topic shipped to SIEM (Enterprise).
- WASM transform registration restricted via ACL.
- Subscribed to Redpanda Security Advisories.
- Helm chart pinned to Operator-blessed version.
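As an added example (not Redpanda's own tooling), the following Python audits a parsed `redpanda.yaml` against the checklist above and the SASL/TLS snippet in the Authentication section. It assumes the file has already been loaded into plain dicts with a YAML parser such as PyYAML (not imported here), uses the standard `redpanda.yaml` TLS block names (`admin_api_tls`, `rpc_server_tls`, `pandaproxy_api_tls`, `schema_registry_api_tls`) and the `cloud_storage_enabled` flag, and treats the two-account super-user threshold as an assumption.

```python
# Listener TLS blocks the checklist names, as (top-level section, key) in redpanda.yaml.
TLS_BLOCKS = [
    ("redpanda", "kafka_api_tls"),
    ("redpanda", "admin_api_tls"),
    ("redpanda", "rpc_server_tls"),
    ("pandaproxy", "pandaproxy_api_tls"),
    ("schema_registry", "schema_registry_api_tls"),
]
MAX_SUPERUSERS = 2  # break-glass accounts only; assumed threshold, tune to policy


def _tls_findings(section, key, block):
    """Every listener needs TLS enabled and must demand a client certificate."""
    if not block:
        return [f"{section}.{key}: no TLS configured"]
    # The API TLS blocks are lists of listeners; rpc_server_tls is a single map.
    listeners = block if isinstance(block, list) else [block]
    out = []
    for lst in listeners:
        name = lst.get("name", key)
        if not lst.get("enabled"):
            out.append(f"{section}.{key}[{name}]: TLS not enabled")
        if not lst.get("require_client_auth"):
            out.append(f"{section}.{key}[{name}]: require_client_auth off (no mTLS)")
    return out


def audit(cfg):
    """Return checklist violations for a parsed redpanda.yaml; [] means it passes."""
    rp = cfg.get("redpanda", {})
    findings = []
    if not rp.get("enable_sasl"):
        findings.append("redpanda.enable_sasl: SASL disabled")
    if len(rp.get("superusers", [])) > MAX_SUPERUSERS:
        findings.append(f"redpanda.superusers: {len(rp['superusers'])} accounts bypass ACLs")
    for section, key in TLS_BLOCKS:
        findings += _tls_findings(section, key, cfg.get(section, {}).get(key))
    # cloud_storage_kms_key_id is the property this page names for SSE-KMS with a CMK.
    if rp.get("cloud_storage_enabled") and not rp.get("cloud_storage_kms_key_id"):
        findings.append("redpanda.cloud_storage_kms_key_id: tiered storage without a CMK")
    return findings


# Constructed sample: this section's snippet with tiered storage switched on.
SAMPLE = {"redpanda": {
    "enable_sasl": True,
    "superusers": ["admin"],
    "kafka_api_tls": [{"name": "external", "enabled": True, "require_client_auth": True}],
    "cloud_storage_enabled": True,
}}
```

Running `audit(SAMPLE)` reports five findings: the admin, RPC, Pandaproxy and Schema Registry listeners have no TLS block, and tiered storage lacks a CMK.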
Cross-references
- messaging/redpanda/architecture — for the components you're hardening.
- messaging/redpanda/operations — for the corresponding `rpk` and Helm commands.
- messaging/kafka/security — for shared Kafka-API security mechanics.
- messaging/index — for cross-broker security comparison.