Download • Install • Kafkactl
Namespaces for Apache Kafka.
Ns4Kafka brings a namespace-based deployment model for Kafka resources, inspired by Kubernetes best practices.
Ns4Kafka is an API that provides controllers for listing, creating, and deleting various Kafka resources, including topics, connectors, schemas, and Kafka Connect clusters. The solution is built on several principles.
Ns4Kafka implements the concept of namespaces, which enable encapsulation of Kafka resources within specific namespaces. Each namespace can only view and manage the resources that belong to it, with other namespaces being isolated from each other. This isolation is achieved by assigning ownership of names and prefixes to specific namespaces.
Whenever you deploy a Kafka resource using Ns4Kafka, the solution saves it to a dedicated topic and synchronizes the Kafka cluster to ensure that the resource's desired state is achieved.
Ns4Kafka allows you to apply customizable validation rules to ensure that your resources are configured with the appropriate values.
Ns4Kafka includes Kafkactl, a command-line interface (CLI) that enables you to deploy your Kafka resources 'as code' within your namespace using YAML descriptors. This tool can also be used in continuous integration/continuous delivery (CI/CD) pipelines.
You can download Ns4Kafka as a fat jar from the GitHub releases page (requires Java 21).
Additionally, a Docker image is available on Docker Hub.
To operate, Ns4Kafka requires a Kafka broker for data storage and GitLab for user authentication.
The solution is built on the Micronaut framework and can be configured with any Micronaut property source loader.
To override the default properties from the application.yml file, you can set the micronaut.config.file system
property when running the fat jar file, like so:
java -Dmicronaut.config.file=application.yml -jar ns4kafka.jarAlternatively, you can set the MICRONAUT_CONFIG_FILE environment variable and then run the jar file without additional
parameters, as shown below:
MICRONAUT_CONFIG_FILE=application.yml 
java -jar ns4kafka.jarTo run and try out the application, you can use the provided docker-compose files located in the .docker directory.
docker-compose up -dThis command will start multiple containers, including:
- 1 Kafka broker (KRaft mode)
- 1 Schema registry
- 1 Kafka Connect
- 1 Control Center
- 1 Ns4Kafka
- 1 Kafkactl
Note that SASL/SCRAM authentication and authorization using ACLs are enabled on the broker.
You can access the Kafkactl container and start deploying resources from the /resources directory:
docker exec -it kafkactl /bin/bashBy default, Kafkactl authenticates with Ns4Kafka using the Local Users authentication method with the gitlab:admin credentials.
If you want to use GitLab, you can update the configuration files as follows and restart the containers.
- Define a GitLab admin group for Ns4Kafka in the .docker/config/ns4kafka/application.ymlfile. You can find an example here. It is recommended to choose a GitLab group you belong to in order to have admin rights.
- Define a GitLab token for Kafkactl in the .docker/config/kafkactl/config.ymlfile. You can refer to the installation instructions here.
- Define a GitLab group you belong to in the role bindings of the .docker/resources/admin/namespace.ymlfile. This is demonstrated in the example here.
Alternatively, a docker-compose file running AKHQ instead of Control Center is available in the .docker directory.
docker-compose -f docker-compose-akhq.yml up -dNs4Kafka supports two authentication methods.
curl -u username:password http://localhost:8080/api/namespaces/myNamespace/topicsThe JWT token can be retrieved using the built-in Micronaut LoginController and passed in the Authorization header.
curl -X POST -d '{"username":"username","password":"password"}' -H "Content-Type: application/json" http://localhost:8080/loginThe delivered JWT token will have the following format:
{
  "roleBindings": [
    {
      "namespaces": ["myNamespace"],
      "verbs": [
        "GET",
        "POST",
        "PUT",
        "DELETE"
      ],
      "resourceTypes": [
        "schemas",
        "schemas/config",
        "topics",
        "topics/delete-records",
        "connectors",
        "connectors/change-state",
        "acls",
        "consumer-groups/reset",
        "streams",
        "connect-clusters",
        "connect-clusters/vaults"
      ]
    }
  ],
  "sub": "user.name@mail.com",
  "nbf": 1711905057,
  "roles": [
    "isAdmin()"
  ],
  "iss": "ns4kafka",
  "exp": 1711908657,
  "iat": 1711905057
}The token will be valid for 1 hour by default.
The roleBindings field contains the permissions granted to the user.
An ID provider is required to authenticate users. The following ID providers are supported.
Ns4Kafka supports two ID providers.
The local ID provider is intended for testing purposes. It allows authentication using local users defined in the configuration.
ns4kafka:
  security:
    admin-group: adminGroup
    local-users:
      - username: admin
        password: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
        groups:
          - "adminGroup"
      - username: user
        password: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
        groups:
          - "userGroup"The passwords are hashed using the SHA-256 algorithm.
The groups used to grant access to namespaces are defined in the groups field.
The admin group is set to "adminGroup" in the example above. Users will be granted admin privileges if they belong to the local group "adminGroup".
The default application.yml file includes a sample configuration with a local user named admin and a password set to admin.
To authenticate with Kafkactl using local users, set the username to gitlab. The password will serve as the authentication token.
GitLab is recommended for production environments. It uses GitLab groups to grant access to namespaces. From a given GitLab token, it retrieves the user's GitLab groups and checks if any of them match any of the role bindings.
To set up authentication with GitLab, you can use the following configuration:
micronaut:
  gitlab:
    enabled: true
    url: https://gitlab.com
  token:
    jwt:
      signatures:
        secret:
          generator:
            secret: "changeit"
ns4kafka:
  security:
    admin-group: ADMIN_GROUPThe micronaut.gitlab.url property is set to the GitLab instance URL.
The micronaut.token.jwt.signatures.secret.generator.secret property is used to sign the JWT token and should be
changed update to a secure value.
The admin group is set to "ADMIN_GROUP" in the example above. Users will be granted admin privileges if they belong to the GitLab group "ADMIN_GROUP".
Ns4Kafka requires a Kafka broker to store data.
You can configure authentication to the Kafka brokers using the following:
kafka:
  bootstrap.servers: "localhost:9092"
  sasl.mechanism: "PLAIN"
  security.protocol: "SASL_PLAINTEXT"
  sasl.jaas.config: "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"admin\" password=\"admin\";"The configuration will depend on the authentication method selected for your broker.
Managed clusters are the clusters where Ns4Kafka namespaces are deployed, and Kafka resources are managed.
You can configure your managed clusters with the following properties:
ns4kafka:
  managed-clusters:
    clusterNameOne:
      manage-users: true
      manage-acls: true
      manage-topics: true
      manage-connectors: true
      drop-unsync-acls: true
      provider: "SELF_MANAGED"
      config:
        bootstrap.servers: "localhost:9092"
        sasl.mechanism: "PLAIN"
        security.protocol: "SASL_PLAINTEXT"
        sasl.jaas.config: "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"admin\" password=\"admin\";"
        cluster.id: "lkc-abcde"
      connects:
        connectOne:
          url: "http://localhost:8083"
          basicAuthUsername: "user"
          basicAuthPassword: "password"
      schema-registry:
        url: "http://localhost:8081"
        basicAuthUsername: "user"
        basicAuthPassword: "password"
      timeout:
        acl:
          create: 30000
          delete: 30000
          describe: 30000
        topic:
          alter-configs: 30000
          create: 30000
          describe-configs: 30000
          delete: 30000
          list: 30000
        user:
          alter-client-quotas: 30000
          alter-scram-credentials: 30000
          describe-quotas: 10000The name for each managed cluster has to be unique. This is this name you have to set in the field metadata.cluster of your namespace descriptors.
| Property | Type | Required | Description | 
|---|---|---|---|
| manage-acls | boolean | No | Does the cluster manages access control entries (Default: false) | 
| manage-connectors | boolean | No | Does the cluster manages connects (Default: false) | 
| manage-topics | boolean | No | Does the cluster manages topics (Default: false) | 
| manage-users | boolean | No | Does the cluster manages users (Default: false) | 
| drop-unsync-acls | boolean | No | Should unsynchronized acls be dropped (Default: true) | 
| timeout.acl.create | int | No | The timeout in milliseconds used by the AdminClient to create acls (Default: 30000ms) | 
| timeout.acl.describe | int | No | The timeout in milliseconds used by the AdminClient to describe acls (Default: 30000ms) | 
| timeout.acl.delete | int | No | The timeout in milliseconds used by the AdminClient to delete acls (Default: 30000ms) | 
| timeout.topic.alter-configs | int | No | The timeout in milliseconds used by the AdminClient to alter topic configs (Default: 30000ms) | 
| timeout.topic.create | int | No | The timeout in milliseconds used by the AdminClient to create topics (Default: 30000ms) | 
| timeout.topic.describe-configs | int | No | The timeout in milliseconds used by the AdminClient to describe topic configs (Default: 30000ms) | 
| timeout.topic.delete | int | No | The timeout in milliseconds used by the AdminClient to delete topics (Default: 30000ms) | 
| timeout.topic.list | int | No | The timeout in milliseconds used by the AdminClient to list topics (Default: 30000ms) | 
| timeout.user.alter-quotas | int | No | The timeout in milliseconds used by the AdminClient to alter client quotas (Default: 30000ms) | 
| timeout.user.alter-scram-credentials | int | No | The timeout in milliseconds used by the AdminClient to alter scram credentials (Default: 30000ms) | 
| timeout.user.describe-quotas | int | No | The timeout in milliseconds used by the AdminClient to describe client quotas (Default: 30000ms) | 
| provider | boolean | Yes | The kind of cluster. Either SELF_MANAGED or CONFLUENT_CLOUD | 
| config.bootstrap.servers | string | Yes | The location of the clusters servers | 
| config.cluster.id | string | No | The cluster id. Required to use Confluent Cloud tags. In this case, Stream Catalog properties must be set. | 
| schema-registry.url | string | No | The location of the Schema Registry | 
| schema-registry.basicAuthUsername | string | No | Basic authentication username to the Schema Registry | 
| schema-registry.basicAuthPassword | string | No | Basic authentication password to the Schema Registry | 
| connects..url | string | No | The location of the kafka connect | 
| connects..basicAuthUsername | string | No | Basic authentication username to the Kafka Connect | 
| connects..basicAuthPassword | string | No | Basic authentication password to the Kafka Connect | 
The configuration will depend on the authentication method selected for your broker, schema registry and Kafka Connect.
For Confluent Cloud only, topic tags and description can be synchronized with Ns4Kafka.
The synchronization is done with the Confluent Stream Catalog GraphQL API if you have the appropriate Stream Governance package on Confluent, otherwise with the Confluent Stream Catalog REST API.
You can configure the synchronization using the following properties:
ns4kafka:
  confluent-cloud:
    stream-catalog:
      page-size: 500
      sync-catalog: trueThe page size is used for the Stream Catalog REST API and is capped at 500 as described in the Confluent Cloud documentation.
Reminder that the config.cluster.id parameter from managed Kafka cluster properties must be set to use Confluent Cloud.
AKHQ can be integrated with Ns4Kafka to provide access to resources within your namespace. The link between AKHQ and Ns4Kafka namespaces is established using LDAP groups and LDAP authentication in AKHQ.
To enable this integration:
- Configure LDAP authentication in AKHQ.
- Add the Ns4Kafka claim endpoint to AKHQ's configuration:
akhq:
  security:
    rest:
      enabled: true
      url: https://ns4kafka/akhq-claim/v3For AKHQ versions:
- v0.25and later, use the- /akhq-claim/v3endpoint.
- v0.20to- v0.24, use the- /akhq-claim/v2endpoint.
- v0.20and earlier, use the- /akhq-claim/v1endpoint.
- In your Ns4Kafka configuration, specify the following settings for AKHQ:
- For AKHQ versions v0.25and later:
ns4kafka:
  akhq:
    admin-group: LDAP-ADMIN-GROUP
    admin-roles:
      TOPIC: topic-admin
      CONNECT: connect-admin
      SCHEMA: registry-admin
      GROUP: group-read
      CONNECT_CLUSTER: connect-cluster-read
    group-label: "support-group"
    group-delimiter: ","
    roles:
      TOPIC: topic-read
      CONNECT: connect-rw
      SCHEMA: registry-read
      GROUP: group-read
      CONNECT_CLUSTER: connect-cluster-read| Property | Type | Required | Description | 
|---|---|---|---|
| admin-group | string | yes | Administrator LDAP group. Users in this group will be granted admin privileges in AKHQ. | 
| admin-roles | string | yes | Administrator privileges granted to AKHQ administrators. | 
| group-label | string | yes | Name of the label in metadata.labelsof namespace resources that contains the LDAP groups used during AKHQ authentication. | 
| group-delimiter | string | no | Delimiter for separating multiple LDAP groups (defaults to ,). | 
| roles | string | yes | Privileges granted to AKHQ users. | 
- For AKHQ versions prior to v0.25:
ns4kafka:
  akhq:
    admin-group: LDAP-ADMIN-GROUP
    former-admin-roles:
      - topic/read
      - topic/data/read
      - group/read
      - registry/read
      - connect/read
      - connect/state/update
      - users/reset-password
    group-label: support-group
    former-roles:
      - topic/read
      - topic/data/read
      - group/read
      - registry/read
      - connect/read
      - connect/state/update- In your namespace configuration, define an LDAP group in metadata.labelswith a label name that matches the value defined in thens4kafka.akhq.group-labelproperty:
apiVersion: v1
kind: Namespace
metadata:
  name: myNamespace
  cluster: local
  labels:
    contacts: namespace.owner@example.com
    support-group: NAMESPACE-LDAP-GROUPOnce the configuration is in place, after successful authentication in AKHQ, users belonging to the NAMESPACE-LDAP-GROUP will be able to access resources within the myNamespace namespace.
Ns4Kafka encrypts sensitive data at rest in topics using AES-256 GCM encryption. This is used to encrypt Kafka Connect sensitive data (i.e., password, AES-256 key, AES-256 salt).
Encryption requires a key for both encryption and decryption, defined in the following properties:
ns4kafka:
  security:
    aes256-encryption-key: 'changeitchangeitchangeitchangeit'The key must be 256 bits long (32 characters).
Ns4Kafka includes multiple HTTP clients:
- GitLab, for authentication
- Kafka Connect
- Schema Registry
HTTP client timeouts can be configured individually using the following properties:
micronaut:
  http:
    services:
      gitlab:
        connect-timeout: '5s'
        read-idle-timeout: '5s'
        read-timeout: '5s'
      kafka-connect:
        connect-timeout: '10s'
        read-idle-timeout: '10s'
        read-timeout: '10s'
      schema-registry:
        connect-timeout: '10s'
        read-idle-timeout: '10s'
        read-timeout: '10s'The Ns4Kafka HTTP clients are configured to retry requests in case of a timeout. The retry behavior is controlled by the following properties:
ns4kafka:
  retry:
    attempt: '5'
    delay: '2s'
    multiplier: '2.0'Micronaut sensitive endpoints can be enabled or disabled through the application configuration. The list of sensitive endpoints is available in the Micronaut documentation.
These endpoints are disabled by default in Ns4Kafka and can be enabled by setting the endpoints.*.enabled property
to true.
When enabled, these endpoints require authentication as an admin user.
Ns4Kafka provides a RapiDoc interface to interact with the API.
By default:
- The RapiDoc interface is available at http://localhost:8080/rapidoc.
- The OpenAPI description is available at http://localhost:8080/swagger/ns4kafka-0.1.yml.
You can authenticate using the POST /login endpoint and then use the HTTP Bearer button to add the JWT token
in the Authorization header.
Refers to the Authentication section for details on the required credentials.
The setup of namespaces, owner ACLs, role bindings, and quotas is the responsibility of Ns4Kafka administrators, as these resources define the context in which project teams will work. To create your first namespace, please refer to the Kafkactl documentation.
We welcome contributions from the community! Before you get started, please take a look at our contribution guide to learn about our guidelines and best practices. We appreciate your help in making Ns4Kafka a better tool for everyone.