Kafka RBAC Without the ACL Nightmare

Native Kafka ACLs don't understand teams. They're per-broker, hard to audit at scale, and there's no central view of who has access to what. Conduktor adds a role-based control plane on top, without touching the broker.

Native Kafka ACLs work fine for small deployments. They break down at scale. The case for Kafka RBAC becomes clear when you have 20 teams, 500 topics, and a compliance team asking "who has access to what?" ACLs are managed per-broker with no central view, there's no concept of roles or groups, and changes require broker admin access you don't want to hand out.

Role-Based Permissions

Define roles (producer, consumer, admin, read-only) and assign them to users, service accounts, or groups. Permissions apply across all topics in a namespace automatically.

Team Namespacing

Isolate teams into virtual clusters with dedicated namespaces. Team A can only see and access Team A's topics. Cross-team access requires explicit grants.

Service Account Management

Create service accounts for applications with scoped permissions. Rotate credentials without touching broker configuration. Audit service account activity independently.

Centralized Access View

See every user, every group, every service account, and what they can access, across all clusters, in one interface. Export for compliance audits.

Self-Service Access Requests

Developers request topic access through a portal. Platform teams approve or set policies for auto-approval. Full audit trail of every grant and revocation.

Zero Broker Changes

Conduktor Gateway enforces RBAC transparently. Applications connect to Gateway instead of directly to Kafka. No broker reconfiguration required.

Identity Integration

Connect to your existing identity provider (LDAP or OIDC-based SSO). User roles sync automatically. When someone leaves the company, their Kafka access is revoked with their identity.

Policy Enforcement at the Proxy

Conduktor Gateway intercepts every client request and checks it against the RBAC policy engine. Unauthorized requests are rejected before reaching the broker, with a clear error message.

Audit Everything

Every access grant, revocation, and permission check is logged. Who requested access, who approved it, when it was used last. All queryable and exportable.

Principle of Least Privilege

Start with no access. Grant exactly what each team or service needs. Conduktor enforces boundaries. Applications can't accidentally (or intentionally) consume from topics they haven't been granted access to.

How is Conduktor RBAC different from native Kafka ACLs?

Native ACLs are low-level and per-resource. Conduktor RBAC adds role abstractions, team namespacing, a central control plane, and human-readable permissions on top. The underlying broker ACLs are managed by Conduktor automatically.

Does it work with existing Kafka deployments?

Yes. Conduktor Gateway works as a transparent proxy in front of any Kafka cluster (MSK, Confluent Cloud, on-prem, Redpanda). No broker changes required.

Can I give read-only access to certain topics?

Yes. Roles can be scoped to: produce only, consume only, read metadata, or full access. Permissions apply per topic, per topic pattern, or per namespace.

How do we handle service-to-service Kafka access?

Create service accounts in Conduktor with scoped permissions. Applications use mTLS or token-based auth to Gateway. Credentials are rotated without changing broker configuration.

What happens when a developer leaves the team?

Revoke their role in Conduktor. Gateway immediately stops authorizing their requests. If integrated with your IdP, this happens automatically on user deactivation.

Does RBAC cover Schema Registry subjects?

Yes. A dedicated Schema Registry proxy enforces access control on schema operations — who can register, update, or delete schemas per subject. It uses the same OIDC identity as the rest of Conduktor, so permissions stay consistent across Kafka and Schema Registry.

See Kafka RBAC in Action

Stop managing Kafka ACLs by hand. 30-minute demo: setting up team namespaces, assigning roles, and auditing access, all without touching a broker.
