About this guide

This guide covers using the Kroxylicious Multi-tenancy Filter to present a single Kafka cluster as if it were multiple clusters.. Refer to other Kroxylicious guides for information on running the proxy or for advanced topics such as plugin development.

Kroxylicious’s Multi-tenancy filter presents a single Kafka cluster to tenants as if it were multiple clusters. Operations are isolated to a single tenant by prefixing resources with an identifier.

This filter is currently in incubation and available as a preview. We would not recommend using it in a production environment.

The Multi-tenancy filter works by intercepting all Kafka RPCs (remote procedure calls) that reference resources, such as topic names and consumer group names:

Request path

On the request path, resource names are prefixed with a tenant identifier.

Response path

On the response path, the prefix is removed.

Kafka RPCs that list resources are filtered so that only resources belonging to the tenant are returned, effectively creating a private cluster experience for each tenant.

To set up the filter, configure it in Kroxylicious.

While the Multi-tenancy filter isolates operations on resources, it does not isolate user identities across tenants. User authentication and ACLs (Access Control Lists) are shared across all tenants, meaning that identity is not scoped to individual tenants. For more information on open issues related to this filter, see Kroxylicious issues.
For more information on Kafka’s support for multi-tenancy, see the Apache Kafka website.

1. (Preview) Setting up the Multi-tenancy filter

This procedure describes how to set up the Multi-tenancy filter by configuring it in Kroxylicious. The filter dynamically prefixes resource names to create isolation between tenants using the same Kafka cluster. The prefix representing a tenant is taken from the name of the virtual cluster representing the tenant. For example, if the virtual cluster is named tenant-1, the prefix is tenant-1. Each tenant must be represented by a unique virtual cluster, and virtual cluster names must be globally unique within the Kroxylicious configuration. This means that the same virtual cluster name cannot be used to represent different Kafka clusters.

Prerequisites
Procedure

  1. Configure a MultiTenant type filter.

  2. Verify that multi-tenancy filtering has been applied.

    For example, create a topic through each virtual cluster and check that the topics are prefixed with the name of the corresponding virtual cluster.

1.1. Example proxy configuration file

If your instance of the Kroxylicious Proxy runs directly on an operating system, provide the filter configuration in the filterDefinitions list of your proxy configuration.

Here’s a complete example of a filterDefinitions entry configured for multi-tenancy:

Example filterDefinitions configuration 
filterDefinitions:
  - name: my-multi-tenant-filter
    type: MultiTenant
    config:
      prefixResourceNameSeparator: "." (1)
1 The separator used for the prefix. If a separator is not specified, - is the default.
Currently, only the prefix with separator is validated.

Refer to the Kroxylicious Proxy guide for more information about configuring the proxy.

1.2. Example KafkaProtocolFilter resource

If your instance of Kroxylicious runs on Kubernetes, you must use a KafkaProcotolFilter resource to contain the filter configuration.

Here’s a complete example of a KafkaProtocolFilter resource configured for record validation:

Example KafkaProtocolFilter resource for record validation 
kind: KafkaProtocolFilter
metadata:
  name: my-validation-filter
spec:
  type: MultiTenant
  configTemplate:
    prefixResourceNameSeparator: "." (1)
1 The separator used for the prefix. If a separator is not specified, - is the default.

Refer to the Kroxylicious Operator for Kubernetes guide for more information about configuration on Kubernetes.

2. Trademark notice

  • Apache Kafka is a registered trademark of The Apache Software Foundation.

  • Kubernetes is a registered trademark of The Linux Foundation.

  • Prometheus is a registered trademark of The Linux Foundation.

  • Strimzi is a trademark of The Linux Foundation.

  • Hashicorp Vault is a registered trademark of HashiCorp, Inc.

  • AWS Key Management Service is a trademark of Amazon.com, Inc. or its affiliates.

  • Fortanix and Data Security Manager are trademarks of Fortanix, Inc.