Skip to main content
Quick navigation

Gateway Security Mode

What is changing?

info

This migration guide is for Gateway v3.10.0 and later

We have introduced a new environment variable, $GATEWAY_SECURITY_MODE, to define where authentication takes place. As part of this, we are deprecating (although still supporting) DELEGATED_XXX inputs for ${GATEWAY_SECURITY_PROTOCOL}.

The valid inputs for $GATEWAY_SECURITY_MODE are: KAFKA_MANAGED and GATEWAY_MANAGED. For more details see documentation.

Why?

We are splitting the security configuration into two steps in order to simplify the user experience.

Am I affected?

This change is backwards compatible, we still support delegated protocols. Your current configuration will automatically map like so:

3.9.0 GATEWAY_SECURITY_PROTOCOL3.10.0 GATEWAY_SECURITY_PROTOCOL3.10.0 GATEWAY_SECURITY_MODE
PLAINTEXTPLAINTEXTGATEWAY_MANAGED
SASL_PLAINTEXTSASL_PLAINTEXTGATEWAY_MANAGED
SASL_SSLSASL_SSLGATEWAY_MANAGED
SSLSSLGATEWAY_MANAGED
DELEGATED_SASL_PLAINTEXTSASL_PLAINTEXTKAFKA_MANAGED
DELEGATED_SASL_SSLSASL_SSLKAFKA_MANAGED

What do I need to do?

We strongly encourage users to set up configurations using the new GATEWAY_SECURITY_MODE environment variable and migrate from usage of DELEGATED_SASL_PLAINTEXT and DELEGATED_SASL_SSL.

You can use this table to guide your possible configurations.

GATEWAY_SECURITY_MODEGATEWAY_SECURITY_PROTOCOLPrevious version GATEWAY_SECURITY_PROTOCOL equivalent
GATEWAY_MANAGEDSASL_PLAINTEXTSASL_PLAINTEXT
GATEWAY_MANAGEDSASL_SSLSASL_SSL
GATEWAY_MANAGEDSSLSSL
GATEWAY_MANAGEDPLAINTEXTPLAINTEXT
KAFKA_MANAGEDSASL_PLAINTEXTDELEGATED_SASL_PLAINTEXT
KAFKA_MANAGEDSASL_SSLDELEGATED_SASL_SSL
KAFKA_MANAGEDSSLInvalid auth mode with Kafka. Will be rejected.
KAFKA_MANAGEDPLAINTEXTInvalid auth mode with Kafka. Will be rejected.

For example, if you want to set up a Gateway configuration that delegates authentication to your backing Kafka cluster using SASL_SSL:

  • Before (in previous versions):

    GATEWAY_SECURITY_PROTOCOL: DELEGATED_SASL_SSL

  • Now (in 3.10.0 and later):

    GATEWAY_SECURITY_MODE: KAFKA_MANAGED
    GATEWAY_SECURITY_PROTOCOL: SASL_SSL