Enforce fine-grained, topic-level access control on your Kafka cluster using the same Cerbos policies that govern your application.
Cerbos speaks Kafka's native protocol, so no custom glue code is required.
The same CEL-based policies that govern your application layer extend to your infrastructure.
Authorization at every layer of your stack, managed from a single control plane.
Apache Kafka provides a native integration point for Cerbos, extending policy-driven authorization to another layer of your stack without custom glue code.
Cerbos policies are written in human-readable YAML supporting RBAC, ABAC, and conditional rules. The same policies that govern your application layer now extend to Apache Kafka, enforced consistently everywhere.
A unified control plane means one set of policies, one audit trail, and one management workflow, regardless of how many services and infrastructure layers your system spans.
Apache Kafka powers event-driven architectures across industries. But securing who can produce to or consume from specific topics is often limited to ACLs that are difficult to manage at scale and disconnected from your application's authorization model.
Cerbos brings the same fine-grained, attribute-based policies you use in your application layer to your Kafka cluster. Define who can access which topics based on roles, departments, data classification, or any custom attribute, all in human-readable YAML.
Kafka's built-in ACL system requires you to manage allow/deny lists per principal and resource. Cerbos replaces this with declarative policies that can express complex rules: engineers in the payments team can produce to payments.* topics, while data analysts can only consume from analytics.* topics in read-only consumer groups.
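The two rules described above, written as a Cerbos resource policy. This is an added illustration, not taken from Cerbos' Kafka integration documentation. The resource kind `kafka_topic`, the action names `produce` and `consume`, the role names, the `team` attribute, and the topic name arriving as the resource id are all assumptions.

```yaml
# Added illustration; not Cerbos' published Kafka schema.
# Assumed names: resource kind "kafka_topic", actions "produce"/"consume",
# roles "engineer"/"data_analyst", principal attribute "team", and the
# Kafka topic name being passed as the resource id (R.id).
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: kafka_topic
  rules:
    # Engineers on the payments team may produce to payments.* topics.
    - actions: ["produce"]
      effect: EFFECT_ALLOW
      roles: ["engineer"]
      condition:
        match:
          all:
            of:
              - expr: P.attr.team == "payments"
              - expr: R.id.startsWith("payments.")

    # Data analysts may consume from analytics.* topics and nothing else.
    # The consumer-group restriction from the text would be a further
    # condition or a separate policy; it is omitted because the page does
    # not say how the group is exposed to the policy.
    - actions: ["consume"]
      effect: EFFECT_ALLOW
      roles: ["data_analyst"]
      condition:
        match:
          expr: R.id.startsWith("analytics.")
```

Cerbos denies any request that no rule allows, so an analyst attempting to produce, or an engineer writing outside `payments.*`, is rejected without an explicit deny rule.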
Cerbos authorization for Apache Kafka is available as part of Cerbos enterprise. Talk to us to learn more about securing your Kafka cluster with Cerbos policies.
Cerbos integrates with Kafka's pluggable authorizer interface. When a client attempts to produce, consume, or administer a topic, Kafka delegates the authorization decision to Cerbos, which evaluates your policies against the principal, the Kafka resource (topic, consumer group, cluster), and the operation.
Any operation Kafka's authorization framework surfaces: produce, consume, create/delete topics, alter configs, manage consumer groups, and transactional operations. Cerbos policies let you write rules based on topic names, client identity, consumer group, and custom attributes.
Yes. Cerbos supports scoped policies and resource-level rules. You can write policies that apply only to specific topics, topic prefixes, or environments, and version them alongside your application policies.
What is Cerbos?
Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.
Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege and maintain full visibility into access decisions with Cerbos authorization.