ACLs, SASL & mTLS

Three layers: encrypt, identify, authorise.


Encrypt, identify, authorise

Defence in depth

  1. TLS — encrypt traffic on the wire (broker ↔ broker, client ↔ broker).
  2. SASL or mTLS — authenticate the principal (User:alice, CN=svc-orders).
  3. ACLs — authorise the principal against resources (Topic:orders → Read/Write).

Two common production setups:

  • SASL/SCRAM over TLS — easy onboarding, secrets live in Kafka.
  • mTLS — preferred at scale, integrates with PKI / Vault / SPIFFE.

SASL_SSL + SCRAM-SHA-512 client config

Author the client.properties for a Java, Connect or CLI client connecting to a TLS-terminated broker that authenticates with SASL/SCRAM. Put the JAAS config inline in the file (sasl.jaas.config) and inject the secrets from the environment at runtime.
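A worked client.properties for this step, added here as an example rather than the course's own answer; it assumes a Kafka 3.5+ client (EnvVarConfigProvider), a CA bundle at /etc/kafka/ssl/ca.pem and the constructed env vars KAFKA_SCRAM_USER / KAFKA_SCRAM_PASSWORD, and pairs the file with a check that rejects the usual weakenings (plaintext transport, a weaker mechanism, hostname verification off, a literal password on disk):

```shell
#!/bin/sh
# Added example, not the course's own solution. Assumes Kafka 3.5+ clients
# (EnvVarConfigProvider, KIP-887) and a CA bundle at /etc/kafka/ssl/ca.pem
# issued by your PKI. The broker user and password are read from the
# constructed env vars KAFKA_SCRAM_USER / KAFKA_SCRAM_PASSWORD when the
# client starts, so the properties file itself never contains a secret.

write_client_properties() {
  out="$1"
  ( umask 077                      # file readable by the invoking user only
    cat > "$out" <<'EOF'
# --- transport: TLS to the broker, verify its certificate and hostname ---
security.protocol=SASL_SSL
ssl.truststore.type=PEM
ssl.truststore.location=/etc/kafka/ssl/ca.pem
ssl.endpoint.identification.algorithm=https

# --- identity: SCRAM-SHA-512, credentials resolved from the environment ---
sasl.mechanism=SCRAM-SHA-512
config.providers=env
config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
  username="${env:KAFKA_SCRAM_USER}" \
  password="${env:KAFKA_SCRAM_PASSWORD}";
EOF
  )
}

# Reject the weakenings seen most often in review: plaintext transport,
# a weaker SASL mechanism, hostname verification switched off (an empty
# value disables it), or a literal password committed to the file.
check_client_properties() {
  f="$1"
  [ -n "$(find "$f" -perm 600)" ]                              || return 1
  grep -qx 'security.protocol=SASL_SSL' "$f"                  || return 1
  grep -qx 'sasl.mechanism=SCRAM-SHA-512' "$f"                || return 1
  grep -qx 'ssl.endpoint.identification.algorithm=https' "$f" || return 1
  grep -q  'password="\${env:' "$f"                           || return 1
  ! grep -Eq 'password="[^$]' "$f"                            || return 1
}

# Usage: the secret lives only in the environment of the process running the CLI.
#   write_client_properties client.properties && check_client_properties client.properties
#   KAFKA_SCRAM_USER=alice KAFKA_SCRAM_PASSWORD="$(cat /run/secrets/kafka_pw)" \
#     kafka-console-consumer.sh --bootstrap-server broker:9093 \
#       --consumer.config client.properties --topic orders
```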
