<span id="streams-developer-guide-security"></span><h1>Streams Security<a class="headerlink" href="#streams-security" title="Permalink to this headline"></a></h1>
<div class="contents local topic" id="table-of-contents">
<p>Kafka Streams integrates natively with <a class="reference internal" href="../../../documentation.html#security"><span class="std std-ref">Kafka's security features</span></a> and supports all of the
client-side security features in Kafka, because Streams is built on the <a class="reference internal" href="../../../documentation.html#api"><span class="std std-ref">Java Producer and Consumer API</span></a>.</p>
<p>For more information about the security features in Apache Kafka, see <a class="reference internal" href="../../../documentation.html#security"><span class="std std-ref">Kafka Security</span></a>.</p>
<span id="streams-developer-guide-security-acls"></span><h2><a class="toc-backref" href="#id1">Required ACL setting for secure Kafka clusters</a><a class="headerlink" href="#required-acl-setting-for-secure-kafka-clusters" title="Permalink to this headline"></a></h2>
<p>To avoid granting your application permission to create topics, you can create the required internal topics manually.
If the internal topics already exist, Kafka Streams will not try to recreate them.
Note that the internal repartition and changelog topics must be created with the correct number of partitions; otherwise, Kafka Streams will fail on startup.
The topics must be created with the same number of partitions as your input topic or, if there are multiple input topics, the maximum number of partitions across all of them.
Additionally, changelog topics <em>must</em> be created with log compaction enabled; otherwise, your application might lose data.
For changelog topics of windowed KTables, apply the "delete,compact" cleanup policy and set the retention time based on the corresponding store's retention time. To avoid premature deletion,
add a delta to the store retention time. By default, Kafka Streams adds 24 hours to the store retention time.
You can find out the names of the required internal topics via <code>Topology#describe()</code>.
All internal topics follow the naming pattern <code>&lt;application.id&gt;-&lt;operatorName&gt;-&lt;suffix&gt;</code>, where <code>suffix</code> is either <code>repartition</code> or <code>changelog</code>.
Note that there is no guarantee about this naming pattern in future releases; it is not part of the public API.</p>
<p>Since all internal topics as well as the embedded consumer group name are prefixed with the <a class="reference internal" href="/{{version}}/documentation/streams/developer-guide/config-streams.html#required-configuration-parameters"><span class="std std-ref">application id</span></a>,
it is recommended to use ACLs on a prefixed resource pattern
to allow the client to manage all topics and consumer groups whose names start with this prefix.</p>
<span id="streams-developer-guide-security-example"></span><h2><a class="toc-backref" href="#id2">Security example</a><a class="headerlink" href="#security-example" title="Permalink to this headline"></a></h2>
<p>The purpose is to configure a Kafka Streams application to enable client authentication and encrypt data-in-transit when
communicating with its Kafka cluster.</p>
<p>This example assumes that the Kafka brokers in the cluster already have their security set up and that the necessary SSL
certificates are available to the application at the expected local filesystem locations. For example, if you are using Docker,
then you must also include these SSL certificates at the correct locations within the Docker image.</p>
<p>The snippet below shows the settings to enable client authentication and SSL encryption for data-in-transit between your
Kafka Streams application and the Kafka cluster it is reading from and writing to:</p>
<p>Configure these settings in the application for your <code class="docutils literal"><span class="pre">Properties</span></code> instance. These settings will encrypt any</p>
<p>If you incorrectly configure a security setting in your application, it will fail at runtime, typically right after you
start it. For example, if you enter an incorrect password for the <code class="docutils literal"><span class="pre">ssl.keystore.password</span></code> setting, an error message
similar to this would be logged and then the application would terminate:</p>
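<p>The two procedures above, the SSL client settings from this section and the manual creation of correctly sized, compacted internal topics from the ACL section, as one added example (not code from the Kafka project or this guide). The application id, broker address, keystore paths and passwords are placeholders, and the operator names passed in are assumed to come from <code>Topology#describe()</code>:</p>

```java
import java.util.*;
import org.apache.kafka.clients.CommonClientConfigs;
import org.apache.kafka.clients.admin.AdminClient;
import org.apache.kafka.clients.admin.NewTopic;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.config.TopicConfig;
import org.apache.kafka.streams.StreamsConfig;

public class SecureStreamsSetup {
    // Placeholder values (assumptions): substitute your application id, broker address and keystore paths.
    static final String APP_ID = "my-streams-app";
    static final String BOOTSTRAP = "kafka.example.com:9093";
    /** Client authentication (keystore) plus TLS encryption (truststore) for every client Streams embeds. */
    static Properties secureProps() {
        Properties p = new Properties();
        p.put(StreamsConfig.APPLICATION_ID_CONFIG, APP_ID);
        p.put(StreamsConfig.BOOTSTRAP_SERVERS_CONFIG, BOOTSTRAP);
        p.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL");
        p.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, "/etc/security/tls/kafka.client.truststore.jks");
        p.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, "<truststore-password>");
        p.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, "/etc/security/tls/kafka.client.keystore.jks");
        p.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, "<keystore-password>");
        p.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, "<key-password>");
        return p;
    }
    /** Pre-creates the internal topics so the application principal needs no topic-CREATE permission. */
    static void createInternalTopics(Properties props, List<String> inputTopics, List<String> repartitionOps,
            List<String> changelogOps, Map<String, Long> windowedChangelogOps, short rf) throws Exception {
        try (AdminClient admin = AdminClient.create(props)) {
            // Every internal topic needs as many partitions as the largest input topic (allTopicNames: Kafka 3.1+).
            int partitions = admin.describeTopics(inputTopics).allTopicNames().get().values().stream()
                    .mapToInt(d -> d.partitions().size()).max().orElseThrow();
            List<NewTopic> topics = new ArrayList<>();
            for (String op : repartitionOps)
                topics.add(new NewTopic(APP_ID + "-" + op + "-repartition", partitions, rf));
            for (String op : changelogOps)  // non-windowed KTable changelog: must be compacted or data is lost
                topics.add(new NewTopic(APP_ID + "-" + op + "-changelog", partitions, rf)
                        .configs(Map.of(TopicConfig.CLEANUP_POLICY_CONFIG, TopicConfig.CLEANUP_POLICY_COMPACT)));
            for (Map.Entry<String, Long> e : windowedChangelogOps.entrySet()) {
                // Windowed changelog: "delete,compact", retention = store retention + the 24 h delta Streams adds
                long retentionMs = e.getValue() + 24L * 60 * 60 * 1000;
                topics.add(new NewTopic(APP_ID + "-" + e.getKey() + "-changelog", partitions, rf)
                        .configs(Map.of(TopicConfig.CLEANUP_POLICY_CONFIG, "delete,compact",
                                        TopicConfig.RETENTION_MS_CONFIG, Long.toString(retentionMs))));
            }
            admin.createTopics(topics).all().get();  // fails if the principal lacks rights or a topic already exists
        }
    }
}
```

<p>Run <code>createInternalTopics</code> once with a principal that may create topics, then start the application under a principal whose ACLs cover only the prefixed resources it needs to read and write.</p>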