Security Overview
Surgewave covers transport-layer encryption, client authentication, resource authorization
and supply-chain integrity for plugin packages. The matrix below summarises each layer;
the linked pages document the wire format, configuration knobs and operational tradeoffs.
Security Layers
Layer
Feature
Description
Authentication
SASL
Verify client identity
Encryption
TLS
Encrypt data in transit
Authorization
ACL
Control resource access
Supply chain
Plugin Signing
Sign and verify .swpkg plugin packages end-to-end
Quick Setup
Minimal Security
{
"Surgewave": {
"Security": {
"Enabled": true,
"SaslEnabled": true,
"SaslMechanisms": ["PLAIN"],
"Users": [
{ "Username": "admin", "Password": "admin-secret" },
{ "Username": "app", "Password": "app-secret" }
]
}
}
}
Full Security
{
"Surgewave": {
"Security": {
"Enabled": true,
"SaslEnabled": true,
"SaslMechanisms": ["SCRAM-SHA-256"],
"TlsEnabled": true,
"CertificatePath": "/certs/server.pfx",
"CertificatePassword": "cert-password",
"AclEnabled": true,
"SuperUsers": ["User:admin"]
}
}
}
Client Configuration
.NET Producer
var producer = new SurgewaveProducer<string, string>(options =>
{
options.BootstrapServers = "localhost:9092";
options.SecurityProtocol = SecurityProtocol.SaslSsl;
options.SaslMechanism = SaslMechanism.ScramSha256;
options.SaslUsername = "app";
options.SaslPassword = "app-secret";
});
Confluent.Kafka
var config = new ProducerConfig
{
BootstrapServers = "localhost:9092",
SecurityProtocol = SecurityProtocol.SaslSsl,
SaslMechanism = SaslMechanism.ScramSha256,
SaslUsername = "app",
SaslPassword = "app-secret"
};
Security Protocols
Protocol
SASL
TLS
Use Case
PLAINTEXT
No
No
Development only
SASL_PLAINTEXT
Yes
No
Internal networks
SSL
No
Yes
Encryption only
SASL_SSL
Yes
Yes
Production
Best Practices
Use SASL_SSL in production
Use SCRAM over PLAIN
Enable ACLs for multi-tenant
Rotate credentials regularly
Monitor auth failures
Next Steps