ReviseAlgo Logo

Security & Multi-Cluster Deployments

Multi-Tenant Kafka — Namespacing and Isolation

Configuring resource quotas, prefixing topics, and multi-tenant policies.

Introduction

Operating separate Kafka clusters for every development team or business department is expensive and complex to maintain. Multi-Tenancy allows multiple independent client applications (tenants) to share a single physical Kafka cluster. Enforcing strict logical boundaries is achieved through Namespacing (topic prefixes) and resource Quotas (rate limits).

Why It Matters

In a shared cluster, one misconfigured or high-throughput consumer loop can flood the network bandwidth, starve other services, or saturate disk I/O—known as the "noisy neighbor" effect. Setting up namespacing isolation guarantees security boundary separation, and configuring quotas prevents a single client from impacting cluster performance.

Real-World Analogy

Think of multi-tenancy like an office business center. Multiple companies share the same lobby, water systems, and infrastructure. Namespacing is like giving each company a distinct room key code (e.g. finance-room vs hr-room) to ensure they cannot look at each other's mail. Quotas are like limiting the maximum water flow rate to each office space so one tenant running a heavy laundry machine doesn't drain the water pressure for everyone else.

How It Works

Implementing multi-tenancy involves configuring the following mechanisms:

  1. Logical Topic Namespacing: Standardizing naming patterns (e.g., team.project.topic) combined with prefix-based wildcard ACL authorization.
  2. Producer Bandwidth Quotas: Enforcing limit rates on bytes-in written to brokers by client credentials or client identifier.
  3. Consumer Bandwidth Quotas: Enforcing limit rates on bytes-out read from brokers by client credentials or client identifier.
  4. Request Rate Quotas: Limiting the percentage of network/I/O thread execution time a specific client can consume.

Internal Architecture

When a client exceeds its configured rate quota (e.g., writing 25MB/sec when limited to 10MB/sec), the broker does not immediately throw a connection error. Instead, it calculates the **delay time** required to bring the client back down to the target rate. The broker holds the client request response, delaying it by that duration. The client-side library registers this delay and blocks the internal producer send queue, throttling the client.

Visual Explanation

Below is an ASCII representation showing how the broker handles quota breaches by delaying response packages to slow down producers:

[Producer Client] ──(Produce Request: 20MB/s)──> [Broker Channel]
                                                       │
   [ Throttled ]  <──(Response Delayed by 2.5s)── [Quota Check: Max 10MB/s]
 (Blocks send()                                        │
    threads)                                           ▼
                                             [Data Saved in Log]
            

Practical Example

Here are CLI admin commands showing how to set write and read bandwidth quotas for a specific authenticated user on the cluster:

To verify the configured quotas, run the describe command:

Common Mistakes

  • Relying on Client ID for quotas in open clusters: Configuring quotas by client ID (e.g. client.id=my-app) without authentication. Any developer can modify the client ID in their code to bypass rate limits. Quotas must be tied to authenticated SASL/SSL usernames.
  • No default quotas configured: Neglecting to set a fallback default quota policy. A single unthrottled team deploying a fast loop can take down the shared brokers.

Quick Quiz

Q1: How does Kafka enforce producer rate limiting when a client exceeds its bandwidth quota?

By delaying the client's produce response, forcing the client-side library to block further message publication.

Q2: Why is topic namespacing important in a multi-tenant Kafka cluster?

It prevents naming collisions and allows configuring wildcard ACLs (e.g., permitting a team to write only to topics prefixed with billing.*).

Scenario-Based Challenge

The Challenge: Setting up dynamic, wildcard-based topic access rules

You host a shared cluster for 50 microservices. Each service belongs to a specific team (e.g., marketing, logistics). If you create separate ACL rules manually for every new topic, the administration becomes a bottleneck. How do you design an automated topic access control system?

Solution Tip: Enforce a strict topic namespacing rule where topics start with the team name (e.g. logistics.shipments). Then create a single wildcard ACL rule using prefix matching: kafka-acls.sh --add --allow-principal User:logistics-service-account --operation All --topic logistics. --resource-pattern-type prefixed. This permits logistics services to create and manage any topic starting with that prefix.

Debugging Exercise

A business team reports that their producer threads frequently block for up to 30 seconds when publishing events during batch processes, throwing a TimeoutException: Expiring 10 record(s). The broker's CPU and memory look healthy.

The Fix: Check broker logs or client metrics for throttle time (e.g., produce-throttle-time-max). The client is exceeding its configured bandwidth quota, causing the broker to delay responses. Resolve this by increasing the user's producer_byte_rate quota or refactoring the application to compress payloads and space out batch writes.

Interview Questions

1. What is the difference between physical isolation and logical isolation in Kafka?

Physical isolation deploys completely separate hardware clusters for each tenant (high cost, high isolation). Logical isolation shares the cluster hardware but segregates tenants using namespacing and quotas (low cost, complex configuration).

2. What metrics should be monitored to detect tenant throttling?

Monitor the JMX client metrics: produce-throttle-time-avg and fetch-throttle-time-avg. On brokers, check broker-level throttling metrics like ThrottledRequestRejectionRate.

Production Considerations

Always configure default group quotas (e.g. /config/users/<default>) to restrict new or unconfigured applications. Set the broker property num.quota.managers to ensure CPU resources for handling quotas are scaled correctly.