Thanks, Hans. Signing messages is a good idea. Other than that, is there possibly an extension point in Kafka itself on the receiving of records, before they are stored/distributed? I was thinking along the lines of
org.apache.kafka.clients.producer.ProducerInterceptor but on the server side? — m@ > On 21/03/2017, at 12:22 PM, Hans Jespersen <h...@confluent.io> wrote: > > You can configure Kafka with ACLs that only allow certain users to > produce/consume to certain topics but if multiple producers are allowed to > produce to a shared topic then you cannot identify them without adding > something to the messages. > > For example, you can have each producer digitally sign (or encrypt) each > message and include the signature as a separate field (ie. separate from > the original message body). Then the consumers can independently check that > the signature is valid and that he message comes from a known/valid > publisher. This pattern is similar to how signed email messages work. > > -hans