Security

Secure your StreamHouse deployment.


Security Model

StreamHouse supports multiple layers of security: network-level access control, TLS encryption for all connections, authentication via API keys or mTLS, and authorization through topic-level access control lists (ACLs).

TLS Configuration

Enable TLS to encrypt all client-to-agent and agent-to-storage connections. cert_file and key_file are the agent's own certificate and private key (keep the key readable only by the agent's service user); ca_file is needed only for mTLS and must be the CA that signed every client certificate the agent should accept.

toml
# streamhouse.toml TLS configuration
[tls]
enabled = true
cert_file = "/etc/streamhouse/tls/server.crt"
key_file = "/etc/streamhouse/tls/server.key"
ca_file = "/etc/streamhouse/tls/ca.crt"  # CA used to verify client certificates (mTLS only)

The certificate and key paths can also be supplied through environment variables:

bash
export TLS_CERT_FILE=/path/to/server.crt
export TLS_KEY_FILE=/path/to/server.key

Authentication

StreamHouse supports three authentication mechanisms. Enable TLS for all of them so that credentials and data are never sent in the clear.

  • API Keys: Generate keys via the web console or CLI and send the key in the Authorization header of each request. A key is a bearer secret: issue one per service, keep it in a secrets manager rather than in source code or container images, and replace it if it is exposed.
  • mTLS: Clients present a certificate signed by the CA configured in ca_file. Best for service-to-service communication, because the private key never leaves the client and there is no shared secret to distribute.
  • SASL/SCRAM: Compatible with Kafka clients that already authenticate with SASL.
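The TLS and mTLS settings above both depend on one property: every certificate a client presents must chain to the CA in ca_file, and a certificate issued by any other CA is rejected no matter how valid it looks. The script below is an added example, not StreamHouse tooling: it builds a throwaway PKI with openssl (a trusted CA standing in for ca_file, an agent certificate standing in for cert_file/key_file, one legitimate client and one client from an unrelated CA) and runs the same chain check the agent performs. The directory, names and CNs are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not StreamHouse code: demonstrates the chain-of-trust check behind
# ca_file / mTLS with a throwaway openssl PKI. Names and paths are assumptions.
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR NAME: self-signed CA certificate and key (openssl's default
# req -x509 extensions mark it CA:TRUE).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/$2.key" -out "$1/$2.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# make_leaf DIR CA NAME: key and CSR for NAME, signed by CA's key.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$1/$3.key" -out "$1/$3.csr" -subj "/CN=$3" >/dev/null 2>&1 &&
  openssl x509 -req -days 1 -in "$1/$3.csr" \
    -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
    -out "$1/$3.crt" >/dev/null 2>&1
}

# chains_to CA_CRT LEAF_CRT: prints "ok" if LEAF verifies against CA, else
# "rejected". This is the decision the agent makes on a client certificate.
chains_to() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

# Trusted CA (what would go in ca_file) and an unrelated CA an attacker controls.
make_ca "$WORK" streamhouse-ca
make_ca "$WORK" rogue-ca
make_leaf "$WORK" streamhouse-ca agent                    # cert_file / key_file
make_leaf "$WORK" streamhouse-ca payment-processor        # legitimate client
make_leaf "$WORK" rogue-ca payment-processor-spoof        # same CN, wrong issuer

echo "agent:  $(chains_to "$WORK/streamhouse-ca.crt" "$WORK/agent.crt")"
echo "client: $(chains_to "$WORK/streamhouse-ca.crt" "$WORK/payment-processor.crt")"
echo "spoof:  $(chains_to "$WORK/streamhouse-ca.crt" "$WORK/payment-processor-spoof.crt")"
```

The spoofed certificate carries a plausible subject and a valid signature, yet it is rejected because its issuer is not the CA in ca_file. Conversely, anything that CA signs is accepted, which is why the CA key must be kept offline or in an HSM and why the mTLS CA should be dedicated to StreamHouse rather than a general-purpose public root.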

Authorization & ACLs

Topic-level ACLs control which principals can produce to or consume from each topic. A principal is a service account (service:name) or a consumer group (group:name), and each rule grants one operation on one topic, so a service that both reads and writes a topic needs two separate grants. Give each principal only the operations it needs.

bash
# Grant produce access to a service account
streamctl acl add --principal "service:payment-processor" \
  --topic "transactions" \
  --operation produce \
  --permission allow

# Grant consume access to a consumer group
streamctl acl add --principal "group:analytics" \
  --topic "transactions" \
  --operation consume \
  --permission allow

# List ACLs for a topic
streamctl acl list --topic transactions
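Grants typed one at a time are easy to get wrong and hard to review. The script below is an added example, not part of streamctl: it keeps the ACLs as a small policy table (one row per principal, topic and operation), validates every field so a typo cannot become a silent no-op or an over-broad grant, and renders one streamctl acl add call per row using only the flags shown above. The table format, the DRY_RUN switch and the validation rules are assumptions of this script, and the policy rows are constructed sample data.

```shell
#!/bin/sh
# Added example, not StreamHouse tooling: policy-as-code for topic ACLs.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs streamctl.
set -u
DRY_RUN="${DRY_RUN:-1}"

# acl_cmd PRINCIPAL TOPIC OPERATION: validate one allow rule and print the
# matching streamctl command; return 1 on any malformed field.
acl_cmd() {
  case "$1" in
    service:*|group:*) ;;
    *) echo "bad principal (need service: or group: prefix): $1" >&2; return 1 ;;
  esac
  case "${1#*:}" in
    ''|*[!A-Za-z0-9._-]*) echo "bad principal name: $1" >&2; return 1 ;;
  esac
  case "$2" in
    ''|*[!A-Za-z0-9._-]*) echo "bad topic: $2" >&2; return 1 ;;
  esac
  case "$3" in
    produce|consume) ;;
    *) echo "bad operation (produce|consume): $3" >&2; return 1 ;;
  esac
  printf 'streamctl acl add --principal "%s" --topic "%s" --operation %s --permission allow\n' \
    "$1" "$2" "$3"
}

# apply_policy: read "principal topic operation" rows from stdin, skipping
# blank lines and # comments; print or apply each rule; return the number
# of rejected rows so a CI job fails on a bad table.
apply_policy() {
  bad=0
  while read -r principal topic operation _; do
    case "$principal" in ''|'#'*) continue ;; esac
    if cmd="$(acl_cmd "$principal" "$topic" "$operation")"; then
      if [ "$DRY_RUN" = 1 ]; then
        echo "$cmd"
      else
        # Fields are already validated, so no eval is needed.
        streamctl acl add --principal "$principal" --topic "$topic" \
          --operation "$operation" --permission allow
      fi
    else
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Constructed sample policy: one grant per principal per topic, nothing broader.
POLICY='
# principal                 topic          operation
service:payment-processor   transactions   produce
group:analytics             transactions   consume
service:fraud-scorer        transactions   consume
service:fraud-scorer        fraud-alerts   produce
'
printf '%s\n' "$POLICY" | apply_policy
```

Keeping the table in version control gives you a reviewable history of who may touch which topic, and running the script in dry-run mode in CI surfaces malformed rows before anything reaches the cluster. Pair it with streamctl acl list --topic <topic> after applying, so that grants made outside the table show up as drift.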