Kafka provides a CLI tool to manage ACLs. This document describes how to use the CLI.
Introduction
Kafka ships with a pluggable Authorizer and an out-of-the-box authorizer implementation that uses ZooKeeper to store all the ACLs. Kafka ACLs are defined in the general format "Principal P is [Allowed/Denied] Operation O From Host H On Resource R". You can read more about the ACL structure in KIP-11. To add, remove or list ACLs you can use the Kafka authorizer CLI.
...
Option | Description | Default | Option type |
---|---|---|---|
--add | Indicates to the script that the user is trying to add an ACL. | | Action |
--remove | Indicates to the script that the user is trying to remove an ACL. | | Action |
--list | Indicates to the script that the user is trying to list ACLs. | | Action |
--authorizer | Fully qualified class name of the authorizer. | kafka.security.auth.SimpleAclAuthorizer | Configuration |
--authorizer-properties | Comma separated key=val pairs that will be passed to the authorizer for initialization. | | Configuration |
--cluster | Specifies the cluster as the resource. | | Resource |
--topic <topic-name> | Specifies the topic as the resource. | | Resource |
--consumer-group <consumer-group> | Specifies the consumer group as the resource. | | Resource |
--allow-principal | Principal in PrincipalType:name format. These principals will be used to generate an ACL with Allow permission. Multiple principals can be specified in a single command by specifying this option multiple times, i.e. --allow-principal User:test1@EXAMPLE.COM --allow-principal User:test2@EXAMPLE.COM | | Principal |
--deny-principal | Principal in PrincipalType:name format. These principals will be used to generate an ACL with Deny permission. Multiple principals can be specified in the same way as described for the --allow-principal option. | | Principal |
--allow-hosts | Comma separated list of hosts from which the principals listed in --allow-principal will have access. | If --allow-principal is specified, defaults to *, which translates to "all hosts". | Host |
--deny-hosts | Comma separated list of hosts from which the principals listed in --deny-principal will be denied access. | If --deny-principal is specified, defaults to *, which translates to "all hosts". | Host |
--operations | Comma separated list of operations. Valid values are: Read, Write, Create, Delete, Alter, Describe, ClusterAction, All | All | Operation |
--producer | Convenience option to add/remove ACLs for the producer role. This will generate ACLs that allow WRITE, | | Convenience |
--consumer | Convenience option to add/remove ACLs for the consumer role. This will generate ACLs that allow READ, | | Convenience |
...
```sh
bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Bob --allow-principal User:Alice --allow-hosts Host1,Host2 --operations Read,Write --topic Test-topic
```
By default, all principals that do not have an explicit ACL allowing an operation on a resource are denied. In the rare case where an allow ACL grants access to everyone except some principal, we have to use the --deny-principal and --deny-hosts options. For example, if we want to allow all users to Read from Test-topic but deny User:BadBob from host bad-host, we can do so with the following command:
```sh
bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:* --allow-hosts * --deny-principal User:BadBob --deny-hosts bad-host --operations Read --topic Test-topic
```
The examples above add ACLs to a topic by specifying --topic <topic-name> as the resource option. Similarly, a user can add ACLs to the cluster by specifying --cluster, and to a consumer group by specifying --consumer-group <group-name>.
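To make the evaluation rules behind the last command concrete, here is an added example (not Kafka's own authorizer code) that models "Principal P is [Allowed/Denied] Operation O From Host H On Resource R" and checks the two ACLs written above. It assumes `User:*` and `*` act as wildcards for principal and host, that a Deny ACL wins over any Allow ACL, and that a request with no matching Allow ACL is denied (default deny).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    principal: str   # e.g. "User:Bob" or the wildcard "User:*"
    permission: str  # "Allow" or "Deny"
    operation: str   # "Read", "Write", ... or "All"
    host: str        # hostname or the wildcard "*"
    resource: str    # e.g. "Topic:Test-topic" (constructed naming)


def _matches(acl, principal, operation, host, resource):
    """True if this ACL applies to the request (wildcards assumed as described)."""
    return (acl.resource == resource
            and acl.principal in (principal, "User:*")
            and acl.operation in (operation, "All")
            and acl.host in (host, "*"))


def authorize(acls, principal, operation, host, resource):
    """Decide a request under the modelled rules: Deny beats Allow, else default deny."""
    matching = [a for a in acls if _matches(a, principal, operation, host, resource)]
    if any(a.permission == "Deny" for a in matching):
        return False  # an explicit Deny always wins, whatever Allow ACLs also match
    return any(a.permission == "Allow" for a in matching)  # no Allow ACL -> denied


# ACLs equivalent to the --add command above: everyone may Read from any host,
# but User:BadBob is denied when connecting from bad-host.
ACLS = [
    Acl("User:*", "Allow", "Read", "*", "Topic:Test-topic"),
    Acl("User:BadBob", "Deny", "Read", "bad-host", "Topic:Test-topic"),
]

if __name__ == "__main__":
    print(authorize(ACLS, "User:Alice", "Read", "host1", "Topic:Test-topic"))     # True
    print(authorize(ACLS, "User:BadBob", "Read", "bad-host", "Topic:Test-topic"))  # False
    print(authorize(ACLS, "User:BadBob", "Read", "host1", "Topic:Test-topic"))     # True
    print(authorize(ACLS, "User:Alice", "Write", "host1", "Topic:Test-topic"))     # False
```

Note that BadBob from any other host is still allowed by the wildcard ACL, and nobody gets Write, since no ACL allows it.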
...
```sh
bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=localhost:2181 --remove --allow-principal User:Bob --allow-principal User:Alice --allow-hosts Host1,Host2 --operations Read,Write --topic Test-topic
```
...
```sh
bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Bob --producer --topic Test-topic
```
...
```sh
bin/kafka-acls.sh --authorizer kafka.security.auth.SimpleAclAuthorizer --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Bob --consumer --topic test-topic --consumer-group Group-1
```
Note that with the --consumer option we must also specify the consumer group.
To remove a principal from the producer or consumer role, we just need to pass the --remove option instead of --add.