Multi-tenancy

Apache Kafka has limited support for multi-tenancy via Access Control Lists (ACLs). The Lenses platform enhances this at the data layer. Teams can use the same Kafka cluster in parallel while being unable to see or use any topics they are not supposed to access.

User access restriction, achieved via configuration, targets topics and their data. If a user is not allowed to see any information about topicA, the platform makes sure that, once logged in, the user cannot see any information about that topic.

Furthermore, the access constraints are propagated to other aspects of the platform. For example, a user cannot configure a Kafka Connect connector or Lenses SQL Processor instance using restricted topics.

Configuration

Additional multi-tenancy capabilities are achieved via the user group configuration. The lenses.security.groups configuration entry controls this behavior. It specifies the list of Lenses user groups, their roles, and their topic whitelisting/blacklisting.

Here is a configuration example declaring three different user groups. The first one, equityUK, can only use Kafka topics prefixed with equity_. The second group, fixedIncomeUS, can use topics prefixed with fi_. The last group defined, nonEquityFI, can use any topic except those prefixed with equity_ or fi_.

lenses.security.groups=[
     ...
     {"name": "equityUK", "roles": ["read", "write"], topic: { whitelist: ["equity_.*"] } },
     {"name": "fixedIncomeUS",  "roles": ["read", "write"], topic: { whitelist: [ "fi_.*" ] } },
     ...
     {"name": "nonEquityFI",  "roles": ["read", "write"], topic: { blacklist: [ "fi_.*", "equity_.*" ] } },
     ...
]
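
An added example, not part of the Lenses documentation or product code: a Python check that evaluates the three groups above against a constructed topic inventory and reports which groups can use each topic, so overlaps between tenants show up before the configuration is deployed. It assumes each pattern is a regular expression that must match the whole topic name, case-sensitively, and that a group with no topic rule is unrestricted; the page does not state these semantics, and all function and variable names are hypothetical.

```python
import re

# Group definitions mirroring the example above (the elided "..." entries are omitted).
GROUPS = [
    {"name": "equityUK", "topic": {"whitelist": ["equity_.*"]}},
    {"name": "fixedIncomeUS", "topic": {"whitelist": ["fi_.*"]}},
    {"name": "nonEquityFI", "topic": {"blacklist": ["fi_.*", "equity_.*"]}},
]

# Constructed topic inventory, including names that only resemble a tenant prefix.
TOPICS = ["equity_trades", "fi_bonds", "payments",
          "private_equity_deals", "fi", "Equity_orders"]


def _matches(patterns, topic):
    # Assumption: a pattern must match the whole topic name (anchored, case-sensitive).
    return any(re.fullmatch(p, topic) for p in patterns)


def allowed(group, topic):
    """True if the group may use the topic under the assumed semantics."""
    rules = group.get("topic", {})
    if "whitelist" in rules:
        return _matches(rules["whitelist"], topic)
    if "blacklist" in rules:
        return not _matches(rules["blacklist"], topic)
    return True  # Assumption: no topic rule means no restriction.


def access_matrix(groups, topics):
    """Map each topic to the sorted names of the groups that can use it."""
    return {t: sorted(g["name"] for g in groups if allowed(g, t)) for t in topics}


def isolation_findings(groups, topics):
    """List topics reachable by more than one group, and by no group at all."""
    shared, orphaned = [], []
    for topic, names in access_matrix(groups, topics).items():
        if len(names) > 1:
            shared.append(topic)
        elif not names:
            orphaned.append(topic)
    return {"shared": shared, "orphaned": orphaned}


if __name__ == "__main__":
    for topic, names in access_matrix(GROUPS, TOPICS).items():
        print(f"{topic:22} -> {names}")
    print(isolation_findings(GROUPS, TOPICS))
```

Under these assumptions, topics such as private_equity_deals and Equity_orders fall to the blacklist-based nonEquityFI group, which is worth reviewing whenever a catch-all group sits beside prefix-based tenants.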