Kafka ACLs


Introduction 

Kafka provides Access Control Lists (ACLs) to control authorization over your cluster. To enable ACL management in Kafka, you need to set up an Authorizer, a plugin that authorizes operations on different resources. Once it is set, you can authorize Principals: the clients or entities that can be authenticated to your cluster via your security protocols.

The Lenses security model is not deeply integrated with Kafka ACLs. That means the authorization controls of your user groups in Lenses are not mapped to Kafka ACLs. However, Lenses gives visibility into your Kafka ACLs and allows authorized users to manage them.

A high number of ACLs may decrease the performance of Kafka. For security- and performance-aware projects, you can use Lenses access management for users and Kafka ACLs for applications.

Required permission 

Permission | Type | Description
Kafka Settings / View | Admin | To view Kafka ACLs
Kafka Settings / Manage | Admin | To create or delete a Kafka ACL

Access Management & permissions

Set Kafka Authorizer 

To use Kafka ACLs, the Brokers require an authorizer to be set. When the authorizer is not enabled you will not be able to create any ACLs.

If you do not have ACLs enabled, you will see the following:

No Kafka ACL Authorizer

Apache Kafka documentation on ACLs
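
As an added illustration (not taken from the Lenses documentation), the broker settings below enable an authorizer and show the permissive fallback beside the default-deny one. The principal names `User:broker` and `User:admin` are placeholders chosen for this example.

```properties
# Added example: broker settings (server.properties) that enable ACL enforcement.
# Principal names are placeholders, not values from this page.

# ZooKeeper-based clusters:
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
# KRaft-based clusters use this class instead:
# authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer

# Principals that bypass ACL checks. Keep the list short: typically the
# brokers' own principal and one administrative principal.
super.users=User:broker;User:admin

# Weak: a resource without any matching ACL is open to every principal.
# allow.everyone.if.no.acl.found=true
# Corrected (also the Kafka default): deny unless an ACL allows the operation.
allow.everyone.if.no.acl.found=false
```

With the default-deny setting, any principal that is neither a super user nor covered by an ACL is refused, so the principals your applications and tools connect with need ACLs before enforcement is switched on.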

Manage Kafka ACLs 

To create new ACLs, navigate to Admin and Kafka ACLs. Select the permission, resource and operation:

Add new Kafka ACL

Explore Kafka ACLs 

With the authorizer set up, you can create, search, and manage your ACLs:

data sources to Lenses.io

API clients 

Kafka ACLs are also supported by the CLI to enable automation scenarios.

CLI - API

FAQ 

Can I distribute ACL creation to namespace owners?

Currently, Kafka ACL governance is global. That means that users with the appropriate permissions can manage ACLs for the whole cluster.

Supported Operations 

Resource type: Cluster 

Operation | Kafka | Lenses
Alter
AlterConfigs
ClusterAction
Create
Describe
DescribeConfigs
Idempotent write

Resource type: Topic 

Operation | Kafka | Lenses
Alter
AlterConfigs
Create
Delete
Describe
DescribeConfigs
Read
Write

Resource type: Group 

Operation | Kafka | Lenses
Delete
Describe
Read

Resource type: Delegation Token 

Operation | Kafka | Lenses
Describe

Resource type: Transactional ID 

Operation | Kafka | Lenses
Describe
Write