Kafka ACLs


When the Kafka cluster is configured with an authorizer which enforces ACLs, Lenses might need a set of permissions to function correctly. If the default Kafka authorizer (kafka.security.auth.SimpleAclAuthorizer) is used, Lenses can be used to manage ACLs.

The common practice is to give to the Lenses Kafka client superuser status, or, alternatively, the complete list of available operations for all resources. The fine grained permission model of Lenses can then be used to restrict the access level per user.

kafka-acls \
    --bootstrap-server [broker.url:9092] --command-config [client.properties] \
    --add \
    --allow-principal [User:Lenses] \
    --allow-host [lenses.host] \
    --operation All \
    --topic * \
    --group * \
    --delegation-token * \
    --cluster

Minimal Permissions 

Topics 

Lenses needs permission to manage and access its own internal Kafka topics:

  • __topology
  • __topology__metrics
kafka-acls \
    --bootstrap-server [broker.url:9092] --command-config [client.properties] \
    --add \
    --allow-principal [User:Lenses] \
    --allow-host [lenses.host] \
    --operation All \
    --topic [topic]

It also needs read and describe permissions for the consumer offsets and Kafka Connect topics —if enabled:

  • __consumer_offsets
  • connect-configs
  • connect-offsets
  • connect-status
kafka-acls \
    --bootstrap-server [broker.url:9092] --command-config [client.properties] \
    --add \
    --allow-principal [User:Lenses] \
    --allow-host [lenses.host] \
    --operation Describe \
    --operation DescribeConfigs \
    --operation Read \
    --topic [topic]

This same set of permissions is required for any topic that Lenses must have read access.

kafka-acls \
    --bootstrap-server [broker.url:9092] --command-config [client.properties] \
    --add \
    --allow-principal [User:Lenses] \
    --allow-host [lenses.host] \
    --operation Describe \
    --operation DescribeConfigs \
    --operation Read \
    --topic *

Additional permissions are needed to produce to topics, or manage them.

Consumer Groups 

To take advantage of the Consumer Groups monitoring capabilities, permissions to at least read and describe consumer groups is required.

kafka-acls \
    --bootstrap-server [broker.url:9092] --command-config [client.properties] \
    --add \
    --allow-principal [User:Lenses] \
    --allow-host [lenses.host] \
    --operation Describe \
    --operation Read \
    --group *

Additional permissions are needed to manage groups.

ACLs 

To manage ACLs, permission to the cluster is required:

kafka-acls \
    --bootstrap-server [broker.url:9092] --command-config [client.properties] \
    --add \
    --allow-principal [User:Lenses] \
    --allow-host [lenses.host] \
    --operation Describe \
    --operation DescribeConfigs \
    --operation Alter \
    --cluster
--
Last modified: September 26, 2024