View the latest documentation 5.5
When the Kafka cluster is configured with an authorizer which enforces ACLs, Lenses might need a set of permissions to function correctly. If the default Kafka authorizer (kafka.security.auth.SimpleAclAuthorizer) is used, Lenses can be used to manage ACLs.
kafka.security.auth.SimpleAclAuthorizer
The common practice is to give to the Lenses Kafka client superuser status, or, alternatively, the complete list of available operations for all resources. The fine grained permission model of Lenses can then be used to restrict the access level per user.
kafka-acls \ --bootstrap-server [broker.url:9092] --command-config [client.properties] \ --add \ --allow-principal [User:Lenses] \ --allow-host [lenses.host] \ --operation All \ --topic * \ --group * \ --delegation-token * \ --cluster
Lenses needs permission to manage and access its own internal Kafka topics:
__topology
__topology__metrics
kafka-acls \ --bootstrap-server [broker.url:9092] --command-config [client.properties] \ --add \ --allow-principal [User:Lenses] \ --allow-host [lenses.host] \ --operation All \ --topic [topic]
It also needs read and describe permissions for the consumer offsets and Kafka Connect topics —if enabled:
__consumer_offsets
connect-configs
connect-offsets
connect-status
kafka-acls \ --bootstrap-server [broker.url:9092] --command-config [client.properties] \ --add \ --allow-principal [User:Lenses] \ --allow-host [lenses.host] \ --operation Describe \ --operation DescribeConfigs \ --operation Read \ --topic [topic]
This same set of permissions is required for any topic that Lenses must have read access.
kafka-acls \ --bootstrap-server [broker.url:9092] --command-config [client.properties] \ --add \ --allow-principal [User:Lenses] \ --allow-host [lenses.host] \ --operation Describe \ --operation DescribeConfigs \ --operation Read \ --topic *
Additional permissions are needed to produce to topics, or manage them.
To take advantage of the Consumer Groups monitoring capabilities, permissions to at least read and describe consumer groups is required.
kafka-acls \ --bootstrap-server [broker.url:9092] --command-config [client.properties] \ --add \ --allow-principal [User:Lenses] \ --allow-host [lenses.host] \ --operation Describe \ --operation Read \ --group *
Additional permissions are needed to manage groups.
To manage ACLs, permission to the cluster is required:
kafka-acls \ --bootstrap-server [broker.url:9092] --command-config [client.properties] \ --add \ --allow-principal [User:Lenses] \ --allow-host [lenses.host] \ --operation Describe \ --operation DescribeConfigs \ --operation Alter \ --cluster
On this page