Configuring Kafka ACLs

Kafka access control lists (ACLs) specify which principals may perform which operations on cluster resources in Streaming with Apache Kafka.

Principal
A user or application that's authenticated by the Kafka cluster. The principal name format depends on the type of authentication mechanism used, such as SASL/SCRAM or mTLS.
Operations
An action performed on a Kafka cluster resource, such as create, delete, produce, or consume.
Resources
A Kafka cluster resource, such as the cluster, broker, broker group, or topic. If a resource doesn't have an associated ACL, only a super user can access the resource.

Kafka ACLs control which principal can perform operations on the resources. If you create both allow and deny ACLs on a resource, the deny ACLs take precedence over the allow ACLs.

Complete the following tasks to configure an ACL for a cluster.

  1. Enable the Authorizer
  2. Create the Kafka ACL
  3. Update the Cluster Configuration

Enable the Authorizer

In Apache Kafka, the authorizer is a component that enforces Access Control Lists (ACLs) and ensures that only authorized users or clients perform the actions defined in ACLs.

Update the config_name.properties configuration file for the cluster with the following information:
authorizer.class.name=kafka.security.authorizer.AclAuthorizer

Create the Kafka ACL

To add, remove, or list ACLs in a cluster, you use the Apache Kafka authorizer CLI.

The access rules in Apache Kafka ACLs are created using the following format:

Principal P is [Allowed/Denied] Operation O From Host H on any Resource R matching ResourcePattern RP

Here,

  • Principal P is the user or client to whom access is given or denied.
  • Allowed/Denied is the permission that is set on the principal.
  • Operation O is the action on the resource, such as read, write, create, and delete.
  • Host H is the source making the request. The wildcard * is used to represent any host.
  • Resource R is the Kafka entity, such as topic or cluster.
  • ResourcePattern RP is how the resource is matched. For example, ResourcePattern RP could be PREFIXED with a value of logs-, meaning the ACL applies to all topics whose names start with logs-. If no ACL's pattern RP matches a specific resource R, then R has no associated ACLs.

Run the following command to create an ACL rule that allows the user Alice to write to all topics starting with logs- from any host:

kafka-acls --bootstrap-server <bootstrap-server-url> \
--command-config <config-file-path> \
--add \
--allow-principal User:Alice \
--operation Write \
--topic logs- \
--resource-pattern-type prefixed

Update the Cluster Configuration

When you create a cluster, a default configuration file is created for the cluster. In that file, the allow.everyone.if.no.acl.found property is set to true, so any client can access a resource for which no ACL is found.

Change the allow.everyone.if.no.acl.found property to false to enforce deny-by-default access. When you set the value of this property to false, only the clients or users permitted in an ACL, and super users, can access the resources.

allow.everyone.if.no.acl.found=false

You could also keep the default value true for allow.everyone.if.no.acl.found to allow unrestricted access to resources without ACLs while still enforcing ACLs for resources that have them.
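The following is an added example, not code from this page or from Apache Kafka itself. It models the decision rules described above (super users bypass ACLs, deny takes precedence over allow, LITERAL and PREFIXED resource matching, host wildcards, and the allow.everyone.if.no.acl.found fallback) so you can check how a proposed set of ACLs behaves before applying it with kafka-acls. The ACL list is a constructed sample built around the Alice/logs- rule from the page; the class and function names are the example's own. One detail the example adds from Kafka's authorizer behaviour: an Allow for Read, Write, Delete or Alter also satisfies a Describe request.

```python
"""Added example: a small model of Kafka AclAuthorizer decision logic.

Not the AclAuthorizer source; names (Acl, Authorizer, decisions) are this
example's own. Sample ACLs below are constructed for illustration.
"""
from dataclasses import dataclass, field

# In Kafka, an Allow on any of these operations also implies Describe.
IMPLIES_DESCRIBE = {"Read", "Write", "Delete", "Alter"}


@dataclass(frozen=True)
class Acl:
    principal: str            # e.g. "User:Alice"; "User:*" matches any principal
    permission: str           # "Allow" or "Deny"
    operation: str            # e.g. "Write", "Read", "All"
    host: str                 # "*" matches any host
    resource_type: str        # e.g. "Topic", "Cluster", "Group"
    name: str                 # resource name, or prefix when pattern is PREFIXED
    pattern: str = "LITERAL"  # "LITERAL" or "PREFIXED"

    def matches_resource(self, resource_type: str, name: str) -> bool:
        """Does this ACL's ResourcePattern RP cover resource R?"""
        if self.resource_type != resource_type:
            return False
        if self.pattern == "PREFIXED":
            return name.startswith(self.name)
        return self.name in (name, "*")

    def matches_request(self, principal: str, host: str, operation: str) -> bool:
        """Does this ACL apply to principal P, host H and operation O?"""
        ok_principal = self.principal in (principal, "User:*")
        ok_host = self.host in (host, "*")
        ok_operation = (
            self.operation == "All"
            or self.operation == operation
            or (operation == "Describe" and self.operation in IMPLIES_DESCRIBE)
        )
        return ok_principal and ok_host and ok_operation


@dataclass
class Authorizer:
    acls: list
    super_users: frozenset = field(default_factory=frozenset)
    allow_everyone_if_no_acl_found: bool = False  # the page's recommended value

    def authorize(self, principal, host, operation, resource_type, name) -> bool:
        # 1. Super users are never subject to ACLs.
        if principal in self.super_users:
            return True
        # 2. Only ACLs whose pattern covers this resource are considered.
        scoped = [a for a in self.acls if a.matches_resource(resource_type, name)]
        # 3. No ACL at all for the resource: the cluster-wide fallback decides.
        if not scoped:
            return self.allow_everyone_if_no_acl_found
        # 4. A matching Deny wins over any Allow.
        if any(a.permission == "Deny" and a.matches_request(principal, host, operation)
               for a in scoped):
            return False
        # 5. Otherwise a matching Allow is required; anything else is denied.
        return any(a.permission == "Allow" and a.matches_request(principal, host, operation)
                   for a in scoped)


# Constructed sample: the page's Alice rule plus one literal Deny on a single topic.
SAMPLE_ACLS = [
    Acl("User:Alice", "Allow", "Write", "*", "Topic", "logs-", "PREFIXED"),
    Acl("User:Alice", "Deny", "Write", "*", "Topic", "logs-audit", "LITERAL"),
]


def decisions(allow_everyone: bool = False) -> dict:
    """Evaluate a handful of requests against SAMPLE_ACLS and return the results."""
    authz = Authorizer(SAMPLE_ACLS, frozenset({"User:admin"}), allow_everyone)
    return {
        "alice_write_logs_app": authz.authorize("User:Alice", "10.0.0.5", "Write", "Topic", "logs-app"),
        "alice_describe_logs_app": authz.authorize("User:Alice", "10.0.0.5", "Describe", "Topic", "logs-app"),
        "alice_write_logs_audit": authz.authorize("User:Alice", "10.0.0.5", "Write", "Topic", "logs-audit"),
        "bob_write_logs_app": authz.authorize("User:Bob", "10.0.0.5", "Write", "Topic", "logs-app"),
        "bob_write_metrics": authz.authorize("User:Bob", "10.0.0.5", "Write", "Topic", "metrics"),
        "admin_write_metrics": authz.authorize("User:admin", "10.0.0.5", "Write", "Topic", "metrics"),
    }


if __name__ == "__main__":
    for setting in (False, True):
        print(f"allow.everyone.if.no.acl.found={str(setting).lower()}")
        for request, allowed in decisions(setting).items():
            print(f"  {request}: {'ALLOW' if allowed else 'DENY'}")
```

The only request whose outcome changes between the two settings is Bob writing to the metrics topic, which has no ACL at all; every other decision is fixed by the ACLs, which is why the page recommends false: a resource you forgot to cover is then denied rather than silently open.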