Chapter 7. Authorizing Access when Kerberos is Enabled
Kafka supports Access Control List (ACL) authorization when Kerberos is enabled. ACLs are stored in ZooKeeper.
A Kafka ACL entry has the following general format, specified in the kafka-acls.sh commands in the remainder of this section:
[Allow/Deny] Operations <value1, value2, …> on Resource R from Hosts H1,H2 for Principals P1,P2

where

Operations can be one of: READ, WRITE, CREATE, DESCRIBE, or ALL. (The CLI lists other options like DELETE/ALTER; they are not currently supported.)

Resource is either a topic name, a consumer group name, or the string “kafka-cluster” to indicate a cluster level resource (only used with a CREATE operation).

Hosts is a comma-separated list of hosts, or * to indicate all hosts.

Principals is a comma-separated list of principals, or * to indicate all principals.
For mappings between Operations values and Kafka protocol APIs, refer to the Apache Kafka authorization documentation.
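The following added example (not part of the original guide) renders one ACL entry in the general format above as a kafka-acls.sh command line and rejects values this chapter lists as unsupported, so an entry can be reviewed before it is applied. The function name build_acl_cmd, the ZooKeeper address, and the convention that principals are passed as bare user names and given a User: prefix are assumptions; the command is printed, not executed.

```shell
#!/bin/sh
# Added example: turn one ACL entry (general format above) into a
# kafka-acls.sh command line. The command is printed for review, never run.
# ZK_CONNECT is a constructed placeholder, not a value from the guide.
ZK_CONNECT="${ZK_CONNECT:-zk1.example.com:2181}"

# build_acl_cmd <allow|deny> <OPERATION> <topic|group|cluster> <name> <hosts> <principals>
# hosts and principals are comma-separated lists, or * for all.
build_acl_cmd() {
    perm=$1 op=$2 rtype=$3 rname=$4 hosts=$5 principals=$6
    case $perm in
        allow|deny) ;;
        *) echo "permission must be allow or deny: $perm" >&2; return 1 ;;
    esac
    # Only the operations the chapter lists as supported are accepted.
    case $op in
        READ) opflag=Read ;; WRITE) opflag=Write ;; CREATE) opflag=Create ;;
        DESCRIBE) opflag=Describe ;; ALL) opflag=All ;;
        *) echo "unsupported operation: $op" >&2; return 1 ;;
    esac
    case $rtype in
        topic) res="--topic '$rname'" ;;
        group) res="--group '$rname'" ;;
        cluster)
            # The cluster-level resource is only used with CREATE.
            [ "$op" = CREATE ] || { echo "cluster resource requires CREATE" >&2; return 1; }
            res="--cluster" ;;
        *) echo "unknown resource type: $rtype" >&2; return 1 ;;
    esac
    cmd="kafka-acls.sh --authorizer-properties zookeeper.connect=$ZK_CONNECT --add"
    # Split the lists on commas; globbing is off so * stays a literal element.
    set -f; old_ifs=$IFS; IFS=,
    for p in $principals; do cmd="$cmd --$perm-principal 'User:$p'"; done
    for h in $hosts; do cmd="$cmd --$perm-host '$h'"; done
    IFS=$old_ifs; set +f
    printf '%s\n' "$cmd --operation $opflag $res"
}
```

For example, `build_acl_cmd allow READ topic test-topic 198.51.100.10 bob` prints the command that grants READ on test-topic to bob from that one host, while passing DELETE as the operation fails with an error.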