Configuring Kafka for Kerberos Over Ambari

Chapter 7. Authorizing Access when Kerberos is Enabled

Kafka supports Access Control List (ACL) authorization when Kerberos is enabled. ACLs are stored in ZooKeeper.

A Kafka ACL entry has the following general format, specified in the kafka-acls.sh commands in the remainder of this section:

[Allow/Deny] Operations <value1, value2, …> on Resource R from Hosts H1,H2 for Principals P1,P2

where

  • Operations can be one of: READ, WRITE, CREATE, DESCRIBE, or ALL. (The CLI lists other options like DELETE/ALTER; they are not currently supported.)

  • Resource is either a topic name, a consumer group name, or the string “kafka-cluster” to indicate a cluster-level resource (only used with a CREATE operation).

  • Hosts is a comma-separated list of hosts, or * to indicate all hosts.

  • Principals is a comma-separated list of principals, or * to indicate all principals.

For mappings between Operations values and Kafka protocol APIs, refer to the Apache Kafka authorization documentation.
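The entry format above can be modelled directly to lint a set of ACL entries and to check what they permit before they are applied with kafka-acls.sh. This is an added example, not code from this guide or from the Kafka project; the function names and sample values are hypothetical. It assumes that a matching Deny overrides any Allow and that a request matching no entry is denied, as in Apache Kafka's default authorizer, and it compares resources by name only.

```python
from dataclasses import dataclass

SUPPORTED_OPS = {"READ", "WRITE", "CREATE", "DESCRIBE", "ALL"}  # per the list above
CLUSTER = "kafka-cluster"

@dataclass(frozen=True)
class Acl:
    permission: str        # "Allow" or "Deny"
    operations: frozenset
    resource: str          # topic name, consumer group name, or CLUSTER
    hosts: frozenset       # {"*"} means all hosts
    principals: frozenset  # {"*"} means all principals

def _split(csv):
    return frozenset(item.strip() for item in csv.split(","))

def make_acl(permission, operations, resource, hosts, principals):
    """Build an entry, rejecting combinations the page says are not supported."""
    if permission not in ("Allow", "Deny"):
        raise ValueError(f"permission must be Allow or Deny, got {permission!r}")
    ops = frozenset(op.upper() for op in _split(operations))
    if ops - SUPPORTED_OPS:
        raise ValueError(f"unsupported operations: {sorted(ops - SUPPORTED_OPS)}")
    if resource == CLUSTER and ops != {"CREATE"}:
        raise ValueError("kafka-cluster is only used with CREATE")
    return Acl(permission, ops, resource, _split(hosts), _split(principals))

def _matches(acl, op, resource, host, principal):
    return (acl.resource == resource
            and (op in acl.operations or "ALL" in acl.operations)
            and (host in acl.hosts or "*" in acl.hosts)
            and (principal in acl.principals or "*" in acl.principals))

def authorize(acls, op, resource, host, principal):
    """Assumed evaluation order: any matching Deny wins; no match means denied."""
    hits = [a for a in acls if _matches(a, op, resource, host, principal)]
    if any(a.permission == "Deny" for a in hits):
        return False
    return any(a.permission == "Allow" for a in hits)

def overly_broad(acls):
    """Allow entries open to every host and every principal; worth a review."""
    return [a for a in acls if a.permission == "Allow"
            and "*" in a.hosts and "*" in a.principals]

SAMPLE = [  # constructed entries: topic, hosts and principals are made up
    make_acl("Allow", "READ,WRITE", "test-topic", "*", "user:alice,user:bob"),
    make_acl("Deny", "WRITE", "test-topic", "192.0.2.10", "user:bob"),
    make_acl("Allow", "CREATE", CLUSTER, "*", "*"),
]
```

With these sample entries, user:bob can still read test-topic from 192.0.2.10 but cannot write to it from that host, and `overly_broad(SAMPLE)` flags the cluster-level CREATE entry.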